Re: firewall advice

2002-12-16 Thread Lars Ellenberg
On Sun, Dec 15, 2002 at 07:15:25PM -0800, Torrin wrote: I'll also add connection tracking in my iptables script. Is there anything I can do in my ipchains script? did you ever look at the SuSEfirewall{,2} scripts by marc heuse? GPL, will work with any distro, maybe small changes where to

Re: firewall advice

2002-12-16 Thread Jeffrey Taylor
I am using the v1 scripts on Debian 3.0r0. IIRC, I had to change one directory in the INSTALL script. SuSE puts the symlinks in /etc/init.d/rcX.d and Debian puts them in /etc/rcX.d/. Edit the script before running it. I like it because it works at the policy level of Internet, DMZ, and

Re: firewall advice

2002-12-16 Thread Rolf Kutz
* Quoting andrew lattis ([EMAIL PROTECTED]):
#connections to lo
$iptables -A OUTPUT -p ALL -o $lo_iface -s $lo_ip -j ACCEPT
#allow the rest
$iptables -A OUTPUT -p ALL -o $eth_iface -s $eth_ip -j ACCEPT
#log the rest
$iptables -A OUTPUT -m limit --limit $log_limit --limit-burst

Re: firewall advice

2002-12-16 Thread Vineet Kumar
* Torrin ([EMAIL PROTECTED]) [021215 19:21]: Nicolas Boullis wrote: * Torrin ([EMAIL PROTECTED]):
iptables -A INPUT -i eth0 -j ACCEPT -p TCP -s 0.0.0.0/0 --source-port domain #53
iptables -A INPUT -i eth0 -j ACCEPT -p UDP -s 0.0.0.0/0 --source-port domain #53
Hey! I'm a nice port,

firewall advice

2002-12-15 Thread Torrin
I changed the subject and started a new thread here. Anyway . . . Nicolas Boullis wrote: You should add the rule: $IPTABLES -A INPUT -j ACCEPT -i eth0 -m state --state ESTABLISHED,RELATED Thanks, those rules that I gave as an example are from my workstation which has a 2.4 kernel installed. I

Re: firewall advice

2002-12-15 Thread andrew lattis
On 2002/12/15 07:15:25PM -0800, Sun, Torrin wrote: I changed the subject and started a new thread here. Anyway . . . # Drop spoofed packets iptables -A INPUT -i eth0 -j DROP -s 192.168.1.3 -d 0.0.0.0/0 What about outgoing spoofed packets? They didn't get dropped in this script at all.
