Sorry for so many questions, but also, for example, I can see valid SMTP
sessions in netstat like this:

tcp        0      0 server1.americasnet.co:smtp 89.165.43.31:17761 SYN_RECV

Would this traffic be blocked since it has a random destination port of
17761?


On Mon, 2008-09-08 at 20:56 -0700, Ricardo Kleemann wrote:
> I apologize for my lack of knowledge.
> 
> Ok, but I have some doubts as far as how I would go about first blocking
> all traffic "anywhere" from the servers lan except for the few ports
> allowed.
> 
> For example, won't dns requests use random source ports when queries are
> made? Something like (from lsof on the server), I have some named
> entries like this:
> 
> named      1620     named   29u     IPv4  102898568                  TCP server1.americasnet.com:32858->cpe-24-24-238-161.socal.res.rr.com:domain (SYN_SENT)
> named      1620     named   30u     IPv4  102906041                  TCP server1.americasnet.com:57631->cpe-24-24-213-189.socal.res.rr.com:domain (SYN_SENT)
> 
> 
> If I REJECT all traffic, would random source ports like this be blocked,
> or would opening up domain take care of that?
> 
> 
> Another question, should the REJECT rule be at the end of the rules file
> so that it picks up only after all the ACCEPT rules?
> 
> 
> 
> 
> 
> On Mon, 2008-09-08 at 19:43 -0700, Tom Eastep wrote:
> > Ricardo Kleemann wrote:
> > 
> > > However I understand I need to also block outbound for those ports as
> > > being sources as well. How would I go about doing that?
> > 
> > I have no idea what you are talking about. The rules that you posted looked 
> > adequate to me (or at least as adequate as is possible in your case).
> > 
> > -Tom
> > -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> > Build the coolest Linux based applications with Moblin SDK & win great 
> > prizes
> > Grand prize is a trip for two to an Open Source event anywhere in the world
> > http://moblin-contest.org/redirect.php?banner_id=100&url=/
> > _______________________________________________ Shorewall-users mailing 
> > list Shorewall-users@lists.sourceforge.net 
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 
> 



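The questions in this thread come down to which column of a netstat or lsof line a destination-port rule actually tests, and why the reply half of a connection never needs its own ACCEPT. The following is an added example, not code from the thread or from Shorewall: it parses connection lines modelled on the ones posted above (re-joined onto single lines, sample values constructed), orients each one as initiator -> responder, and runs the resulting flow through a simplified first-match rule list with a Shorewall-style final REJECT plus a toy conntrack table. The Rule format, the zone_of() hostname heuristic and the SERVICES map are simplifications assumed for the demo, not Shorewall's real parser or zone logic.

```python
"""Added example: which port does a dport rule match on a netstat/lsof line?
Rule syntax, zone heuristic and conntrack model are simplified assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

SERVICES = {"smtp": 25, "domain": 53, "ssh": 22}   # names netstat/lsof print


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str          # host that sent the SYN
    sport: int        # its (usually ephemeral) source port
    dst: str
    dport: int        # the service port; the only port a dport rule reads
    state: str


def port_of(tok: str) -> int:
    return int(tok) if tok.isdigit() else SERVICES[tok]


def split_hostport(tok: str):
    host, _, port = tok.rpartition(":")
    return host, port_of(port)


def oriented(proto: str, local: str, foreign: str, state: str) -> Flow:
    """Who opened the connection? SYN_RECV: the remote did. SYN_SENT: we did.
    Otherwise assume the side holding the privileged port is the server."""
    lhost, lport = split_hostport(local)
    fhost, fport = split_hostport(foreign)
    inbound = state == "SYN_RECV" or (state != "SYN_SENT" and lport < 1024)
    if inbound:
        return Flow(proto, fhost, fport, lhost, lport, state)
    return Flow(proto, lhost, lport, fhost, fport, state)


def parse_netstat(line: str) -> Flow:
    # netstat -t columns: Proto Recv-Q Send-Q Local Foreign State
    proto, _, _, local, foreign, state = line.split()[:6]
    return oriented(proto, local, foreign, state)


LSOF_RE = re.compile(r"\b(TCP|UDP)\s+(\S+)->(\S+)\s+\((\w+)\)")


def parse_lsof(line: str) -> Flow:
    # lsof -i tail: ... TCP local->foreign (STATE)
    m = LSOF_RE.search(line)
    if not m:
        raise ValueError(f"not an lsof connection line: {line!r}")
    proto, local, foreign, state = m.groups()
    return oriented(proto.lower(), local, foreign, state)


@dataclass(frozen=True)
class Rule:
    action: str               # ACCEPT or REJECT
    src_zone: str             # 'fw', 'net' or 'all'
    dst_zone: str
    proto: Optional[str]      # None = any
    dport: Optional[int]      # None = any. There is deliberately no sport.


def zone_of(host: str) -> str:
    # Constructed heuristic: the firewall's own hostname is zone 'fw', else 'net'.
    return "fw" if host.startswith("server1.") else "net"


def first_match(flow: Flow, rules) -> Optional[Rule]:
    """Rules are walked in order; first match wins, so the catch-all REJECT
    must be last. The initiator's ephemeral port is never consulted."""
    for r in rules:
        if r.src_zone not in ("all", zone_of(flow.src)):
            continue
        if r.dst_zone not in ("all", zone_of(flow.dst)):
            continue
        if r.proto and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r
    return None


def decide(flow: Flow, rules, conntrack: set) -> str:
    """Stateful model: rules see only the first packet of a flow; replies are
    accepted because conntrack already holds the reversed 5-tuple."""
    key = (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)
    reverse = (flow.proto, flow.dst, flow.dport, flow.src, flow.sport)
    if reverse in conntrack:
        return "ACCEPT (conntrack ESTABLISHED)"
    r = first_match(flow, rules)
    if r is None or r.action != "ACCEPT":
        return "REJECT"
    conntrack.add(key)
    return f"ACCEPT (rule dport={r.dport})"


RULES = [
    Rule("ACCEPT", "net", "fw", "tcp", 25),    # inbound SMTP
    Rule("ACCEPT", "fw", "net", "tcp", 53),    # outbound DNS over TCP
    Rule("ACCEPT", "fw", "net", "udp", 53),    # outbound DNS over UDP
    Rule("REJECT", "all", "all", None, None),  # catch-all, kept last
]

# Constructed samples modelled on the thread's lines, each joined onto one line.
NETSTAT_SMTP = "tcp        0      0 server1.americasnet.co:smtp 89.165.43.31:17761 SYN_RECV"
LSOF_DNS = ("named 1620 named 29u IPv4 102898568 TCP "
            "server1.americasnet.com:32858->cpe-24-24-238-161.socal.res.rr.com:domain (SYN_SENT)")


def demo() -> dict:
    ct: set = set()
    smtp = parse_netstat(NETSTAT_SMTP)
    dns = parse_lsof(LSOF_DNS)
    # The DNS server's answer: same 5-tuple with the ends swapped.
    reply = Flow(dns.proto, dns.dst, dns.dport, dns.src, dns.sport, "ESTABLISHED")
    stateless = first_match(reply, RULES)
    return {
        "smtp": (smtp.sport, smtp.dport, decide(smtp, RULES, ct)),
        "dns": (dns.sport, dns.dport, decide(dns, RULES, ct)),
        "dns_reply": decide(reply, RULES, ct),
        "dns_reply_stateless": stateless.action if stateless else "REJECT",
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the 17761 in the SMTP line is the remote client's source port and the connection is accepted by the dport 25 rule alone; named's 32858 and 57631 are likewise source ports, matched by the outbound dport 53 rule. The last entry shows what would happen to the DNS server's reply if rules were evaluated statelessly (it lands on the final REJECT), which is exactly the case conntrack exists to handle.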