Hi Chris:
May I respectfully suggest a completely different approach?
My reasoning for doing so follows this path: Maintaining a software
firewall can be extremely challenging. They can be tricked, hacked and
of course there are unintentional errors, even if one installs one or
another piece of software -- say tripwire -- to watch it and any
changes to your system for you.
The alternative is to go to a hardwired firewall, plug it in and go
about your business dedicating your time to something else which
absolutely requires your attention.
This little device has done its job time and time again (for me) and
others and maybe if you consider it, you'll discover more time for
other issues. The really hot thing about this device is that it does
way more than what iptables can do for you anyway and the device works
independently of any operating system. It is designed to work on
networks faster than dial-up; so it can sit between the incoming signal and
the router feeding the rest of the network which means that anything
coming past the device to the router is clean. So anything connected
to that router -- wireless or otherwise -- is also clean as far as the
signals they are receiving. Of course, making sure the internal nets
are clean is the job of the sys.admin.
Here's the link for you to review and consider:
http://www.thinkgeek.com/computing/accessories/75f3/
Of course, you could refer to IPCop.org, netfilter.org, or tldp.org ...
but after the Stingray, all of that will become mere reference
material.
Best wishes.... Derick.
On May 15, 2006, at 9:28 AM, Chris St. Pierre wrote:
Last week, I brought up iptables on my YDL 4 box with a very basic
configuration, and all was working well. This morning, at about 8 am,
it randomly started rejecting ping traffic. Restarting iptables did
not solve the problem. My iptables configuration has not changed
since Thursday afternoon. Here's my /etc/sysconfig/iptables:
*filter
# Built-in chains default to ACCEPT; all filtering is delegated to the
# custom RH-Firewall-1-INPUT chain, which ends in an explicit REJECT.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# All ICMP, echo-request included, is accepted before any other check.
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# Protocols 50 and 51 are IPsec ESP and AH.
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New inbound TCP connections are allowed only to these ports.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
# Everything else is rejected with an ICMP host-prohibited error.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
As you can see, this is a very basic configuration that works on many
other hosts -- and, in fact, worked on this host for a while, too.
Any ideas? Thanks!
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
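The following is an added example, not code from Chris's post or from the iptables project: a small Python simulator that walks one packet through an iptables-save ruleset in kernel order (first matching terminal rule wins; a user-defined chain hands control back when it falls through). Fed the posted config it shows an echo-request arriving on an outside interface hitting the accept-all-ICMP rule; fed the same config with that one rule missing it shows the packet falling all the way to the final REJECT. The interface name eth0 is an assumption, the sample packets are constructed, and the simulator only understands the match clauses that appear in the posted rules (anything else raises rather than being guessed at).

```python
"""Trace a packet through an iptables-save ruleset (added example; not the
post's or the iptables project's code). Handles only the match clauses used
in the posted config: -i, -p, --icmp-type, -m state --state, -m tcp --dport."""
import shlex

# Constructed copy of the posted /etc/sysconfig/iptables. The ruleset that
# is actually loaded on the box (iptables-save) may differ from this file.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5308 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample packets; "eth0" is an assumed outside interface name.
PING = {"iface": "eth0", "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"}
SSH_NEW = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
SMTP_NEW = {"iface": "eth0", "proto": "tcp", "dport": 25, "state": "NEW"}

KNOWN_OPTS = ("-i", "-p", "--icmp-type", "-m", "--state", "--dport")


def parse_ruleset(text):
    """Return {chain: {"policy": str|None, "rules": [token lists]}}."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                      # chain definition
            name, policy, _counters = line[1:].split()
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
        elif line.startswith("-A "):                  # append rule to chain
            tokens = shlex.split(line)
            chains[tokens[1]]["rules"].append(tokens[2:])
    return chains


def rule_matches(tokens, pkt):
    """Evaluate every match clause before -j; all must hold for a match."""
    i = 0
    while i < len(tokens) and tokens[i] != "-j":
        opt, arg = tokens[i], tokens[i + 1]
        if opt not in KNOWN_OPTS:
            raise ValueError(f"unsupported match clause {opt!r}")
        if opt == "-i" and pkt["iface"] != arg:
            return False
        if opt == "-p" and arg != "all" and pkt["proto"] != arg:
            return False
        if opt == "--icmp-type" and (pkt["proto"] != "icmp"
                                     or arg not in ("any", pkt.get("icmp_type"))):
            return False
        if opt == "--state" and pkt["state"] not in arg.split(","):
            return False
        if opt == "--dport" and str(pkt.get("dport")) != arg:
            return False
        i += 2                                        # "-m <module>" just skips
    return True


def trace(chains, chain_name, pkt, trail):
    """Walk a chain like the kernel: first matching terminal rule wins; a jump
    into a user chain resumes here if that chain falls through or RETURNs."""
    chain = chains[chain_name]
    for n, tokens in enumerate(chain["rules"], start=1):
        if not rule_matches(tokens, pkt):
            continue
        target = tokens[tokens.index("-j") + 1]
        trail.append(f"{chain_name} rule {n}: {' '.join(tokens)}")
        if target in chains:                          # jump to a user chain
            verdict = trace(chains, target, pkt, trail)
            if verdict is not None:
                return verdict
            continue
        if target == "RETURN":
            break
        return target                                 # ACCEPT, DROP or REJECT
    return chain["policy"]                            # None for user chains


def verdict_for(ruleset_text, pkt, chain="INPUT"):
    """Verdict plus the list of rules the packet matched on its way there."""
    trail = []
    return trace(parse_ruleset(ruleset_text), chain, pkt, trail), trail


def without_icmp_rule(text):
    """The same ruleset minus the accept-all-ICMP rule, to show the effect."""
    return "\n".join(l for l in text.splitlines() if "-p icmp" not in l)


if __name__ == "__main__":
    for label, rules in (("posted ruleset", RULESET),
                         ("ICMP rule missing", without_icmp_rule(RULESET))):
        verdict, trail = verdict_for(rules, PING)
        print(f"{label}: echo-request on eth0 -> {verdict}")
        for step in trail:
            print("   ", step)
```

On the box itself the equivalent checks are `iptables-save`, to compare the rules actually loaded against /etc/sysconfig/iptables (a rule removed or reordered at runtime never shows up in the file), `iptables -L RH-Firewall-1-INPUT -n -v` while pinging, to see which rule's packet counter increments, and `sysctl net.ipv4.icmp_echo_ignore_all`, since that kernel setting suppresses echo replies regardless of what netfilter accepts.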
_______________________________________________
yellowdog-general mailing list
[email protected]
http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
HINT: to Google archives, try '<keywords> site:terrasoftsolutions.com'