transop at sympatico.ca
Thu Oct 17 19:17:32 EDT 2002
> If you're never running any services it is fine to have this line in
> the firewall rules. Services you may wish to run include: ssh in to
> your box from outside, and boxes on the inside connecting to your
> box (eg, to treat it as a mail server).
> You can find this line to a particular interface only, so that
> localhost, and any boxes on the inside (yeah I know you don't have
> any yet ;) can connect ok.
> > [gr] What problems?
> Many services assume they can connect to localhost. Not having it
> present can cause problems like mail not working, news not working,
> etc, etc. It'd be like dropping the lo interface, which is similarly
> a bad thing.
> > [gr] Is there an advantage to tying these down? If not, then it's
> > not worth doing it, right?
> It's always worth tying stuff down :)
> Here is what I have for icmp right now:
> # Allow these ICMP types back in
> ICMPALLOW="0 3 4 5 6 9 10 11 12 15 16 30 31 32 35 36"
> # Allow these icmp types
> for I in $ICMPALLOW
> iptables -A ICMP -p icmp --icmp-type $I -j ACCEPT
> As can be seen, this is in the "ICMP" chain but you could do it in
> any chain you like. I have my INPUT & FORWARD chain feed to a
> FIREWALL chain, where I then split it off as appropriate to
> different chains. The extensive use of chains decreases the number
> of rule parses required for a given packet and means each given rule
> needs on;y have certain parameters set. The rule above will only be
> hit by things entering my external network interface.
[gr] Rob, thanks for the info. That's yet another area I know little
about. So much reading, so much to learn. I think I'm going to have to
start giving up soem of my "religious" discussion groups on the 'Net
and start learning more about the OS I like so much. Again, my thanks.
More information about the OCLUG