David A. Ranch wrote:
Well, I'm worried about the big ones. For example:
[snip]
# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o
Shouldn't that be port range 6000:6007 for Xwindows?
Well.. yes and no. X starts at port 6000 and works its
way up if 6000 is busy. I haven't seen X get through
when 6000 is blocked. Have you?
I missed the beginning of the conversation but it appears you're looking at
securing high ports,
David A. Ranch wrote:
I found in writing firewall rules, it's easier to do a "blanket" deny
policy, (so you get all your bases), then only do "accept" for those
services you want to allow.
Why not a blanket REJECT?
Personal preference, DENY drops the packet, REJECT sends back an ICMP
Yes, I have. When I asked about it on a different list, I was recommended
to block 6000:6007 since then I've never seen a problem. The explanation
was that some (not all) recent Xservers listen on 6000:6007. (I don't
remember which of the commercial servers I was trying out at the time.)
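The exchange above boils down to two practical questions: which X display ports are actually listening on the box, and what the rules look like once they cover 6000:6007 instead of 6000 alone. The script below is an added example, not code from the thread or from anyone quoted in it. It reuses the variable names from the posted rules ($extif, $extip, $universe) and keeps the shape of those output-chain rules; the matching input-chain "deny" rule is an assumption of mine (the thread only shows the output chain), the netstat listing it parses is constructed inline so it runs offline, and the 6000:6063 scan window (displays :0 to :63) is also an assumed bound. It also flags a listener that a 6000:6007 rule would miss, which is the caveat behind "I haven't seen X get through when 6000 is blocked".

```shell
#!/bin/sh
# Added example, not from the thread: which X display ports are really
# listening, and ipfwadm rules that cover the 6000:6007 range rather than
# port 6000 alone. Assumed: $extif/$extip/$universe as in the posted rules,
# and a scan window of 6000:6063 (displays :0 to :63).

X_BASE=6000       # X display :N listens on TCP 6000+N
X_LAST=6007       # top of the range the thread recommends blocking
X_SCAN_LAST=6063  # assumed upper bound when looking for stray displays

# Constructed sample of `netstat -an` output: displays :0 and :1 on all
# interfaces, a display :10 on loopback, plus unrelated sockets.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:6000        10.0.0.5:1034           ESTABLISHED
udp        0      0 0.0.0.0:6000            0.0.0.0:*'

# x_listeners NETSTAT_TEXT: print "port display" for every TCP socket in
# LISTEN state whose local port falls in the X scan window.
x_listeners() {
    printf '%s\n' "$1" | awk -v base="$X_BASE" -v last="$X_SCAN_LAST" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port >= base && port <= last) print port, port - base
        }'
}

# x_uncovered NETSTAT_TEXT: listeners that a 6000:6007 rule would NOT catch.
x_uncovered() {
    x_listeners "$1" | awk -v last="$X_LAST" '$1 + 0 > last + 0'
}

# x_rules EXTIF EXTIP UNIVERSE: emit the ipfwadm commands, one per line,
# with the port range argument in place of the single port 6000.
x_rules() {
    extif=$1; extip=$2; universe=$3
    range="$X_BASE:$X_LAST"
    for proto in tcp udp; do
        # Same shape as the posted output-chain rules, now over the range.
        printf '/sbin/ipfwadm -O -a reject -W %s -P %s -S %s/32 -D %s/0 %s -o\n' \
            "$extif" "$proto" "$extip" "$universe" "$range"
        # Assumed companion input-chain rule: silently drop (deny) anything
        # arriving from outside for our own display ports.
        printf '/sbin/ipfwadm -I -a deny -W %s -P %s -S %s/0 -D %s/32 %s -o\n' \
            "$extif" "$proto" "$universe" "$extip" "$range"
    done
}

# Stand-alone run: report listeners, flag the stray display, print rules.
echo "X listeners (port display):"; x_listeners "$SAMPLE_NETSTAT"
echo "Not covered by $X_BASE:$X_LAST:"; x_uncovered "$SAMPLE_NETSTAT"
x_rules eth0 192.168.1.2 0.0.0.0
```

The script only prints the ipfwadm commands rather than running them, so it can be checked on any box; feed `x_listeners` the real `netstat -an` output to see what your own X server (or anything else squatting on 6000+) has bound before deciding how wide the range needs to be.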
On 11 Feb 99, at 11:36, David A. Ranch wrote about
"[masq] How a firewall works...":
|...
| Now, I don't want to confuse you more but you might be thinking
| that letting in ALL high ports back into your Linux box is
| a BAD thing.
|
| You know what?.. YOU'RE RIGHT!
|...
Why,