Check out the following thread on the UK2 egroups message board: http://groups.yahoo.com/group/raq/message/9531
The firewall-on script does a reasonable job of setting up IPchains for basic usage. There have been some recent changes to the recommended setup; try searching the message board for firewall-on.

Regards
Lawrence

----- Original Message -----
From: "Domain Guy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 27, 2001 6:17 PM
Subject: [cobalt-security] Calling all IPChain Gurus

> Pardon the obviously wanker address, but I wish to keep the current state of
> our site's security (or lack thereof) less than well known.
>
> --
>
> After scouring dozens of helpful posts and resources I am finally beginning
> to get a bit of a handle on IPChains. Which is to say that I am still fairly
> lost ;)
>
> So far, I am using the rules generated via the firewall configurator found
> at:
>
> http://www.linux-firewall-tools.com/linux/firewall/index.html
>
> I am still uncertain if the rules that are set are appropriate. I am
> looking for a set of IPChain commands that I can run via a shell script that
> will reject (with logging?) everything, with the exception of the following:
>
> - allow FTP access *to* the machine but only from a privileged IP
>
> - allow FTP access *from* the machine (to get files etc.)
>
> - allow mail to get to the machine (this box will run sendmail with POP
> clients accessing it)
>
> - allow mail to get out (not only will the webserver send mail, but so will
> POP clients)
>
> - allow SSH access (to and from the machine)
>
> - allow DNS to operate (this box is a web server that will also act as its
> primary dns, at least to start)
>
> - allow web in, including SSL access and also admin access (port 81)
>
> - allow web out (command line lynx, wget etc.)
>
> Basically your standard web server/small time web host setup.
>
> Any input would be extremely helpful, and would go towards a
> mini-cobalt-as-webserver/webhost-ipchains FAQ that I will eventually
> compile... if this doesn't first drive me batty instead.
>
> Best regards,
> Gordon
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
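
One way to write the policy requested in the quoted message as ipchains rules, as an added example that is not from the thread and is not the firewall-on script. The interface name and both addresses are placeholders, only the input chain is filtered (output is left open), and the rules are printed rather than loaded unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: stateless ipchains input policy for the host in the thread.
# Dry run by default (rules are printed); set APPLY=1 as root to load them.
IF="${IF:-eth0}"                        # assumption: external interface
HOST="${HOST:-192.0.2.10}"              # placeholder: this server's address
FTP_ADMIN="${FTP_ADMIN:-203.0.113.5}"   # placeholder: privileged FTP client
ANY="0/0"; HI="1024:65535"

rule() {
    if [ "${APPLY:-0}" = 1 ]; then ipchains "$@"; else echo "ipchains $*"; fi
}
# tcp_in <source> <port>: connections from <source> to a local service
tcp_in() { rule -A input -i "$IF" -p tcp -s "$1" -d "$HOST" "$2" -j ACCEPT; }
# tcp_reply <remote-port>: non-SYN packets only, i.e. answers to connections
# this host opened. ipchains keeps no state, so "! -y" is the closest test.
tcp_reply() {
    rule -A input -i "$IF" -p tcp ! -y -s "$ANY" "$1" -d "$HOST" "$HI" -j ACCEPT
}

build_rules() {
    rule -F input
    rule -P input DENY
    rule -P output ACCEPT               # outbound traffic is not filtered here
    rule -A input -i lo -j ACCEPT
    # Inbound services: SSH, SMTP, DNS (TCP), web, POP3, SSL, admin on port 81
    for p in 22 25 53 80 81 110 443; do tcp_in "$ANY" "$p"; done
    rule -A input -i "$IF" -p udp -s "$ANY" -d "$HOST" 53 -j ACCEPT
    # Inbound FTP from the privileged address only: control, passive data,
    # and the answers to active-mode data connections opened from port 20
    tcp_in "$FTP_ADMIN" 21
    tcp_in "$FTP_ADMIN" "$HI"
    rule -A input -i "$IF" -p tcp ! -y -s "$FTP_ADMIN" -d "$HOST" 20 -j ACCEPT
    # Answers to outbound FTP control, SSH, SMTP, DNS, web and SSL
    for p in 21 22 25 53 80 443; do tcp_reply "$p"; done
    rule -A input -i "$IF" -p udp -s "$ANY" 53 -d "$HOST" "$HI" -j ACCEPT
    # Outbound passive FTP data: answers arrive from unprivileged ports
    tcp_reply "$HI"
    # Keep path-MTU discovery and error reporting working
    rule -A input -i "$IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
    # A chain policy cannot log, so the final rule logs and drops the rest
    rule -A input -i "$IF" -j DENY -l
}

build_rules
```

Because ipchains has no connection tracking, the `! -y` reply rules still admit unsolicited non-SYN packets to high ports; that is a limit of the tool, not of this rule set.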
