Ok, I see. If you add a rule to allow access to ssh to an IP only, you are supposed to add a rule next to deny access to all other addresses.
Since I only want to have ports 80 and 443 open in my server, as well as 22 and 81 for restricted access, I wonder if I could do with these rules:

$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 80 -j ACCEPT
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 443 -j ACCEPT
$IPCHAINS -A input -p tcp -s MY-IP/MY-NETMASK -d $OUTERNET 22 -j ACCEPT
$IPCHAINS -A input -p tcp -s MY-IP/MY-NETMASK -d $REMOTENET 81 -i $OUTERIF -j ACCEPT
$IPCHAINS -A input -j DENY -s $REMOTENET -d $REMOTENET -i $OUTERIF

I understand that this would DENY all traffic, except http and https for the outside world, and only accept ssh and port 81 connections from the IPs I define. Am I right?

Any advice will be much appreciated before I put these rules in practice, as I do not want to be kicked out of my machine :-)

Regards,
Francisco

----- Original Message -----
From: "Gerald Waugh" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, 17 January, 2002 16:40
Subject: Re: [cobalt-security] Portsentry, ipchains and pmfirewall

> On Thu, 17 Jan 2002, Francisco Sánchez wrote:
> > Now I have installed on my RaQ3 ipchains and pmfirewall, along with
> > portsentry.
> >
> > However there are a couple of things I don't have clear:
> >
> > - 1. When using ipchains, you can choose either to reject or deny
> > connections to a particular port. However you can also allow connections to
> > a port to a given IP address and netmask. That is what I have done with,
> > for example, ssh. My question here is, for those people who try now to
> > connect by ssh from an IP other than those allowed, what will they get,
> > reject or deny?
>
> They will get whatever you have for example ssh default set for.
> You need a rule to deny or reject ssh.
>
> > -2. Also, with portsentry, there is an ignore file, but I have seen that
> > after a restart or reboot, the entries you add there are deleted. However,
> > the IP addresses for the machine and 127.0.0.1 are always there. How can an
> > IP or IP range be added permanently to that file?
>
> Can't help on this one, since I use ipchains, I don't use portsentry.
>
> --
> Gerald Waugh
> Registered Linux User 255245
> register at http://counter.li.org
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
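As an added illustration (not part of the list post, and not Francisco's script), the Python model below walks the five posted rules the way ipchains walks the input chain: the first matching rule decides, and a packet that matches nothing falls through to the chain's policy. The addresses, the interface name, the chain policy and the sample packets are all constructed assumptions. Because ipchains keeps no connection state, the model also shows what the final catch-all DENY does to replies to connections the server itself opens, and what changes when an extra `! -y` rule (ipchains's "TCP packet that is not a connection-opening SYN" match) is inserted before it.

```python
import ipaddress

# Constructed stand-ins for the variables in the posted script (assumptions, not from the post).
ANY = ipaddress.ip_network("0.0.0.0/0")
REMOTENET = ANY                                      # assumed: $REMOTENET means "anywhere"
OUTERNET = ipaddress.ip_network("203.0.113.10/32")   # assumed: the server's own public address
MY_NET = ipaddress.ip_network("198.51.100.0/24")     # assumed: MY-IP/MY-NETMASK, the admin network
OUTERIF = "eth0"                                     # assumed: $OUTERIF
INPUT_POLICY = "ACCEPT"                              # assumed: input chain policy left at default

# A rule is (proto, src, dst, dport, iface, syn, target); None means "not checked".
# syn=False models "! -y": TCP packets that are not pure SYNs (i.e. replies, not new connections).
POSTED_RULES = [
    ("tcp", REMOTENET, OUTERNET,  80,   None,    None, "ACCEPT"),
    ("tcp", REMOTENET, OUTERNET,  443,  None,    None, "ACCEPT"),
    ("tcp", MY_NET,    OUTERNET,  22,   None,    None, "ACCEPT"),
    ("tcp", MY_NET,    REMOTENET, 81,   OUTERIF, None, "ACCEPT"),
    (None,  REMOTENET, REMOTENET, None, OUTERIF, None, "DENY"),
]

# Same rules with one "! -y" ACCEPT inserted before the catch-all DENY, so that return
# segments of TCP connections the server opened are not dropped (ipchains has no state table).
STATELESS_FIX_RULES = POSTED_RULES[:4] + [
    ("tcp", ANY, ANY, None, OUTERIF, False, "ACCEPT"),
] + POSTED_RULES[4:]


def packet(proto, src, dst, dport, iface, syn=None):
    """Constructed packet; syn is only meaningful for TCP (True = SYN only, False = anything else)."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "iface": iface, "syn": syn}


def rule_matches(rule, pkt):
    proto, src, dst, dport, iface, syn, _target = rule
    if proto is not None and pkt["proto"] != proto:
        return False
    if pkt["src"] not in src or pkt["dst"] not in dst:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    if iface is not None and pkt["iface"] != iface:
        return False
    if syn is not None and pkt["syn"] != syn:
        return False
    return True


def evaluate(pkt, rules, policy=INPUT_POLICY):
    """First matching rule wins, as in an ipchains chain; returns (target, rule index or None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule[-1], i
    return policy, None


# Constructed sample traffic (RFC 5737 documentation addresses).
WEB_SYN = packet("tcp", "192.0.2.50", "203.0.113.10", 80, OUTERIF, syn=True)
ADMIN_SSH = packet("tcp", "198.51.100.7", "203.0.113.10", 22, OUTERIF, syn=True)
STRANGER_SSH = packet("tcp", "192.0.2.50", "203.0.113.10", 22, OUTERIF, syn=True)
STRANGER_SSH_INNER = packet("tcp", "10.0.0.5", "203.0.113.10", 22, "eth1", syn=True)
DNS_REPLY = packet("udp", "192.0.2.53", "203.0.113.10", 40000, OUTERIF)
# Reply segment for an outbound connection the server itself opened to a remote web server.
OUTBOUND_REPLY = packet("tcp", "192.0.2.80", "203.0.113.10", 40001, OUTERIF, syn=False)

if __name__ == "__main__":
    samples = [("web SYN from anywhere", WEB_SYN), ("ssh SYN from admin net", ADMIN_SSH),
               ("ssh SYN from stranger, eth0", STRANGER_SSH),
               ("ssh SYN from stranger, eth1", STRANGER_SSH_INNER),
               ("udp DNS reply", DNS_REPLY), ("reply to outbound tcp", OUTBOUND_REPLY)]
    for name, pkt in samples:
        print(f"{name:32s} posted: {evaluate(pkt, POSTED_RULES)}   "
              f"with '! -y': {evaluate(pkt, STATELESS_FIX_RULES)}")
```

Two things the walk makes visible. The final DENY is scoped to `-i $OUTERIF`, so the same stranger's SSH SYN arriving on another interface matches nothing and gets the chain policy, which is why the policy should be set deliberately rather than assumed. And the catch-all drops the server's own return traffic: replies to an outbound TCP connection and UDP DNS answers both hit the DENY. The `! -y` accept rescues the TCP replies while still denying new inbound SSH; UDP and ICMP have no SYN flag, so they need rules of their own before the DENY.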
