> [...]
> I want to block certain services for the outside world (like lpd etc) but NOT
> for the inside network
> I thought I could block it with ipchains -A input -p tcp -d xxx.xxx.xxx.xxx
> 515 -j DENY
> But if I telnet from an outside host to that port I can still connect

This is odd. You shouldn't be. Are you trying to just protect a single host or a complete subnet? If it is the latter, be aware that you need to specify the netmask along with the network, i.e.: 'ipchains -d 1.2.3.0/255.255.255.0 515 -p tcp -j DENY' to block all traffic to lpd daemons on the network. (BTW, you can also use 24 instead of 255.255.255.0.) Be also aware of the -i switch of ipchains, which allows you to specify which interface the rule is applied on. This will make it easier for you to change incoming traffic from the outside world.

> Well I think that's because the INPUT policy is ACCEPT (I think change that to
> DENY is rather not a good idea)

I'd also like to suggest that you reconsider changing your default policy to DENY to strengthen your network security. Fail-open approaches are *bad*.

> Is there another solution for this?

Hope I was of any help.

Cheers,
-Ralf
--
PGP key fingerprint: 2048/46C772078ACB58DEF6EBF8030CBF1724
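To make the two points of the reply concrete (a bare address without a netmask covers one host rather than a subnet, and a DENY default policy fails closed for anything no rule matches), here is an added toy model of how an ipchains input chain evaluates a packet. It is not code from the mail or from ipchains itself; the interface names (eth0 outside, eth1 inside), the 1.2.3.0/24 LAN and the packets are constructed sample values, and the parser only understands the handful of switches used in the thread.

```python
"""Toy model of ipchains "input" chain matching (added example, not the mail's code).

Shows why `-d 1.2.3.0 515` without a netmask leaves the rest of the subnet
uncovered, how -i scopes a rule to one interface, and what a DENY default
policy does with traffic no rule matches. All addresses and interface names
are constructed sample values.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    target: str                                  # -j ACCEPT | DENY | REJECT
    iface: Optional[str] = None                  # -i
    proto: Optional[str] = None                  # -p tcp | udp | icmp
    src: Optional[ipaddress.IPv4Network] = None  # -s addr[/mask]
    dst: Optional[ipaddress.IPv4Network] = None  # -d addr[/mask] [port]
    dport: Optional[int] = None


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def _network(spec: str) -> ipaddress.IPv4Network:
    # A bare address is a single host (/32). Both "/24" and
    # "/255.255.255.0" are accepted, as the reply notes.
    return ipaddress.IPv4Network(spec if "/" in spec else spec + "/32", strict=False)


def parse_rule(cmdline: str) -> Rule:
    """Parse the subset of `ipchains -A input ...` syntax used in the thread."""
    toks = shlex.split(cmdline)
    rule = Rule(target="ACCEPT")
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "ipchains":
            i += 1
        elif t in ("-A", "-I"):
            i += 2                                # skip the chain name too
        elif t == "-j":
            rule.target = toks[i + 1]; i += 2
        elif t == "-i":
            rule.iface = toks[i + 1]; i += 2
        elif t == "-p":
            rule.proto = toks[i + 1].lower(); i += 2
        elif t == "-s":
            rule.src = _network(toks[i + 1]); i += 2
        elif t == "-d":
            rule.dst = _network(toks[i + 1]); i += 2
            if i < len(toks) and toks[i].isdigit():   # optional port after -d
                rule.dport = int(toks[i]); i += 1
        else:
            raise ValueError(f"unsupported token {t!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every specified field must match; unspecified fields match anything."""
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(policy: str, rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain's default policy applies."""
    for r in rules:
        if matches(r, pkt):
            return r.target
    return policy


def demo() -> dict:
    # Constructed topology: eth0 faces the outside, eth1 faces the 1.2.3.0/24 LAN.
    outside_to_lpd = Packet("eth0", "tcp", "203.0.113.9", "1.2.3.7", 515)
    inside_to_lpd = Packet("eth1", "tcp", "1.2.3.20", "1.2.3.7", 515)
    outside_other = Packet("eth0", "tcp", "203.0.113.9", "1.2.3.7", 6000)

    # 1. Bare address: only host 1.2.3.0 is covered, 1.2.3.7 falls through to ACCEPT.
    leaky = [parse_rule("ipchains -A input -p tcp -d 1.2.3.0 515 -j DENY")]
    # 2. With the netmask the subnet is covered, but the LAN side is blocked too.
    subnet = [parse_rule("ipchains -A input -p tcp -d 1.2.3.0/255.255.255.0 515 -j DENY")]
    # 3. Scope by interface and fail closed with a DENY policy.
    hardened = [
        parse_rule("ipchains -A input -i eth1 -s 1.2.3.0/24 -j ACCEPT"),
        parse_rule("ipchains -A input -i eth0 -p tcp -d 1.2.3.0/24 515 -j DENY"),
    ]
    return {
        "leaky_outside": evaluate("ACCEPT", leaky, outside_to_lpd),
        "subnet_outside": evaluate("ACCEPT", subnet, outside_to_lpd),
        "subnet_inside": evaluate("ACCEPT", subnet, inside_to_lpd),
        "hardened_outside": evaluate("DENY", hardened, outside_to_lpd),
        "hardened_inside": evaluate("DENY", hardened, inside_to_lpd),
        "hardened_unmatched": evaluate("DENY", hardened, outside_other),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

Running it shows the outside lpd connection going through under the bare-address rule with an ACCEPT policy, being denied once the netmask is present (along with the inside connection), and, with the interface-scoped rules and a DENY policy, the inside LAN still printing while both the outside lpd attempt and an unrelated outside port are dropped.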

