On Thu, Jun 28, 2001 at 12:17:32PM +0200, Michael Wood wrote:
> Hi
>
> On Thu, Jun 28, 2001 at 12:02:44PM +0200, Raffael Ferenc wrote:
> > On Thu, Jun 28, 2001 at 08:50:49AM +0200, Michael Wood wrote:
> > > [snip]
> > > e.g. Assuming you're using kernel 2.2.x here's a very simple and
> > > very open firewall configuration:
> > >
> > > # define constants
> > > ABUSER=192.168.0.123/32
> > > MAILSERVER=10.0.0.1/32
> > >
> > > # set the default policy
> > > ipchains -P input ACCEPT
> > > ipchains -P forward ACCEPT
> > > ipchains -P output ACCEPT
> >
> > I suggest ACCEPT as the default policy may become extremely
> > dangerous if the firewall script doesn't run completely. I'd
> > say that default policy should be DENY or REJECT, and the
> [...]
>
> Well, as I said, the guy has a router with NO firewalling at
> the moment, so this script was just "a very simple and very
> open" firewall script. i.e. it's not really meant to do
> anything other than stop one person from using anything other
> than e-mail as long as they don't change their IP address or
> something.
>
> Your point about leaving the firewall completely open if the
> script doesn't finish is a good one. (It would be nonsense if
> the policy was DENY or REJECT, though :)
>
> I would normally recommend that the policy be DENY or REJECT,
> but in this case it's much easier to leave it as ACCEPT and add
> a rule or two to block the abuser than try to find out exactly
> all the protocols that need to be allowed and allow them all
> individually or get him to install proxies for everything.
>
> So, if the default policy is going to be ACCEPT, I suppose you
> should do this:
>
> Set policy to DENY
> Clear old rules
> Delete old chains
> Set up rules you want
> Set policy to ACCEPT
>
> If the policy is going to be DENY (or REJECT) just leave out the
> last bit (i.e. don't set policy to ACCEPT.)
>
> This way, if the script doesn't finish, the default will be
> DENY.
>
> [...]
> > following few lines should be placed before the default
> > policies.
> >
> > > # clear old rules
> > > ipchains -F
> > > ipchains -X
> [snip]
>
> No, unless your policy is ACCEPT.
>
> If your policy is going to be DENY (but isn't yet) and you clear
> all the rules, you have a completely open firewall until you do
> set the policy, so there's a small window when you don't have a
> firewall (unless you never run the script with the interfaces
> already up.)
>
> > Just another remark: there's a -l option in ipchains. It is a
> > good idea to log specific attempts (unprivport attacks). This
> > would look like this:
> >
> > ipchains -A input -p tcp -s any/0 1024:65535 -d $YOURSERVER 1024:65535 -j
> > DENY -l
>
> True. But if you want to monitor things like this you'll most
> likely want a much better firewall script than the one I
> suggested :)
That's correct :) But we have to share the best ideas we have to help others build a "good" firewall.
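The fail-closed ordering Michael describes (policy DENY, flush, delete chains, add rules, then and only then policy ACCEPT), written out as an added example script that is not from this thread and is not either poster's own script. It reuses the ABUSER and MAILSERVER addresses from the quoted snippet, adds a hypothetical YOURSERVER address for the logging rule Raffael suggested, and reads the ipchains binary from an IPCHAINS variable so the command sequence can be dry-run with IPCHAINS=echo on a machine without a 2.2 kernel.

```shell
#!/bin/sh
# Added example, not the thread's code: an ipchains script that stays DENY if it
# aborts part-way, and relaxes to the "very open" ACCEPT policy only at the end.
set -e

IPCHAINS="${IPCHAINS:-ipchains}"   # set IPCHAINS=echo to print the commands instead
ABUSER=192.168.0.123/32            # from the quoted script
MAILSERVER=10.0.0.1/32             # from the quoted script
YOURSERVER=10.0.0.2/32             # hypothetical: the host whose unpriv ports we log

fw_apply() {
    # 1. Close the door first. If anything below fails under set -e, the box is
    #    left at DENY rather than wide open.
    "$IPCHAINS" -P input DENY
    "$IPCHAINS" -P forward DENY
    "$IPCHAINS" -P output DENY

    # 2. Only now is it safe to throw away the old rules and user chains; with
    #    the policy already DENY there is no "no firewall" window while empty.
    "$IPCHAINS" -F
    "$IPCHAINS" -X

    # 3. The rules we actually want. ipchains is first-match, so the abuser's
    #    mail traffic is accepted before the catch-all DENY for that address.
    "$IPCHAINS" -A input -p tcp -s "$ABUSER" -d "$MAILSERVER" 25 -j ACCEPT
    "$IPCHAINS" -A input -p tcp -s "$ABUSER" -d "$MAILSERVER" 110 -j ACCEPT
    "$IPCHAINS" -A input -s "$ABUSER" -j DENY
    # Raffael's logging rule: record unprivileged-port to unprivileged-port probes.
    "$IPCHAINS" -A input -p tcp -s 0/0 1024:65535 -d "$YOURSERVER" 1024:65535 -j DENY -l

    # 4. Everything is in place; relax to the open default the thread settled on.
    #    For a DENY/REJECT design you would simply omit these three lines.
    "$IPCHAINS" -P input ACCEPT
    "$IPCHAINS" -P forward ACCEPT
    "$IPCHAINS" -P output ACCEPT
}

# Run only when invoked as "sh script.sh apply", so sourcing the file just
# defines the function.
if [ "${1-}" = "apply" ]; then
    fw_apply
fi
```

Run `IPCHAINS=echo sh script.sh apply` to see the command order without touching the kernel; the first line printed is the DENY policy and the ACCEPT policies are the last three, which is the whole point of the ordering.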

