Robin-Vinet Mathieu wrote:

> Hi,
>
> > > Brian and Henk, I think you make the point.
> > > Even with iptables loading the inactive ruleset, I've got all ports
> > > opened.
> > >
> > > I don't understand why you are speaking of "inetd"?
> > > Cause I've got inetd running on the machine...
> >
> > Well, check /etc/inetd.conf and make sure that things are not
> > accidentally serviced by inetd. Otherwise when you flush the rules or
> > when you haven't got a default DROP policy, certain ports will still be
> > reported as open.
>
> So if I understand well, you suggest that I put those lines at the top of
> my iptables script cause it seems to be safer; by default it DROPs packets
> except when I have defined specific rules, which is my case:
>
> IPTABLES -P INPUT DROP
> IPTABLES -P FORWARD DROP
> IPTABLES -P OUTPUT DROP
Yes, after that you could open up what you need to accept in and out on the
box's interfaces (don't forget localhost) and what traffic you need to
forward, and append a final DROP as a catch-all to the input, output and
forward chains. You'll have a pretty tight setup.

> I've read that with a default DROP policy, I must specifically define
> ACCEPT rules when flushing with -F, this, not to be locked out of my
> system.

Correct, but that's easy to script.

> > > Did I miss something somewhere?
> >
> > Don't know, better check to be sure. Just do a 'grep -v ^# /etc/inetd.conf'
> > to see what's enabled.
>
> It's OK, I just have ssh, smtp and ftp like I did the setup!

All right.

> Thanks.
> Mathieu.

Good luck.

Henk

-- 
Henk Roose <[EMAIL PROTECTED]>
CWI - Centrum voor Wiskunde en Informatica
Centre for Mathematics and Computer Science
Amsterdam (NL)
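The ordering Henk describes (default DROP policies first, then the flush, then loopback and established traffic re-accepted before anything else, so the -F flush cannot lock a remote admin out, with a catch-all DROP at the end of each chain), as an added shell example that is not part of the thread. The interface name, the outbound ports and the DRY_RUN switch are assumptions; DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the thread. Order matters: policies first,
# then the flush, then loopback/established traffic is re-accepted before
# anything else, so the brief window after -F cannot lock a remote admin out.
# Assumptions: WAN is a placeholder interface; DRY_RUN=1 only prints commands.

IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=${WAN:-eth0}   # hypothetical external interface

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

load_rules() {
    # 1. Default DROP on all three chains (the lines Mathieu quoted): if the script dies half-way, nothing is open.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    # 2. Flush old rules and delete user chains; from here on only the DROP policy applies.
    run -F
    run -X
    # 3. Re-open loopback and established sessions at once, so the SSH session running this script survives.
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    run -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. New inbound connections to the services the box offers (ssh, smtp, ftp, as in the thread).
    for port in 22 25 21; do
        run -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # 5. Outbound traffic the box itself initiates (assumed here: DNS and SMTP).
    run -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
    run -A OUTPUT -o "$WAN" -p tcp --dport 25 -j ACCEPT
    # 6. Explicit catch-all DROP at the end of each chain, as Henk suggests.
    run -A INPUT   -j DROP
    run -A FORWARD -j DROP
    run -A OUTPUT  -j DROP
}

# Henk's inetd check: list what inetd still serves and compare it with the ports opened above.
active_inetd() {
    grep -v '^#' /etc/inetd.conf | grep -v '^[[:space:]]*$'
}
```

Run `DRY_RUN=1 sh -c '. ./rules.sh; load_rules'` first to review the generated command list before applying it on a box you reach over SSH.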

