On 2007-10-27 Pascal Hambourg wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> On 2007-10-24 Yuri Rodrigues wrote:
>>> I usually browse the Internet, get ssh servers for my network and
>>> get my ssh server when I am in a remote location. But I cannot access
>>> ssh servers from my server firewall. Can somebody help me with that
>>> firewall?
> [...]
>> Ouch. *Never* flush the chains before setting the default policies.
>> Also *never* enable IP forwarding before setting the default
>> policies.
>
> I guess you mean "before setting default policies to DROP".

Yes.

[...]
>> $iptables -t filter -P INPUT DROP
>> $iptables -t filter -P OUTPUT DROP
>> $iptables -t filter -P FORWARD DROP
>>
>> $iptables -t nat -P PREROUTING ACCEPT
>> $iptables -t nat -P POSTROUTING ACCEPT
>>
>> $iptables -t mangle -P PREROUTING ACCEPT
>> $iptables -t mangle -P POSTROUTING ACCEPT
>
> What about the other chains in the nat and mangle tables?

I was being lazy here.

[...]
>> $iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[...]
> Don't you forget to accept RELATED,ESTABLISHED traffic in OUTPUT and
> FORWARD and outgoing traffic on the loopback interface?

Yes, as I already mentioned in a later reply.

[...]
>>> #### Protection against ping flood ####
>>> $iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
>>> echo "Protecao contra ping flood ......................... [ Ok ]"
>>
>> A limit rule does not protect against ping floods. "ping flood" means
>> that the attacker is sending so many echo requests that they consume
>> your entire bandwidth. There's exactly nothing you can do on your
>> firewall to protect you from that.
>
> Except when you're on a link with asymmetric up/down bandwidth such as
> ADSL. If you're on a 128/512 kbit/s link, a 128 kbit/s flood ping is
> not enough to fill your downstream but enough to fill your upstream. By
> limiting the incoming echo request (and *not any* ICMP type) rate, you
> can limit the outgoing echo reply rate and avoid consuming all your
> upstream bandwidth.

A valid point, though probably somewhat theoretical. How often does a
situation where a flood doesn't consume the entire downstream bandwidth
really occur?

Please note that I'm not objecting to rate-limiting incoming ICMP packets
(on the contrary). I'm merely saying that unlike limiting incoming syn
packets it won't protect from floods. At least in most cases.

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
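As an added example (not code from the thread or from the original poster's script), here is how the opening of such a firewall script looks with the ordering the thread settles on: DROP policies before any flush, RELATED,ESTABLISHED and loopback traffic accepted on all three filter chains, the ICMP limit applied to echo requests only, and forwarding enabled last. The `run` dry-run wrapper and the `check_order` self-check are this example's own additions; the port 22 rule assumes the poster's ssh use case.

```shell
#!/bin/sh
# Added example (not from the thread): a ruleset in the order the thread
# argues for. DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

build_rules() {
    # 1. Default policies first, so nothing is open while the chains are rebuilt.
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P OUTPUT DROP
    run iptables -t filter -P FORWARD DROP
    # 2. Flush only now; the DROP policies cover the gap.
    for table in filter nat mangle; do
        run iptables -t "$table" -F
    done

    # 3. Loopback and return traffic on all three filter chains.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done
    # 4. Rate-limit incoming echo requests only, not every ICMP type,
    #    which bounds the echo-reply rate leaving a thin upstream.
    run iptables -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 5 -j ACCEPT

    # 5. Inbound SSH (the original poster's use case).
    run iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 6. Enable forwarding last, after policies and rules are in place.
    run sysctl -w net.ipv4.ip_forward=1
}

# Check the generated ruleset: DROP policies precede any flush, forwarding is
# enabled after the last rule, and the ICMP limit names echo-request explicitly.
check_order() {
    rules=$(DRY_RUN=1 build_rules)
    policy=$(printf '%s\n' "$rules" | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    flush=$(printf '%s\n' "$rules" | grep -n -- '-t filter -F' | cut -d: -f1)
    forward=$(printf '%s\n' "$rules" | grep -n 'ip_forward' | cut -d: -f1)
    last=$(printf '%s\n' "$rules" | grep -c '')
    [ "$policy" -lt "$flush" ] && [ "$forward" -eq "$last" ] &&
        printf '%s\n' "$rules" | grep -q -- '--icmp-type echo-request'
}

build_rules
```

Run it once as-is to review the printed commands, then with `DRY_RUN=0` as root to apply them.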

