On Mon, Mar 26, 2001 at 04:27:00PM -0900, Ethan Benson wrote:
> On Mon, Mar 26, 2001 at 08:01:34PM +0200, Alson van der Meulen wrote:
> >
> > > It accepts all other traffic to non-privileged ports.
> > I prefer to allow traffic without the SYN flag (not initiating a new
> > connection) only, not all misc traffic; it's more secure. The way to
> > do it is like:
> > ipchains -A input -s 0/0 -d 0/0 1024:65535 -p tcp ! -y -j ACCEPT
> > ipchains -A input -s 0/0 -d 0/0 1024:65535 -p udp ! -y -j ACCEPT

This line is wrong indeed; for udp, remove the ! -y option.

> >
>
> unfortunately this breaks irc, ftp and many other things.

ftp: use passive ftp; active ftp isn't secure with ipchains, netfilter can
handle it better.

for irc: I never had problems with it, just accept ident lookups and all
outgoing stuff.

Protocols that require incoming connections are lame anyway.

-- 
,-------------------------------------------.
> Name:     Alson van der Meulen            <
> Personal: [EMAIL PROTECTED]               <
> School:   [EMAIL PROTECTED]               <
`-------------------------------------------'
Do you really need your home directory to do any work?
---------------------------------------------
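The rule set argued over in this thread, as an added example that is not part of the original mail: a small Python model of ipchains' first-match semantics and its `-y` test (SYN set, ACK and FIN clear), run over constructed sample packets. It shows why the corrected chain (tcp `! -y` to unprivileged ports, udp without `! -y`, ident accepted) lets reply traffic, DNS answers and passive FTP through while dropping a fresh inbound SYN such as an active-FTP data connection from port 20. The ident port (tcp/113), the packet samples and the choice to model a udp rule carrying `! -y` as rejected are assumptions made for the example.

```python
"""Model of the ipchains rules discussed above (added example, not code from the thread)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP flag bits; ignored for udp
    ack: bool = False
    fin: bool = False


@dataclass(frozen=True)
class Rule:
    """One 'ipchains -A input ... -j TARGET' rule, restricted to what the thread uses."""
    proto: str
    dport_lo: int
    dport_hi: int
    target: str
    syn: Optional[bool] = None  # True = "-y", False = "! -y", None = flag not given

    def __post_init__(self):
        # -y is only meaningful for TCP; a udp rule carrying "! -y" is the mistake
        # the thread points out. Modelling assumption: treat such a rule as rejected.
        if self.syn is not None and self.proto != "tcp":
            raise ValueError("-y / ! -y is only valid with -p tcp")


def initiates_connection(p: Packet) -> bool:
    """ipchains -y semantics: SYN set, ACK and FIN clear (a connection-opening segment)."""
    return p.proto == "tcp" and p.syn and not p.ack and not p.fin


def rule_matches(r: Rule, p: Packet) -> bool:
    if r.proto != p.proto or not (r.dport_lo <= p.dport <= r.dport_hi):
        return False
    if r.syn is None:
        return True
    return initiates_connection(p) == r.syn


def verdict(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in an ipchains chain; otherwise the chain policy."""
    for r in chain:
        if rule_matches(r, p):
            return r.target
    return policy


# The corrected rule set from the thread: ident accepted, non-SYN tcp and all udp
# to unprivileged ports accepted, everything else caught by the DENY policy.
INPUT_CHAIN = [
    Rule("tcp", 113, 113, "ACCEPT"),                 # ident lookups (assumed: tcp/113)
    Rule("tcp", 1024, 65535, "ACCEPT", syn=False),   # ... -p tcp ! -y -j ACCEPT
    Rule("udp", 1024, 65535, "ACCEPT"),              # ... -p udp -j ACCEPT (no ! -y)
]

# Constructed sample packets, seen from the firewalled host's point of view.
SAMPLES = {
    "reply to our outbound http":   Packet("tcp", 80, 40000, syn=True, ack=True),
    "new connection to high port":  Packet("tcp", 5555, 40000, syn=True),
    "dns reply":                    Packet("udp", 53, 40000),
    "active ftp data from port 20": Packet("tcp", 20, 40001, syn=True),
    "passive ftp data reply":       Packet("tcp", 50210, 40002, syn=True, ack=True),
    "ident lookup from irc server": Packet("tcp", 33000, 113, syn=True),
}


def evaluate_samples(chain: List[Rule] = INPUT_CHAIN) -> dict:
    """Verdict for every sample packet under the given chain."""
    return {name: verdict(chain, p) for name, p in SAMPLES.items()}


def udp_rule_with_syn_flag_is_rejected() -> bool:
    """The original udp line with '! -y' is rejected by the model, as ipchains would not use it."""
    try:
        Rule("udp", 1024, 65535, "ACCEPT", syn=False)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, v in evaluate_samples().items():
        print(f"{v:6}  {name}")
    print("udp rule with '! -y' rejected:", udp_rule_with_syn_flag_is_rejected())
```

The active-FTP case is the one that "breaks": the server opens the data connection from port 20 to a high port on the client, so it arrives as a fresh SYN and hits the DENY policy, whereas passive FTP has the client open the data connection outward and only the SYN/ACK reply comes back in.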

