Alexander Kushnirenko <[EMAIL PROTECTED]> writes:

[snip]

> 1. Does it have some striking errors? I bet I forgot some service...

I prefer to put the denies in /etc/hosts.allow as well; something like:

ALL : ALL : DENY

at the end, to catch anything not explicitly allowed. I also prefer to use IP addresses instead of names, in case of spoofed DNS names and DNS servers being down, so, for example, I have a line:

ALL : 127.0.0.1 192.168.117. : ALLOW

> 2. We run xntp3 to set time, but we don't want to be an NTP server. Does one
> need to allow some ntp service (NTP protocol is quite sophisticated :(

The xntp3 access control configuration is documented in /usr/doc/xntp3/html/accopt.html in the xntp3-doc package.

I'm actually using the IP firewall code in Linux 2.2.0-pre5 to provide most of the protection to my system. My ipchains rules are as follows (actually saved in /etc/ipchains.save and read by ipchains-restore in /etc/init.d/network).

-----
# Don't accept any incoming packets not explicitly permitted.
ipchains -P input DENY

# Log any attempts at forwarding.
ipchains -P forward DENY
ipchains -A forward -j DENY -l

# Doesn't matter who we talk _to_.  (The ipchains target is ACCEPT;
# ALLOW is the tcp_wrappers keyword.)
ipchains -P output ACCEPT

# Keep input rules separate for tidiness.
ipchains -N inet_in

# Accept anything on loopback interfaces.
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i dummy0 -j ACCEPT

# Check input traffic on PPP links.
ipchains -A input -i ppp+ -j inet_in

# Accept and log ident lookup connections (TCP port 113; -y matches
# only the SYN that opens a connection).
ipchains -A inet_in -d 0.0.0.0/0 113 -p TCP -j ACCEPT -l -y

# Only accept other TCP connections on ports FTP uses (and _not_ X).
ipchains -A inet_in -d 0.0.0.0/0 ! 1024:4999 -p TCP -j REJECT -l -y

# Accept NTP traffic with truechimer.waikato.ac.nz.
ipchains -A inet_in -s 130.217.76.16 123 -d 0.0.0.0/0 123 -p UDP -j ACCEPT

# Only accept other UDP traffic on non-privileged ports.
ipchains -A inet_in -d 0.0.0.0/0 0:1023 -p UDP -j REJECT -l

# Accept other traffic (including ICMP and existing TCP connections).
ipchains -A inet_in -j ACCEPT
-----

-- 
Carey Evans  http://home.clear.net.nz/pages/c.evans/

Larry froze. Was the bag a trap? He could see the way in, but the other end appeared to be sealed.
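The two properties Carey's reply recommends for /etc/hosts.allow (a trailing "ALL : ALL : DENY" catch-all, and client patterns written as IP addresses rather than names) can be checked mechanically. The following is an added example, not part of the original message: a small POSIX sh/awk script that audits a hosts.allow file for both. The function names and the two sample files are my own, constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): audit a tcp_wrappers
# hosts.allow for a trailing "ALL : ALL : DENY" and for client patterns
# given as IP addresses/prefixes rather than hostnames. Function names
# and sample files are assumptions made for this illustration.

# Print the rules of a hosts.allow file with comments, blank lines and
# backslash continuations removed, whitespace squeezed, so each rule
# becomes one "daemons:clients:option" line.
hosts_allow_rules() {
    awk '
        { sub(/#.*/, "") }                              # strip comments
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }    # join continued lines
        {
            line = buf $0; buf = ""
            gsub(/[ \t]+/, " ", line)                   # squeeze whitespace
            gsub(/ *: */, ":", line)                    # tighten field separators
            gsub(/^ +| +$/, "", line)
            if (line != "") print line
        }
    ' "$1"
}

# Exit 0 only if the last rule is the catch-all deny.
has_final_deny() {
    [ "$(hosts_allow_rules "$1" | tail -n 1)" = "ALL:ALL:DENY" ]
}

# Print each client pattern that is neither an IP address/prefix nor a
# tcp_wrappers wildcard; exit 1 if any was found, 0 otherwise.
hostname_clients() {
    hosts_allow_rules "$1" | awk -F: '
        {
            n = split($2, c, /[ ,]+/)
            for (i = 1; i <= n; i++) {
                t = c[i]
                if (t == "") continue
                if (t ~ /^[0-9.]+(\/[0-9.]+)?$/) continue   # 192.168.117. or 10.0.0.0/255.0.0.0
                if (t ~ /^(ALL|LOCAL|KNOWN|UNKNOWN|PARANOID|EXCEPT)$/) continue
                printf "rule %d: client \"%s\" is a name, not an address\n", NR, t
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample in the recommended layout (deny-all last, IP clients).
good=$(mktemp)
cat >"$good" <<'EOF'
# loopback and the local network
ALL : 127.0.0.1 192.168.117. : ALLOW
sshd : 10.0.0.0/255.255.255.0 : ALLOW
ALL : ALL : DENY
EOF

# Constructed sample with both problems: the catch-all deny comes first
# (tcp_wrappers stops at the first match, so the ALLOW below is never
# reached) and the clients are hostnames.
bad=$(mktemp)
cat >"$bad" <<'EOF'
ALL : ALL : DENY
in.ftpd : .example.org \
          ns1.example.org : ALLOW
EOF
trap 'rm -f "$good" "$bad"' EXIT

for f in "$good" "$bad"; do
    if has_final_deny "$f"; then
        echo "$f: catch-all deny is last"
    else
        echo "$f: no trailing ALL : ALL : DENY"
    fi
    hostname_clients "$f" || echo "$f: use IP addresses instead of names"
done
```

Point it at /etc/hosts.allow instead of the samples to check a real host; hostname_clients exits non-zero when it finds a name, so it fits in a cron job or a pre-install check for the file. It understands the daemon : client : option form used above; the extended options in hosts_options(5) still leave the client list in the second field, so the address check works on those lines too.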