hi andrew... imap connections will not timeout if you check for new mail regularly...
for more ipchain/iptables examples and howtos..

c ya
alvin
http://www.Linux-Sec.net ... security stuff ..

On Sun, 27 May 2001, Andrew Perrin wrote:

> Thanks for all this. The reason I'd like the masqueraded connections never
> to time out is that I'd like machines on my private network to be able to
> maintain connections indefinitely - specifically, IMAP connections. I'd
> like to be able to leave an IMAP client running on a machine and not get
> TCP/IP Port Reset errors on it.
>
> Andy
>
> ----------------------------------------------------------------------
> Andrew J Perrin - [EMAIL PROTECTED] - http://www.unc.edu/~aperrin
> Asst Professor of Sociology, U of North Carolina, Chapel Hill
> 269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA
>
>
> On Mon, 28 May 2001, Tobias Galitzien wrote:
>
> > Do something like:
> >
> > # for initialisation - deny everything that will not be allowed later...
> >
> > ipchains -P input DENY
> > ipchains -P forward DENY
> > ipchains -P output DENY
> > ipchains -F
> >
> > # allow local things
> >
> > ipchains -A input -j ACCEPT -i lo
> > ipchains -A output -j ACCEPT -i lo
> >
> > # allow SSH connections from eth1 (and reply packets)
> >
> > ipchains -A input -j ACCEPT -p tcp -i eth1 -s 0.0.0.0/0 1024: -d <IP of eth1> 22
> > ipchains -A output -j ACCEPT -p tcp -i eth1 -d 0.0.0.0/0 1024: -s <IP of eth1> 22
> >
> > AFAIR you don't have to worry about response packets from masqueraded
> > connections. They will bypass the input and output chains.
> >
> > For the timeout of masquerading see the -S option of ipchains. I think it is
> > not the best idea to make connections never time out (quite sure it is not
> > even possible) because you will eventually run out of port numbers. Just set
> > it to a reasonably high value - like one hour - don't know what the max is.