Actually, yes. There's a whole bunch I left out of a much larger IPChains
ruleset, including a beginning global DENY. But at the very end of the
chain you have to reset the default policies for input and output to ACCEPT
(forward you can leave as default DENY). I've tried it with a default DENY
and haven't gotten it to work (and nothing I've read seems to indicate it
will). That's why I allow specific traffic and then make sure I have a
DENY at the end of each chain (and then pray I diagrammed everything
correctly....).
Obviously what I've done isn't the only way to do this. It's just the best
I've come up with to date (and it works pretty well here in my test
environment, although I haven't beaten on it in any really sophisticated
manner). If you can come up with a forwarding scheme which is demonstrated
to work with a default DENY then I, and probably a bunch of other people,
would love to hear about it.
At 12:11 PM 11/7/2000 -0600, Tomas Huynh wrote:
> ->
> -> I've also got rules on defender which allow specific traffic to it,
> with a
> -> big DENY at the end. The default input and output policies will have
> to be
> -> ACCEPT or the whole deal is off.
> ->
>
>Isn't it generally a good idea to first DENY everything, and then
>allow only the traffic you want to come in/out/forward...
>i.e., as the start:
> /sbin/ipchains -P forward -j DENY
> /sbin/ipchains -P input -j DENY
> /sbin/ipchains -P output -j REJECT
>
>Then, the rest of "ACCEPT" rule sets.
>
>
>Regards,
>-t
--
Eric N. Valor
[EMAIL PROTECTED]
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
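As an added example that is not part of this thread, a small script laid out the way the post describes: default policies ACCEPT on input and output, DENY on forward, a short list of permitted traffic, and an explicit logged DENY closing each chain. ADMIN_NET, RESOLVER and the dry-run wrapper are assumptions for illustration, not anything from the original mail.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal ipchains script in the shape
# Eric describes. Default policies are ACCEPT on input/output and DENY on
# forward; each chain lists the traffic it permits and ends with an explicit,
# logged DENY. ADMIN_NET and RESOLVER are assumed values for illustration.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed: network allowed to SSH in
RESOLVER="${RESOLVER:-192.168.1.1}"        # assumed: the host's DNS server
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the rules, 0 = load them

# run: in dry-run mode print the command; otherwise hand it to ipchains.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        /sbin/ipchains "$@"
    fi
}

build_ruleset() {
    run -F                            # flush every rule in the built-in chains
    run -P input ACCEPT               # the chain-end DENY rule does the enforcing
    run -P output ACCEPT
    run -P forward DENY               # forward stays default-DENY

    # input: loopback, established TCP (no SYN flag), SSH from the admin net,
    # DNS replies from our resolver, then the catch-all DENY (-l logs the hit)
    run -A input -i lo -j ACCEPT
    run -A input -p tcp ! -y -j ACCEPT
    run -A input -p tcp -s "$ADMIN_NET" -d 0/0 22 -j ACCEPT
    run -A input -p udp -s "$RESOLVER" 53 -d 0/0 -j ACCEPT
    run -A input -j DENY -l

    # output: loopback, replies on accepted TCP connections, DNS queries to
    # the resolver, then the catch-all DENY
    run -A output -i lo -j ACCEPT
    run -A output -p tcp ! -y -j ACCEPT
    run -A output -p udp -s 0/0 -d "$RESOLVER" 53 -j ACCEPT
    run -A output -j DENY -l
}

# last_rule CHAIN: the final rule appended to CHAIN, which must be the DENY.
last_rule() {
    build_ruleset | grep -- "-A $1 " | tail -n 1
}

build_ruleset
```

Run it with DRY_RUN=0 as root to load the rules; in dry-run mode it only prints them, which is handy for checking that the DENY really is the last rule of each chain before trusting the diagram.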