Terry:

Thanks for the offer. I'd be very interested in seeing this script file. I got myself mightily confused Monday night during the discussion of ipchains. I have a feeling that if I set up an ipchains firewall based on my notes from Monday, it would probably have some sort of matter/anti-matter explosion.

So, if you could post it, that would give some of us a chance to learn a little about ipchains before next month's firewall meeting.

best regards,
Mike

-----Original Message-----
From: Terry Stockdale [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 06, 2001 9:03 PM
To: [EMAIL PROTECTED]
Subject: [brluglist] ipchains ruleset

If anyone is interested, I'm willing to post or share my ipchains script file. It's mostly commented. I set it up to run from /etc/rc.d/rc3.d and also to kick off hourly from my crontab. There are probably 150 or so rules.

I used MASQ to forward from my internal net through the cable modem. The firewall machine was the only one with a real IP address, and it was locked pretty tight from the internet side. Occasionally, I would want to ncftp from the firewall to the Internet, so I'd open a port or two. That's the reason for the crontab entry.

Almost all rules keyed to which interface was involved. Most rules used $variables for names and numbers, so I had a configuration section at the beginning. At one time, pre-cable modem, I played ifconfig games to determine the IP address on the dynamic dialup, so that code is still there but commented. I also put in some code, untested as I never got around to playing with it, for a DMZ.

I tended to log stuff unless it was just swamping the log files. I also structured it to block a lot of invalid stuff coming in, and to block private networks both inbound and outbound. As I recall, detailed working examples are hard to come by -- something about the keys to the kingdom.

I've moved to a Linksys cablemodem/dsl router, so the Linux firewall is no longer (for now, at least). I used these rules, with a few updates, for a couple of years.

Let me know.

Terry
--
Terry Stockdale -- [EMAIL PROTECTED] -- Baton Rouge, LA
website: http://www.dadstoy.net
PalmOS(R) Apps: http://www.dragonlode.com

================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to [EMAIL PROTECTED] to change your subscription information.
================================================
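For readers who, like Mike, want to see what a script of the kind Terry describes looks like before the next meeting, here is an added example. It is not Terry's script (which was never posted in this thread) but a skeleton written for this page in the same structure: a configuration section of $variables, default-deny policies, rules keyed to the interface, private networks blocked and logged in both directions on the Internet side, and MASQ forwarding from the internal net through the cable modem. The interface names and addresses are constructed placeholders, and the IPCHAINS variable defaults to echoing the commands so the ruleset can be reviewed on any machine without touching the kernel; run it as root with IPCHAINS=ipchains on a 2.2-era kernel to apply it.

```shell
#!/bin/sh
# Added example of an ipchains ruleset skeleton; not Terry's script.
# All names and addresses below are constructed placeholders.
# IPCHAINS defaults to "echo ipchains" (dry run). Set IPCHAINS=ipchains to apply.

IPCHAINS="${IPCHAINS:-echo ipchains}"

# ---- configuration section: change these, not the rules ----
EXTIF="eth0"               # interface facing the cable modem (assumed)
INTIF="eth1"               # interface facing the internal LAN (assumed)
INTNET="192.168.1.0/24"    # internal network behind the firewall (assumed)
EXTIP="203.0.113.5"        # firewall's public address (documentation range)

# RFC 1918 and loopback ranges that must never cross the Internet interface.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# Start from a clean slate with every chain defaulting to DENY.
flush_and_default_deny() {
    $IPCHAINS -F input
    $IPCHAINS -F output
    $IPCHAINS -F forward
    $IPCHAINS -P input DENY
    $IPCHAINS -P output DENY
    $IPCHAINS -P forward DENY
}

# Private/loopback addresses on the external interface, inbound or outbound,
# are either misconfiguration or spoofing: deny and log (-l) them.
block_private_nets() {
    for net in $PRIVATE_NETS; do
        $IPCHAINS -A input  -i "$EXTIF" -s "$net" -j DENY -l
        $IPCHAINS -A input  -i "$EXTIF" -d "$net" -j DENY -l
        $IPCHAINS -A output -i "$EXTIF" -s "$net" -j DENY -l
        $IPCHAINS -A output -i "$EXTIF" -d "$net" -j DENY -l
    done
    # Packets claiming our own internal range but arriving from outside are spoofed.
    $IPCHAINS -A input -i "$EXTIF" -s "$INTNET" -j DENY -l
}

# Loopback and the internal LAN are trusted on their own interfaces only.
allow_local_and_internal() {
    $IPCHAINS -A input  -i lo -j ACCEPT
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A input  -i "$INTIF" -s "$INTNET" -j ACCEPT
    $IPCHAINS -A output -i "$INTIF" -d "$INTNET" -j ACCEPT
}

# Masquerade internal hosts out through the cable modem and let replies back in.
masquerade_internal() {
    if [ "$IPCHAINS" = "ipchains" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward   # only when really applying
    fi
    $IPCHAINS -A forward -i "$EXTIF" -s "$INTNET" -j MASQ
    $IPCHAINS -A output  -i "$EXTIF" -s "$EXTIP" -j ACCEPT
    # -y matches only SYN packets, so "! -y" admits traffic on connections we
    # opened while refusing new inbound TCP connects.
    $IPCHAINS -A input -i "$EXTIF" -p tcp ! -y -d "$EXTIP" -j ACCEPT
    $IPCHAINS -A input -i "$EXTIF" -p udp -d "$EXTIP" 1024:65535 -j ACCEPT
    $IPCHAINS -A input -i "$EXTIF" -p icmp -d "$EXTIP" -j ACCEPT
}

# Anything else arriving from the Internet is dropped and logged.
log_and_deny_rest() {
    $IPCHAINS -A input -i "$EXTIF" -j DENY -l
}

build_ruleset() {
    flush_and_default_deny
    block_private_nets
    allow_local_and_internal
    masquerade_internal
    log_and_deny_rest
}

build_ruleset
```

Because every rule goes through $IPCHAINS, the same file serves as both the boot-time script and a reviewable listing: run it with the default dry-run setting and read the emitted commands to check that the private-network and anti-spoofing rules precede the ACCEPT rules, since ipchains evaluates a chain top to bottom and stops at the first match.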
