I prefer keeping these discussions on the list, so I've added leaf-user 
back in.

The first general ACCEPT line you previously asked about is at the end of 
the input chain. It appears three rules below this rule:

     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             n/a

which has the effect of DENYing all packets from the external interface 
(eth0) that were not handled by some prior rule. So the general ACCEPT line 
will only apply to packets coming from internal interfaces and should 
present no problem.

Someone else will have to tell you why the default is to ACCEPT ospf 
packets; that I do not know.

The second general ACCEPT, the one on the output chain, also follows a 
bunch of specific rules that should block all the departing packets you 
want to block. There may be a specific problem with some prior rule -- I 
didn't read through the ruleset that carefully --  but the closing ACCEPT 
rule applies only to packets that have run past these specific screens.

More specific help would require my knowing more about your setup. I've 
responded based on your having a single external interface and a single 
internal interface. From the forward chain, it appears that you might be 
running a third interface and a DMZ, providing http and DNS services to 
offsite hosts and/or the LAN (and maybe POP3 to LAN hosts? but not an SMTP 
server?). The rules look OK for that, though the input chain could be a bit 
tighter (ACCEPT'ing only reply packets to the 1024:65535 ports ... though 
the real risk here is modest at worst).

At 09:40 PM 6/28/02 -0600, Abjin M H wrote:
>Thanks Ray, here is my output from the command ipchains -nvL. I am using 
>DachsteinCD-V-1.2.0.
>I was mentioning
>
>     0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             n/a
>
>     0     0 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
>
>     0     0 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
>
>Is it OK to have these three lines? If you would like to see my 
>network.conf I can send it.
>Thanks for any help
>
>Abjin
>
>Chain input (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source               destination           ports
>     0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             5 ->   *
>     0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             13 ->   *
>     0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             14 ->   *
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0              0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           255.255.255.255      0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           127.0.0.0/8          0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           224.0.0.0/4          0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           10.0.0.0/8           0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           172.16.0.0/12        0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           192.168.0.0/16       0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/8            0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           128.0.0.0/16         0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           191.255.0.0/16       0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           192.0.0.0/24         0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           223.255.255.0/24     0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           240.0.0.0/4          0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           192.168.1.0/24       0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           24.72.35.91          0.0.0.0/0             n/a
>     0     0 REJECT     all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0            127.0.0.0/8           n/a
>     0     0 REJECT     all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0            192.168.1.0/24        n/a
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   137
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   135
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   137
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   135
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   138:139
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   138
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             137:138 ->   *
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             135 ->   *
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             137:139 ->   *
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             135 ->   *
>     0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   80
>     0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   53
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   113
>     0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
>     0     0 REJECT     udp  ----l- 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   161:162
>     0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   53
>     0     0 DENY       udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   67
>     0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   1024:65535
>     0     0 ACCEPT     icmp ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   *
>     0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             n/a
>     0     0 REJECT     udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             * ->   161:162
>     0     0 REJECT     udp  ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             161:162 ->   *
>     0     0 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
>Chain forward (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source               destination           ports
>     0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             5 ->   *
>     0     0 MASQ       udp  ------ 0xFF 0x00  *                              192.168.1.2          0.0.0.0/0             53 ->   *
>     0     0 MASQ       tcp  ------ 0xFF 0x00  *                              192.168.1.5          0.0.0.0/0             80 ->   *
>     0     0 MASQ       tcp  ------ 0xFF 0x00  *                              192.168.1.5          0.0.0.0/0             110 ->   *
>     0     0 MASQ       all  ------ 0xFF 0x00  eth0                           192.168.1.0/24       0.0.0.0/0             n/a
>     0     0 DENY       all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
>Chain output (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source               destination           ports
>     0     0 fairq      all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0              0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           255.255.255.255      0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           127.0.0.0/8          0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           224.0.0.0/4          0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           10.0.0.0/8           0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           172.16.0.0/12        0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           192.168.0.0/16       0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/8            0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           128.0.0.0/16         0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           191.255.0.0/16       0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           192.0.0.0/24         0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           223.255.255.0/24     0.0.0.0/0             n/a
>     0     0 DENY       all  ----l- 0xFF 0x00  eth0                           240.0.0.0/4          0.0.0.0/0             n/a
>     0     0 DENY       all  ------ 0xFF 0x00  eth0                           192.168.1.0/24       0.0.0.0/0             n/a
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   137
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   135
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   137
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   135
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   138:139
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             * ->   138
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             137:138 ->   *
>     0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             135 ->   *
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             137:139 ->   *
>     0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0            0.0.0.0/0             135 ->   *
>     0     0 ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0            0.0.0.0/0             n/a
>Chain fairq (1 references):
>  pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source               destination           ports
>     0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             n/a
>     0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             n/a
>     0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             * ->   520
>     0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             520 ->   *
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             * ->   179
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             179 ->   *
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             * ->   53
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             53 ->   *
>     0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             * ->   53
>     0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0            0.0.0.0/0             53 ->   *
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0            0.0.0.0/0             * ->   23
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0            0.0.0.0/0             23 ->   *
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0            0.0.0.0/0             * ->   22
>     0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0            0.0.0.0/0             22 ->   *
>
>Ray Olszewski wrote:
[old stuff deleted]


--
-----------------------------------------------"Never tell me the 
odds!"--------------
Ray Olszewski                                        -- Han Solo
Palo Alto, California, USA                              [EMAIL PROTECTED]
-------------------------------------------------------------------------------------------
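To make the ordering argument in Ray's reply concrete, here is a small first-match simulator for the posted input chain (an added example, not code from either poster or from the LEAF/Dachstein project). The chain below is a constructed subset of the rules Abjin posted, in their original order; the internal interface name eth1 and the external address 203.0.113.7 are assumptions. It also models the tightening Ray mentions, as the kind of rule ipchains expresses with `! -y` (match only packets without the SYN flag, i.e. replies rather than new connections).

```python
import ipaddress

# Constructed subset of the posted input chain, in listing order. Fields:
# in-interface ('*' = any), protocol, source, dest port range (None = n/a),
# SYN requirement (None = any, False = only non-SYN, like ipchains "! -y"), target.
INPUT_CHAIN = [
    ("eth0", "all",  "10.0.0.0/8",     None,          None,  "DENY"),    # anti-spoof
    ("eth0", "all",  "192.168.0.0/16", None,          None,  "DENY"),
    ("eth0", "tcp",  "0.0.0.0/0",      (137, 139),    None,  "REJECT"),  # NetBIOS
    ("eth0", "tcp",  "0.0.0.0/0",      (80, 80),      None,  "ACCEPT"),  # web
    ("eth0", "tcp",  "0.0.0.0/0",      (53, 53),      None,  "ACCEPT"),  # DNS
    ("eth0", "tcp",  "0.0.0.0/0",      (1024, 65535), None,  "ACCEPT"),  # as posted
    ("eth0", "ospf", "0.0.0.0/0",      None,          None,  "ACCEPT"),
    ("eth0", "all",  "0.0.0.0/0",      None,          None,  "DENY"),    # eth0 catch-all
    ("*",    "all",  "0.0.0.0/0",      None,          None,  "ACCEPT"),  # general ACCEPT
]
POLICY = "DENY"  # chain policy, used only when no rule matches

def evaluate(chain, iface, proto, src, dport=None, syn=False):
    """Return (target, rule index) of the first matching rule, ipchains-style."""
    for idx, (r_if, r_proto, r_src, r_ports, r_syn, target) in enumerate(chain):
        if r_if != "*" and r_if != iface:
            continue
        if r_proto != "all" and r_proto != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r_src):
            continue
        if r_ports is not None and (dport is None or not r_ports[0] <= dport <= r_ports[1]):
            continue
        if r_syn is not None and r_syn != syn:
            continue
        return target, idx
    return POLICY, None

# The tightening Ray suggests: accept the high ports from eth0 only for non-SYN
# packets (replies), so a new inbound connection falls through to the eth0 DENY.
TIGHTENED = [r[:4] + (False,) + r[5:] if r[3] == (1024, 65535) else r for r in INPUT_CHAIN]

if __name__ == "__main__":
    ext = "203.0.113.7"  # constructed external address
    print(evaluate(INPUT_CHAIN, "eth0", "tcp", ext, 22, syn=True))            # ('DENY', 7)
    print(evaluate(INPUT_CHAIN, "eth1", "tcp", "192.168.1.5", 22, syn=True))  # ('ACCEPT', 8)
    print(evaluate(INPUT_CHAIN, "eth0", "tcp", ext, 1025, syn=True))          # ('ACCEPT', 5)
    print(evaluate(TIGHTENED, "eth0", "tcp", ext, 1025, syn=True))            # ('DENY', 7)
    print(evaluate(TIGHTENED, "eth0", "tcp", ext, 1025, syn=False))           # ('ACCEPT', 5)
```

The first two results show why the closing ACCEPT never sees eth0 traffic: the eth0 catch-all DENY sits in front of it, so only packets arriving on other interfaces reach it.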