My setup is: I have my eth0 connected to a cable modem, and I have DNS, SMTP, POP3 and HTTP servers running inside the network.
Thank you

Abjin

Ray Olszewski wrote:
> I prefer keeping these discussions on the list, so I've added leaf-user
> back in.
>
> The first general ACCEPT line you previously asked about is at the end of
> the input chain. It appears three rules below this rule:
>
> 0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
>
> which has the effect of DENYing all packets from the external interface
> (eth0) that were not handled by some prior rule. So the general ACCEPT line
> will only apply to packets coming from internal interfaces and should
> present no problem.
>
> Someone else will have to tell you why the default is to ACCEPT ospf
> packets; that I do not know.
>
> The second general ACCEPT, the one on the output chain, also follows a
> bunch of specific rules that should block all the departing packets you
> want to block. There may be a specific problem with some prior rule -- I
> didn't read through the ruleset that carefully -- but the closing ACCEPT
> rule applies only to packets that have run past these specific screens.
>
> More specific help would require my knowing more about your setup. I've
> responded based on your having a single external interface and a single
> internal interface. From the forward chain, it appears that you might be
> running a third interface and a DMZ, providing http and DNS services to
> offsite hosts and/or the LAN (and maybe POP3 to LAN hosts? but not an SMTP
> server?). The rules look OK for that, though the input chain could be a bit
> tighter (ACCEPT'ing only reply packets to the 1024:65535 ports ... though
> the real risk here is modest at worst).
>
> --
> -----------------------------------------------"Never tell me the odds!"--------------
> Ray Olszewski -- Han Solo
> Palo Alto, California, USA [EMAIL PROTECTED]

-------------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
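As an added illustration of the rule-ordering point made in the reply above (this is not code from the original message, and not the poster's actual ruleset, which is not shown on the page), the following Python models ipchains' first-match evaluation of an input chain built in the same shape: per-service ACCEPTs, a catch-all DENY on eth0, then a general ACCEPT. It also shows the tightening Ray suggests, restricting the 1024:65535 ACCEPT to reply packets (ipchains `! -y`, i.e. anything that is not a bare SYN). The interfaces, addresses, ports and sample packets are constructed assumptions.

```python
# Added example: first-match evaluation of an ipchains-style input chain.
# The rules, interfaces and addresses below are constructed for illustration
# and are not the poster's ruleset.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str          # interface the packet arrived on (ipchains -i)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # destination port (0 for icmp)
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class Rule:
    target: str                              # ACCEPT, DENY or REJECT
    iface: Optional[str] = None              # None = any interface
    proto: Optional[str] = None              # None = any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: Optional[Tuple[int, int]] = None # inclusive destination port range
    syn: Optional[bool] = None               # True = -y, False = ! -y, None = either

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


def run_chain(rules: List[Rule], p: Packet, policy: str = "DENY") -> Tuple[str, int]:
    """ipchains semantics: the first matching rule decides; else the chain policy.
    Returns (target, index of the deciding rule, or -1 for the policy)."""
    for idx, rule in enumerate(rules):
        if rule.matches(p):
            return rule.target, idx
    return policy, -1


EXT = "eth0"             # assumed external interface (cable modem side)
LAN = "eth1"             # assumed internal interface
FW_IP = "203.0.113.10"   # assumed public address of the firewall (TEST-NET-3)


def input_chain(reply_only: bool) -> List[Rule]:
    """Input chain shaped like the one discussed: service rules, a catch-all
    DENY on eth0, then a general ACCEPT that only internal traffic can reach."""
    return [
        Rule("ACCEPT", EXT, "tcp", dst=FW_IP, dports=(80, 80)),   # public http
        Rule("ACCEPT", EXT, "udp", dst=FW_IP, dports=(53, 53)),   # public dns
        # replies to connections opened from inside; tight form adds "! -y"
        Rule("ACCEPT", EXT, "tcp", dst=FW_IP, dports=(1024, 65535),
             syn=False if reply_only else None),
        Rule("DENY", EXT),   # the "0 0 DENY all ... eth0 0.0.0.0/0 0.0.0.0/0" rule
        Rule("ACCEPT"),      # general ACCEPT: only non-eth0 packets get this far
    ]


def decide(reply_only: bool, p: Packet) -> str:
    return run_chain(input_chain(reply_only), p)[0]


# constructed sample packets
NEW_CONN_HIGH_PORT = Packet(EXT, "tcp", "198.51.100.7", FW_IP, 8080, syn=True)
REPLY_HIGH_PORT = Packet(EXT, "tcp", "198.51.100.7", FW_IP, 40000, syn=False)
EXT_SMTP = Packet(EXT, "tcp", "198.51.100.7", FW_IP, 25, syn=True)
LAN_SSH = Packet(LAN, "tcp", "192.168.1.20", "192.168.1.1", 22, syn=True)

if __name__ == "__main__":
    for name, p in [("new SYN to 8080 from outside", NEW_CONN_HIGH_PORT),
                    ("reply to port 40000 from outside", REPLY_HIGH_PORT),
                    ("SYN to SMTP from outside", EXT_SMTP),
                    ("SYN to SSH from the LAN", LAN_SSH)]:
        print(f"{name:36s} loose={decide(False, p):6s} tight={decide(True, p)}")
```

Running it shows the two things the reply explains: a packet from eth0 that no service rule accepts (the SMTP SYN) is stopped by the eth0 catch-all DENY at index 3 and never reaches the general ACCEPT, while the LAN packet skips every eth0 rule and is decided by the general ACCEPT at index 4. The loose 1024:65535 rule also lets a fresh SYN to an unprivileged port such as 8080 through from outside; with `! -y` only the reply packet is accepted, which is the tightening the reply describes.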
