Linux-Networking Digest #372, Volume #12 Thu, 26 Aug 99 12:13:32 EDT
Contents:
Re: Firewall Rules ("YouDontKnowWho")
----------------------------------------------------------------------------
From: "YouDontKnowWho" <[EMAIL PROTECTED]>
Subject: Re: Firewall Rules
Date: Thu, 26 Aug 1999 14:59:23 GMT
I went to the site mentioned below (http://rlz.ne.mediaone.net/linux)
and must say it's pretty good. Not only does the author explain
everything crystal clear, he provides two sample firewall scripts that
are about as complete as I've seen. I mean, these things have at
least 75-100 individual rules. One sample uses ipfwadm, the other
ipchains.
For a newbie like me, this is GOLD. In the process of learning about
firewalls, not only did I get good instruction, I had a lot of the
work already done for me.
Having said that, I need to add a couple of things about the scripts:
1. I'm sure this can happen with anything, but I found out that the
scripts are so tight, that if a newsgroup request gets redirected to a
server other than the one you've specified, all packets from the
second server get blocked and you don't really know why. This is not
a bad thing, just something to watch out for.
2. The scripts rely on certain environment variables being set, some
of which I found quite tricky to assign, since my distribution
(Caldera OL 2.2.) doesn't go about starting up the network the way the
author's apparently does. No big deal, though. Even for a scripting
newbie such as myself, it wasn't that difficult.
Overall, this is a damn good site and the firewall scripts seem to be
extremely secure and usable basically as they come.
--
Principle of Minimum Access: "That which is not explicitly permitted
is denied."
ANNOUNCER: And now we return to our regularly scheduled, uncommonly
entertaining thread...
Mark Post wrote in message <37c4a609.187676524@news>...
>On Wed, 25 Aug 1999 15:23:48 -0000, "Robert_Glover"
><Please_reply_to@newsgroup> wrote:
>
>-snip-
>>PS. Okay, some of that was tongue-in-cheek -- I'm not really that bad,
>>but I do want to see the "paranoid" rules.
>
>Here's what I created today by using the web-based tool at
>http://rlz.ne.mediaone.net/linux/firewall/index.html
>
>
>#
>#---------------------------------------------------------------------=======
># Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
>#
># Permission to use, copy, modify, and distribute this software and its
># documentation for educational, research, private and non-profit purposes,
># without fee, and without a written agreement is hereby granted.
># This software is provided as an example and basis for individual firewall
># development. This software is provided without warranty.
>#
># Any material furnished by Robert L. Ziegler is furnished on an
># "as is" basis. He makes no warranties of any kind, either expressed
># or implied as to any matter including, but not limited to, warranty
># of fitness for a particular purpose, exclusivity or results obtained
># from use of the material.
>#
>#---------------------------------------------------------------------=======
>#
># /etc/rc.d/rc.firewall
># Invoked from /etc/sysconfig/network-scripts/ifdhcpc-done.
>
>echo "Starting firewalling... "
>
># Some definitions for easy maintenance.
>
>ANYWHERE="any/0"
>
>#
>#---------------------------------------------------------------------=======
># EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
>
>EXTERNAL_INTERFACE="eth0" # whichever you use
>LOCAL_INTERFACE_1="eth1" # whichever you use
>LOCALNET_1="192.168.0.10/24" # whatever private range you use
>
>SMTP_SERVER="any/0" # Your external server. Your relay.
>POP_SERVER="pop.server.com" # Your external server.
>NEWS_SERVER="news.server.com"
>WEB_PROXY_SERVER="proxy.server.com"
>
>NAMESERVER_1="123.456.78.91"
>NAMESERVER_2="123.456.79.91"
>
>#
>#---------------------------------------------------------------------=======
>
>IPADDR="123.45.67.89"
>LOOPBACK_INTERFACE="lo"
>LOOPBACK="127.0.0.0/8"
>CLASS_A="10.0.0.0/8"
>CLASS_B="172.16.0.0/12"
>CLASS_C="192.168.0.0/16"
>MULTICAST="240.0.0.0/3"
>BROADCAST_0="0.0.0.0"
>BROADCAST_1="255.255.255.255"
>PRIVPORTS="0:1023"
>UNPRIVPORTS="1024:65535"
>RESTRICTED_PORTS="2049" # (TCP/UDP) NFS
>RESTRICTED_OPENWINDOWS="2000" # (TCP) openwindows
>OPENWINDOWS_EXCEPTION="my.openwindows.machine"
>
># X Windows port allocation begins at 6000 and increments
># for each additional server running.
>RESTRICTED_XWINDOWS="6000:6001" # (TCP) X windows
>XWINDOWS_EXCEPTION="my.xwindows.machine"
>
># SSH starts at 1023 and works down to 513 for
># each additional simultaneous incoming connection.
>SSH_PORTS="1020:1023" # range for SSH privileged ports
>
>#
>#---------------------------------------------------------------------=======
># Default policy is DENY
># Explicitly accept desired INCOMING & OUTGOING connections
>
> # Remove all existing rules belonging to this filter
> ipchains -F
>
> # Set the default policy of the filter to deny.
> ipchains -P input DENY
> ipchains -P output DENY
> ipchains -P forward DENY
>
>#
>#---------------------------------------------------------------------=======
># Network Ghouls
># Deny access to jerks
>
> # /etc/rc.d/rc.firewall.blocked contains a list of
> # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
> # rules to block from any access.
>
> # Refuse any connection from problem sites
> if [ -f /etc/rc.d/rc.firewall.blocked ]; then
> . /etc/rc.d/rc.firewall.blocked
> fi
>
>#
>#---------------------------------------------------------------------=======
># SPOOFING & BAD ADDRESSES
># Refuse spoofed packets.
># Ignore blatantly illegal source addresses.
># Protect yourself from sending to bad addresses.
>
> # Refuse spoofed packets pretending to be to or from the external address.
> ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY
> ipchains -A output -i $EXTERNAL_INTERFACE -d $IPADDR -l -j REJECT
>
> # Refuse packets claiming to be to or from a Class A private network
> ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j DENY
> ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j DENY
> ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -l -j REJECT
> ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -l -j REJECT
>
> # Refuse packets claiming to be to or from a Class B private network
> ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j DENY
> ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -l -j DENY
> ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -l -j REJECT
> ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -l -j REJECT
>
> # Refuse packets claiming to be to or from a Class C private network
> ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j DENY
> ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -l -j DENY
> ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j REJECT
> ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -l -j REJECT
>
> # Refuse packets claiming to be to or from the loopback interface
> ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j DENY
> ipchains -A input -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j DENY
> ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -l -j REJECT
> ipchains -A output -i $EXTERNAL_INTERFACE -d $LOOPBACK -l -j REJECT
>
> # Refuse broadcast address SOURCE packets
> ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_1 -l -j DENY
> ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_0 -l -j DENY
>
> # Refuse multicast/anycast/broadcast addresses (in.h) (NET-3-HOWTO)
> ipchains -A input -i $EXTERNAL_INTERFACE -s $MULTICAST -l -j DENY
>
>#
>#---------------------------------------------------------------------=======
># ICMP
>
> # To prevent denial of service attacks based on ICMP bombs, filter
> # incoming Redirect (5) and outgoing Destination Unreachable (3).
> # Note, however, disabling Destination Unreachable (3) is not
> # advisable, as it is used to negotiate packet fragment size.
>
> # For bi-directional ping.
> # Message Types: Echo_Reply (0), Echo_Request (8)
> # To prevent attacks, limit the src addresses to your ISP range.
> #
> # For outgoing traceroute.
> # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
> # default UDP base: 33434 to base+nhops-1
> #
> # For incoming traceroute.
> # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
> # To block this, deny OUTGOING 3 and 11
>
> # 0: Echo_Reply
> # 3: Dest_Unreachable, Network_Unavailable, Service_Unavailable, etc.
> # 4: Source_Quench
> # 5: Redirect
> # 8: Echo_Request
> # 11: Time_Exceeded
> # 12: Parameter_Problem
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 0 -d $IPADDR -l -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 3 -d $IPADDR -l -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 4 -d $IPADDR -l -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 11 -d $IPADDR -l -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 12 -d $IPADDR -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR 3 -d $ANYWHERE -l -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR 4 -d $ANYWHERE -l -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR 8 -d $ANYWHERE -l -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR 12 -d $ANYWHERE -l -j ACCEPT
>
>#
>#---------------------------------------------------------------------=======
># Disallow certain outgoing traffic to protect yourself from mistakes.
>
> # openwindows: establishing a connection
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $IPADDR \
> -d $OPENWINDOWS_EXCEPTION $RESTRICTED_OPENWINDOWS -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $IPADDR \
> -d $ANYWHERE $RESTRICTED_OPENWINDOWS -j REJECT
>
> # Xwindows: establishing a connection
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $IPADDR \
> -d $XWINDOWS_EXCEPTION $RESTRICTED_XWINDOWS -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $IPADDR \
> -d $ANYWHERE $RESTRICTED_XWINDOWS -j REJECT
>
>#
>#---------------------------------------------------------------------=======
># LOOPBACK
>
> # Unlimited traffic on the loopback interface.
> ipchains -A input -i $LOOPBACK_INTERFACE -l -j ACCEPT
> ipchains -A output -i $LOOPBACK_INTERFACE -l -j ACCEPT
>
>#
>#---------------------------------------------------------------------=======
># NOTE:
># The symbolic names used in /etc/services for the port numbers vary by
># supplier. Using them is less error prone and more meaningful, though.
>
>#
>#---------------------------------------------------------------------=======
># TCP UNPRIVILEGED PORTS
># Avoid ports subject to protocol & system administration problems.
>
> # Deny access to the NFS, openwindows and X windows unprivileged ports
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> -d $IPADDR $RESTRICTED_PORTS -l -j DENY
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $OPENWINDOWS_EXCEPTION \
> -d $IPADDR $RESTRICTED_OPENWINDOWS -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> -d $IPADDR $RESTRICTED_OPENWINDOWS -l -j DENY
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $XWINDOWS_EXCEPTION \
> -d $IPADDR $RESTRICTED_XWINDOWS -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> -d $IPADDR $RESTRICTED_XWINDOWS -l -j DENY
>
> # SOCKS: incoming connection
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> -s $ANYWHERE \
> -d $IPADDR 1080 -j DENY
>
>#
>#---------------------------------------------------------------------=======
># UDP UNPRIVILEGED PORTS
># Avoid ports subject to protocol & system administration problems.
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -d $IPADDR $RESTRICTED_PORTS -l -j DENY
>
> # UDP INCOMING TRACEROUTE
> # traceroute usually uses -S 32769:65535 -D 33434:33523
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s $ANYWHERE 32769:65535 \
> -d $IPADDR 33434:33523 -l -j DENY
>
>#
>#---------------------------------------------------------------------=======
> # DNS client (53)
> # ---------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s $NAMESERVER_1 53 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER_1 53 -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $NAMESERVER_1 53 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER_1 53 -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s $NAMESERVER_2 53 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER_2 53 -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $NAMESERVER_2 53 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER_2 53 -l -j ACCEPT
>
>#
>#---------------------------------------------------------------------=======
> # TCP accept only on selected ports
> # ---------------------------------
>
># ------------------------------------------------------------------
>
> # SSH server (22)
> # ---------------
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> -s $ANYWHERE $UNPRIVPORTS \
> -d $IPADDR 22 -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 22 \
> -d $ANYWHERE $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> -s $ANYWHERE $SSH_PORTS \
> -d $IPADDR 22 -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 22 \
> -d $ANYWHERE $SSH_PORTS -l -j ACCEPT
>
> # SSH client (22)
> # ---------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 22 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 22 -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 22 \
> -d $IPADDR $SSH_PORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $SSH_PORTS \
> -d $ANYWHERE 22 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # HTTP client (80)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 80 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 80 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # HTTPS client (443)
> # ------------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 443 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 443 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # WWW-CACHE client ()
> # ----------------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $WEB_PROXY_SERVER \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $WEB_PROXY_SERVER -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # POP client (110)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $POP_SERVER 110 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $POP_SERVER 110 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # NNTP NEWS client (119)
> # ----------------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $NEWS_SERVER 119 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NEWS_SERVER 119 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # FINGER client (79)
> # ------------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 79 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 79 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # AUTH server (113)
> # -----------------
>
> # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> -s $ANYWHERE \
> -d $IPADDR 113 -l -j REJECT
>
> # AUTH client (113)
> # -----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 113 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 113 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # SMTP client (25)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $SMTP_SERVER 25 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $SMTP_SERVER 25 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # SOCKS5 client (1080)
> # --------------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 1080 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 1080 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # IRC client (6667)
> # -----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 6667 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 6667 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # FTP client (20, 21)
> # -------------------
>
> # outgoing request
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 21 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 21 -l -j ACCEPT
>
> # NORMAL mode data channel
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> -s $ANYWHERE 20 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> # NORMAL mode data channel responses
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 20 -l -j ACCEPT
>
> # PASSIVE mode data channel creation
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE $UNPRIVPORTS -l -j ACCEPT
>
> # PASSIVE mode data channel responses
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE $UNPRIVPORTS \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # WHOIS client (43)
> # -----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $ANYWHERE 43 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $ANYWHERE 43 -l -j ACCEPT
>
>#
>#---------------------------------------------------------------------=======
># UDP accept only on selected ports
># ---------------------------------
>
>
># ------------------------------------------------------------------
>
> # NTP TIME clients (123)
> # ----------------------
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s time.server1.com 123 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> -d time.server1.com 123 -l -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s time.server2.com 123 \
> -d $IPADDR $UNPRIVPORTS -l -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> -d time.server2.com 123 -l -j ACCEPT
>
>
># ------------------------------------------------------------------
>
> # OUTGOING TRACEROUTE
> # -------------------
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR 32769:65535 \
> -d $ANYWHERE 33434:33523 -j ACCEPT
>
>#
>#---------------------------------------------------------------------=======
># Unlimited traffic within the local network.
>
> # All internal machines have access to the firewall machine.
>
> ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -l -j ACCEPT
> ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -l -j ACCEPT
>
>#
>#---------------------------------------------------------------------=======
># Masquerade internal traffic.
>
> # All internal traffic is masqueraded externally.
>
> ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
>
>
>#
>#---------------------------------------------------------------------=======
># Enable logging for selected denied packets
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -l -j DENY
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $PRIVPORTS -l -j DENY
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp -d $IPADDR $UNPRIVPORTS -l -j DENY
>
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 5 -d $IPADDR -l -j DENY
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> -s $ANYWHERE 13:18 -d $IPADDR -l -j DENY
>
>#
>#---------------------------------------------------------------------=======
>
>echo "done"
>
>exit 0
>
>#
>#---------------------------------------------------------------------=======
># NOTE for DHCP users:
>#
># The following is an example "/etc/sysconfig/network-scripts/ifdhcpc-done".
># DHCP clients through at least version "dhcpcd-0.70-2" used the "-c"
># mechanism to specify a program to execute whenever dhcpcd successfully
># received an IP address.
>#
># As presented, the example "ifdhcpc-done" updates your host IP address in
># /etc/hosts and updates the NAMESERVER definitions in the hostinfo file.
>#
>#-------------------------------- CUT HERE ---------------------------
>#!/bin/sh -x
>
># Get the pid of the process which is waiting for this to complete.
># If the wait file doesn't exist, either the parent timed out, or
># the dhcp server is issuing a new IP address.
>
>SLEEPPIDFILE=/var/run/dhcp-wait-${IFNAME}.pid
>
>if [ -f $SLEEPPIDFILE ]; then
> SLEEPPID=`cat $SLEEPPIDFILE`
> rm -f $SLEEPPIDFILE
> kill $SLEEPPID
>else
> echo "DHCP is configured, but ifup may have timed out." >
/dev/console
>fi
>
>#---------------------------------------------------------------------
># RedHat Versions thru 5.2 use /etc/dhcpc/hostinfo-eth0
># Future releases (RedHat development releases) use /etc/dhcpc/dhcpcd-eth0.info
>
>if [ -f /etc/dhcpc/hostinfo-eth0 ]; then
> hostinfo="/etc/dhcpc/hostinfo-eth0"
>elif [ -f /etc/dhcpc/dhcpcd-eth0.info ]; then
> hostinfo="/etc/dhcpc/dhcpcd-eth0.info"
>else
> echo "DHCP is configured, but ifup may have timed out." > /dev/console
> exit 1
>fi
>
># get the hostinfo
>. $hostinfo
>
># Update domainname
>domain=`fgrep domain /etc/dhcpc/resolv.conf | sed -e "s/domain //"`
>domainname $domain
>
># Update /etc/hosts
># Some services will break without this, unless you use localhost (eg. pop)
>
>sed -e "s/^.*YOU/$IPADDR YOU.$domain YOU/" /etc/hosts > /var/tmp/hosts
>cp /var/tmp/hosts /etc/hosts
>rm /var/tmp/hosts
>
>#---------------------------------------------------------------------
># Update $hostinfo with the current nameservers from /etc/resolv.conf.
># Thanks to Roger Goun for the idea of appending these to $hostinfo and
># getting rid of the temporary file.
>
>let cnt=1
>fgrep nameserver /etc/dhcpc/resolv.conf | sed -e "s/nameserver //" |
> while read naddr
> do
> echo NAMESERVER_$cnt="$naddr" >> $hostinfo
> let cnt=$cnt+1
> done
>
>#---------------------------------------------------------------------
>
>cp /etc/dhcpc/resolv.conf /etc
>
>sh /etc/rc.d/rc.firewall
>echo "Firewalling enabled." > /dev/console
>
>To send me email, replace 'nospam' with 'home'.
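Two behaviours of the quoted script can be checked offline without ipchains: the anti-spoofing DENY rules sit at the top of the input chain, and a reply from an NNTP server other than $NEWS_SERVER matches none of the per-service ACCEPT rules and falls through to the logging DENY at the end (the "blocked and you don't really know why" case above; the -l flag means the drop does show up in the kernel log). The following first-match evaluator for the ipchains option subset the script uses is an added example, not code from the digest or from Robert Ziegler's script; the VARS values, the three rules and the packet addresses are constructed stand-ins.

```python
import ipaddress
import shlex

VARS = {  # constructed stand-ins for the script's "EDIT THESE" block
    "EXTERNAL_INTERFACE": "eth0", "IPADDR": "123.45.67.89", "ANYWHERE": "any/0",
    "CLASS_C": "192.168.0.0/16", "NEWS_SERVER": "203.0.113.7",
    "UNPRIVPORTS": "1024:65535",
}

def expand(line):  # substitute $VAR references the way the shell would
    for name, value in VARS.items():
        line = line.replace("$" + name, value)
    return line

def to_net(spec):  # ipchains accepts 'any/0', a bare host, or a CIDR block
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any/0" else spec, strict=False)

def port_ok(spec, port):  # spec is None (any), "N", or "LO:HI" (ipchains range)
    lo, _, hi = (spec or "0:65535").partition(":")
    return int(lo) <= port <= int(hi or lo)

SIMPLE = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}

def parse_rule(line):
    """Parse one 'ipchains -A ...' line into a rule dict (options this script uses)."""
    toks = shlex.split(expand(line))
    r = dict(chain=None, iface=None, proto=None, src=None, sport=None,
             dst=None, dport=None, syn=None, log=False, target=None)
    i = 1  # skip the 'ipchains' word
    while i < len(toks):
        t = toks[i]
        if t in SIMPLE:
            r[SIMPLE[t]] = toks[i + 1]; i += 2
        elif t in ("-s", "-d"):
            side = "src" if t == "-s" else "dst"
            r[side] = to_net(toks[i + 1]); i += 2
            if i < len(toks) and not toks[i].startswith(("-", "!")):  # optional port
                r["sport" if side == "src" else "dport"] = toks[i]; i += 1
        elif t == "-y":  # match only SYN packets (new connections)
            r["syn"] = True; i += 1
        elif t == "!" and toks[i + 1] == "-y":  # match everything except SYN
            r["syn"] = False; i += 2
        elif t == "-l":  # log the match to the kernel log
            r["log"] = True; i += 1
        else:
            raise ValueError("unsupported option: " + t)
    return r

def matches(r, p):  # unset rule fields match any packet
    return (r["chain"] == p["chain"]
            and r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and (r["src"] is None or ipaddress.ip_address(p["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(p["dst"]) in r["dst"])
            and port_ok(r["sport"], p["sport"]) and port_ok(r["dport"], p["dport"])
            and r["syn"] in (None, p["syn"]))

def evaluate(rules, p, policy="DENY"):
    """First matching rule wins: returns (target, rule index, logged?)."""
    for n, r in enumerate(rules):
        if matches(r, p):
            return r["target"], n, r["log"]
    return policy, None, False  # fell through to the chain's default policy

# Same order as the script: anti-spoofing first, per-service ACCEPT, then the
# catch-all logging DENY that ends the input chain.
RULES = [parse_rule(l) for l in [
    "ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -l -j DENY",
    "ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $NEWS_SERVER 119 "
    "-d $IPADDR $UNPRIVPORTS -l -j ACCEPT",
    "ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -d $IPADDR -l -j DENY",
]]

def news_reply(src):  # non-SYN reply from an NNTP server (port 119) to a client port
    return dict(chain="input", iface="eth0", proto="tcp", src=src, sport=119,
                dst="123.45.67.89", dport=4321, syn=False)
```

evaluate(RULES, news_reply("203.0.113.7")) returns ('ACCEPT', 1, True), while the same reply from a second, redirected server returns ('DENY', 2, True): the catch-all rule, logged.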
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.networking) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Networking Digest
******************************