> >Sorry, no I don't think so.  If you set input to DENY, then input is
> >DENIED.  No rule you put after that makes any difference.  Read the fine
> >man page.  man ipchains is pretty good.  What I said was, if you don't
> >specify an interface, the rule applies to any and all interfaces.  DENY
> >is final.  That is the last you will hear from that packet.

(For some reason I didn't see the above reply.) But to answer it: yes, I have
read the man page several times.

> Depends on what the original poster means by "set". If he means set the
> default policy to DENY ... the default policy gets checked only *after* all
> the specific rules get run, so he can easily open specific sources,
> destinations, ports, or whatever with specific rules. If, on the other hand,
> he begins with a broad DENY *rule* (as distinct from a DENY *policy*), that
> rule will be at the top of the ruleset (unless he explicitly inserts it
> elsewhere) and will block all traffic before it gets to the rest of the
> rules.

Everything I have read suggests setting "ipchains -P input DENY" and then
placing "holes" in the ruleset for the services that I wish to allow; this makes
sense. I currently have my Linux machines behind an NT proxy which is
protected by Conseal firewall. I get a perfect score of 0 from DSL Reports,
and all of my Linux machines are able to access the internet. I would like to
replace my NT machine with a Linux box, but I think I'll wait until I have DSL
access before making the switch.


> So ... the problem here is an ambiguity in the original question.
>
> The actual problem that started this ... setting up rules specific to the
> ppp interface ... remains, and for some rules (anti-spoofing is the obvious
> example) there are good reasons to make them interface specific. I'll try
> later to come up with a suggestion for that part ... that one isn't a
> top-of-my-head solution, though I'm pretty sure there is one.

Yes, this was the original question, and anti-spoofing was the main reason I
wanted to be able to define the interface. The tools I have for building
rulesets all ask for an interface and warn against using the ANY interface
option because of possible spoofing attacks.


Thanks Again!


Scott Faulkner
[EMAIL PROTECTED]
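The two points argued over above (a DENY *policy* is consulted only after every rule has been tried, whereas a DENY *rule* at the top shadows everything appended after it; and anti-spoofing rules only work when bound to the outside interface) are easy to confuse without a box to try them on. The following is an added example, not code from anyone in this thread: a small Python model of the ipchains `input` chain that walks rules top-down with first-match-wins semantics and falls back to the chain policy, plus a renderer that prints the equivalent `ipchains` command lines. The interface layout is assumed for illustration: `ppp0` is the dial-up link to the Internet, `eth0` the LAN on 192.168.1.0/24, and TCP port 22 is the one service opened from outside. Addresses such as 203.0.113.5 are constructed sample input.

```python
"""Model of ipchains 'input' chain semantics (added example, not from the thread).

A chain is walked top-down; the first rule whose fields all match decides the
packet's fate.  The chain policy (ipchains -P) applies only if no rule matched.
"""
import ipaddress

# Assumed layout: ppp0 = dial-up link to the Internet, eth0 = LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
# Source ranges that can never legitimately arrive from the Internet on ppp0
# (RFC 1918 private space and loopback): classic anti-spoofing targets.
SPOOF_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def rule(target, iface=None, proto=None, src=None, dport=None, log=False):
    """One ipchains rule.  Fields left as None match anything (the 'ANY' case)."""
    return {"target": target, "iface": iface, "proto": proto,
            "src": ipaddress.ip_network(src) if src else None,
            "dport": dport, "log": log}


def matches(r, pkt):
    """True if every field the rule specifies agrees with the packet."""
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    if r["dport"] and r["dport"] != pkt.get("dport"):
        return False
    return True


def verdict(rules, policy, pkt):
    """First matching rule wins; the chain policy is reached only if none matched."""
    for r in rules:
        if matches(r, pkt):
            return r["target"]
    return policy


def to_ipchains(rules, policy, chain="input"):
    """Render the modelled ruleset as the ipchains commands that would install it."""
    lines = [f"ipchains -F {chain}", f"ipchains -P {chain} {policy}"]
    for r in rules:
        parts = [f"ipchains -A {chain}"]
        if r["iface"]:
            parts.append(f"-i {r['iface']}")
        if r["proto"]:
            parts.append(f"-p {r['proto']}")
        if r["src"]:
            parts.append(f"-s {r['src']}")
        if r["dport"]:
            parts.append(f"--destination-port {r['dport']}")
        if r["log"]:
            parts.append("-l")          # log the match via the kernel log
        parts.append(f"-j {r['target']}")
        lines.append(" ".join(parts))
    return lines


# What the thread recommends: policy DENY, anti-spoofing rules bound to ppp0
# first, then specific "holes" for the traffic we actually want.
GOOD_POLICY = "DENY"
GOOD_RULES = (
    [rule("DENY", iface="ppp0", src=str(n), log=True) for n in SPOOF_NETS]
    + [rule("ACCEPT", iface="lo"),
       rule("ACCEPT", iface="eth0", src=str(LAN)),
       rule("ACCEPT", iface="ppp0", proto="tcp", dport=22)]
)

# The mistake the first reply warned about: a blanket DENY *rule* at the top.
# Every hole appended after it is dead code, whatever the policy says.
BAD_POLICY = "DENY"
BAD_RULES = [rule("DENY")] + GOOD_RULES

# Why the rule-building tools warn against the ANY interface: the same
# anti-spoofing rules without "-i ppp0" also match the real LAN on eth0.
ANY_IFACE_RULES = (
    [rule("DENY", src=str(n), log=True) for n in SPOOF_NETS]
    + GOOD_RULES[len(SPOOF_NETS):]
)

# Constructed sample packets.
SSH_FROM_INTERNET = {"iface": "ppp0", "proto": "tcp", "src": "203.0.113.5", "dport": 22}
SMTP_FROM_INTERNET = {"iface": "ppp0", "proto": "tcp", "src": "203.0.113.5", "dport": 25}
SPOOFED_LAN_ON_PPP0 = {"iface": "ppp0", "proto": "tcp", "src": "192.168.1.7", "dport": 22}
REAL_LAN_ON_ETH0 = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.7", "dport": 22}


def demo():
    """Show the generated ipchains script and the verdicts for each ruleset."""
    print("\n".join(to_ipchains(GOOD_RULES, GOOD_POLICY)))
    for name, rules, policy in (("policy DENY + holes", GOOD_RULES, GOOD_POLICY),
                                ("DENY rule on top", BAD_RULES, BAD_POLICY),
                                ("anti-spoof on ANY iface", ANY_IFACE_RULES, GOOD_POLICY)):
        for label, pkt in (("ssh from Internet", SSH_FROM_INTERNET),
                           ("smtp from Internet", SMTP_FROM_INTERNET),
                           ("spoofed LAN src on ppp0", SPOOFED_LAN_ON_PPP0),
                           ("real LAN host on eth0", REAL_LAN_ON_ETH0)):
            print(f"{name:24} {label:24} -> {verdict(rules, policy, pkt)}")


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the three outcomes side by side: with the DENY policy and interface-bound anti-spoofing, SSH from outside is accepted, SMTP falls through to the policy and is denied, and a packet on ppp0 claiming a LAN source is dropped by the anti-spoofing rule while the same address on eth0 is accepted. With a blanket DENY rule first, nothing ever reaches the holes. With the anti-spoofing rules unbound from ppp0, the LAN's own traffic on eth0 is denied too, which is exactly why the tools warn against the ANY interface option.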

-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs