Tyler: I think most people on the list would recommend a drop-all policy on all chains, and then open up what is required to achieve your goals. After all, the whole purpose of a firewall is to give your system as much as possible.
Ramin: My version of the syn rule allows 5/s and I think a burst of 10 or 20. I didn't check the burst limit. Does that sound reasonable?

Stu...........

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tyler Kemp
Sent: May 9, 2002 3:52 PM
To: Ramin Alidousti
Cc: [EMAIL PROTECTED]
Subject: RE: (no subject)

>> #setup NAT
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>>
>> #forward chain
>>
>> #syn flood limiting
>> iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
>> iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
>>
>> #enable ip forwarding
>> echo 1 > /proc/sys/net/ipv4/ip_forward

> This is the relevant portion. Except for the fact that the limits
> are too tight everything else looks good. What is the default
> policy of the FORWARD chain?
>
> Ramin

I have no default policy for FORWARD. The friend from whom I received these rulesets informs me it isn't needed. He uses a carbon copy of the same rules, with no problems.

Tyler
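The two points raised in the thread, a deny-by-default policy on the built-in chains and a SYN rate limit with a burst, combined into one runnable ruleset. This is an added example, not a script posted by Tyler, Ramin or Stu; the interface names (ppp0, eth0), the 5/s rate and the burst of 10 are assumptions. Every rule goes through `$IPT`, so the set can be previewed without root by setting `IPT=echo`. The reason the default policy matters: a `-m limit ... -j ACCEPT` rule accepts only the packets within the rate, and does nothing to the rest. If the chain then falls through to the built-in ACCEPT policy (what "no default policy" means), the excess SYNs are accepted anyway and the limit rule limits nothing. With `-P FORWARD DROP` the excess is dropped, which is the behaviour the rule was written for.

```shell
#!/bin/sh
# Added example, not from the list thread. Interface names, rate and
# burst are assumptions; override them in the environment if needed.
IPT="${IPT:-iptables}"          # set IPT=echo to preview the rules
WAN="${WAN:-ppp0}"              # as in the posted NAT rule
LAN="${LAN:-eth0}"              # assumed inside interface
SYN_RATE="${SYN_RATE:-5/s}"     # Stu's value
SYN_BURST="${SYN_BURST:-10}"    # assumed; Stu was unsure of his burst

# Emit (or install) the complete ruleset. Order matters: the policy
# is set first, so anything not explicitly accepted below is dropped.
build_rules() {
    $IPT -F
    $IPT -t nat -F

    # 1. Default policies: drop, then open only what is required.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # 2. NAT for the LAN behind the PPP link (the posted rule).
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # 3. Replies and already-established flows pass without limiting.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. New TCP connections from the LAN out, SYN rate-limited.
    #    SYNs beyond rate+burst match nothing below and hit the DROP
    #    policy; that policy is what makes the limit effective.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --syn \
        -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j ACCEPT

    # 5. New non-TCP traffic from the LAN out (UDP, ICMP). TCP is
    #    excluded here on purpose: a plain "--state NEW" rule would
    #    also match the over-limit SYNs and accept them after all.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" ! -p tcp -m state --state NEW -j ACCEPT

    # 6. Minimal INPUT: loopback and replies to the box's own traffic.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Routing between the interfaces, as in the posted rules.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Preview: print the rules one per line instead of installing them.
# A subshell keeps the IPT override from leaking out of the function.
dry_run() {
    ( IPT=echo; build_rules )
}

# Helpers to inspect the preview; useful as a sanity check before
# applying a ruleset on a remote box.
forward_policy() {
    dry_run | sed -n 's/^-P FORWARD //p'
}

syn_rule_count() {
    dry_run | grep -c -- '--syn'
}

# Install only when asked explicitly (requires root).
if [ "${1:-}" = "apply" ]; then
    build_rules
    enable_forwarding
fi
```

Run `sh fw.sh apply` as root to install the rules, or `sh -c '. ./fw.sh; dry_run'` to print them. The preview is the useful check when reviewing someone else's "carbon copy" ruleset: if `forward_policy` does not print `DROP`, the limit rules in it are cosmetic.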