> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE \
>     $UNPRIVPORTS -d $ANYWHERE 22 -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 22 \
>     -d $ANYWHERE $UNPRIVPORTS -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE $SSH_PORTS \
>     -d $ANYWHERE 22 -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $ANYWHERE 22 \
>     -d $ANYWHERE $SSH_PORTS -j ACCEPT
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -s $ANYWHERE 22 -j ACCEPT
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -d $ANYWHERE 22 -j ACCEPT
>
> Where:
> ANYWHERE="any/0"
> PRIVPORTS="0:1023"
> UNPRIVPORTS="1024:65535"
> SSH_PORTS="1022:1023"
>
> Can you tell me where the problem is? The rules look correct to me
> for the server.
> Thx!
>
And what do you do if someone behind a router that does MASQ tries from
a port != 1022 && != 1023? Btw, I have the bad habit of passing "-v" as
an option to ssh, and I have seen it report 1018 and 1019 as well under
"Allocated local port".
Besides, if you have good rules on input, I don't think it is strictly
necessary to put rules on output too. And if you want to figure out what
the catch is and where ssh gets stuck, put a -l at the end of all the rules
above and keep an eye on /var/log/messages; it won't hurt.
Camelia
---
Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
unsubscribe from this list.
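The following is an added example, not code from either message in the thread. It models a small subset of ipchains matching (chain, source/destination port range, the `-y` SYN test, first-match-wins with a DENY policy) in Python and replays the quoted server-side rules against a few constructed connection attempts. It shows the point Camelia raises: a client whose local port is 1018, or a client behind a masquerading router (port 61000 here is a constructed sample), never matches the `$SSH_PORTS` rule, and an ordinary unprivileged-port client fails too because the first rule only accepts non-SYN packets. The `FIXED_RULES` set is a suggestion of this example, not from the thread: it matches on the destination port the server listens on and uses `! -y` on output so the server can answer but not initiate.

```python
# Simplified model of ipchains rule evaluation (added example, not from the
# original thread). Only the fields needed for the SSH rules are modelled.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    chain: str   # "input" or "output"
    sport: int   # source port
    dport: int   # destination port
    syn: bool    # True if SYN set and ACK clear (what ipchains "-y" matches)


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                        # "ACCEPT" or "DENY"
    sport: Optional[PortRange] = None  # source port range, None = any
    dport: Optional[PortRange] = None  # destination port range, None = any
    syn: Optional[bool] = None         # True = "-y", False = "! -y", None = don't care

    def matches(self, pkt: Packet) -> bool:
        if pkt.chain != self.chain:
            return False
        if self.sport is not None and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Port variables exactly as defined in the quoted message.
UNPRIVPORTS = (1024, 65535)
SSH_PORTS = (1022, 1023)
SSH = (22, 22)

# The quoted server-side rules, in the same order (the two client-side rules
# for outgoing ssh sessions are left out because they do not affect inbound SSH).
QUOTED_RULES = [
    Rule("input",  "ACCEPT", sport=UNPRIVPORTS, dport=SSH, syn=False),
    Rule("output", "ACCEPT", sport=SSH, dport=UNPRIVPORTS),
    Rule("input",  "ACCEPT", sport=SSH_PORTS, dport=SSH),
    Rule("output", "ACCEPT", sport=SSH, dport=SSH_PORTS, syn=False),
]

# Suggested replacement (assumption of this example): match only on the port the
# server listens on; "! -y" on output lets the server reply but not open connections.
FIXED_RULES = [
    Rule("input",  "ACCEPT", dport=SSH),
    Rule("output", "ACCEPT", sport=SSH, syn=False),
]


def client_can_connect(rules: List[Rule], client_sport: int) -> bool:
    """Does the SYN of a new SSH connection from client_sport reach the server?"""
    syn = Packet("input", sport=client_sport, dport=22, syn=True)
    if evaluate(rules, syn) != "ACCEPT":
        return False
    # The SYN/ACK the server sends back must also be allowed out.
    reply = Packet("output", sport=22, dport=client_sport, syn=False)
    return evaluate(rules, reply) == "ACCEPT"


def server_can_initiate(rules: List[Rule], dport: int) -> bool:
    """Can the server itself open an outbound connection from port 22?"""
    return evaluate(rules, Packet("output", sport=22, dport=dport, syn=True)) == "ACCEPT"


if __name__ == "__main__":
    # Constructed sample source ports: 1023 (within SSH_PORTS), 1018 (seen by
    # Camelia with ssh -v), 40000 (ordinary unprivileged port), 61000 (typical
    # masqueraded port range start on an ipchains router).
    for port in (1023, 1018, 40000, 61000):
        print(port, "quoted:", client_can_connect(QUOTED_RULES, port),
              "fixed:", client_can_connect(FIXED_RULES, port))
```

Running it shows the quoted rule set admitting only the client from port 1023; with the destination-port-based rules every client gets in while the server still cannot start connections of its own from port 22.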