On Wed, 16 Nov 2005 20:22:24 +0100 (CET) "Barbara M." <[EMAIL PROTECTED]> wrote:
> > 4. Put iptables.
> 
> As far as I know, the box has only ports 80, 443, 21 forwarded from the
> firewall ...
> Are iptables still useful?

If your apache doesn't need access to other webservers/IPs/whatever, you can try this:

    # dedicated chain for packets generated by the httpd user
    iptables -N httpdout
    iptables -A httpdout -o lo -j ACCEPT
    # replies on connections that already exist (e.g. to port 80/443 clients)
    iptables -A httpdout -m state --state ESTABLISHED -j ACCEPT
    # DNS lookups
    iptables -A httpdout -p udp --dport 53 -j ACCEPT
    # everything else is refused
    iptables -A httpdout -p tcp -j REJECT --reject-with tcp-reset
    iptables -A httpdout -p udp -j REJECT
    iptables -A httpdout -j DROP
    # hook the chain into OUTPUT for packets owned by the httpd uid
    iptables -A OUTPUT -m owner --uid-owner httpd -j httpdout

This would prevent apache from accessing any service other than DNS. With modifications it is also good for securing every other daemon that runs non-root.

cheers
Olaf

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
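The per-daemon egress chain from the reply above, generalised to any non-root service user and an explicit list of allowed outbound TCP ports (e.g. a database the daemon must reach). This is an added example, not code from the post or from Trustix; the function names `egress_chain` and `rule_count`, the argument layout and the "emit rules, then pipe to sh" approach are assumptions of this example.

```shell
#!/bin/sh
# egress_chain USER CHAIN [TCP_PORT...]
# Prints the iptables commands that confine outbound traffic of USER to
# loopback, replies on established connections, DNS and the listed TCP ports.
# Apply with:  egress_chain httpd httpdout | sh
# (names/arguments are this example's own assumptions, not from the post)
egress_chain() {
    user=$1; chain=$2; shift 2
    echo "iptables -N $chain"
    echo "iptables -A $chain -o lo -j ACCEPT"
    # Replies on connections the daemon did not initiate (its own clients on
    # 80/443) are ESTABLISHED and pass; brand-new outbound connections do not.
    echo "iptables -A $chain -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A $chain -p udp --dport 53 -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port -j ACCEPT"
    done
    # Reject with RST so a misconfigured daemon fails fast instead of hanging,
    # then drop whatever is left (ICMP etc.).
    echo "iptables -A $chain -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A $chain -p udp -j REJECT"
    echo "iptables -A $chain -j DROP"
    # The owner match only exists for locally generated packets, hence OUTPUT.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j $chain"
}

# rule_count USER CHAIN [TCP_PORT...]
# Number of rules placed in CHAIN itself (excluding the OUTPUT hook); useful
# to sanity-check the generated policy before piping it to sh.
rule_count() {
    egress_chain "$@" | grep -c "^iptables -A $2 "
}

if [ $# -gt 0 ]; then
    egress_chain "$@"
fi
```

The `-m state` match is kept as in the post; on current kernels the equivalent is `-m conntrack --ctstate ESTABLISHED`.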
