
Re: Firewall setting



P.S.  This is my /etc/sysconfig/ipchains:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT

The first rule allows tcp port 25 (smtp)
The second allows tcp port 22 (ssh)
The third probably allows everything on loopback (just a guess,
I haven't read the docs myself).
4 rejects everything <1023 tcp
5 rejects 2049 tcp
6 rejects everything <1023 udp
7 rejects 2049 udp
8 rejects 6000-6009 tcp (X uses these ports)
9 rejects 7100 tcp (don't know what that is offhand).

This is the medium security firewalling in Red
Hat 7.1, plus my customizations to allow 25 and 22.

These rules operate on a first-match-exits principle,
so if an ssh connection comes in, all rules after 
the second one will not be processed.  If an http
connection comes in, it will get as far as rule 4, 
which will match it as a reject (80 tcp).  

Ordering is important; if the rules allowing 22 and 25
were positioned after rule 4, 22 and 25 would still
be filtered because the rejection of 0-1023 tcp would
come first, 22 and 25 would match, and rule processing
would exit.

So if you write your own, the quick and dirty is to put
your accepts first.  If you anticipate most of your
traffic to be port 80 tcp (http), put that one ahead of
port 22.  You should be able to just copy the rule
allowing 22 or 25 in the ruleset above and change the 
port to 80 if you want to allow http connections to your
box.  But do read the docs anyway, and don't believe anything
I've said here until you've verified it :-)

Jonathan
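The first-match behaviour described in the mail can be checked without an ipchains kernel. The following is an added example, not code from Jonathan's mail or from lokkit: a small Python simulator that parses the nine `-A input` lines above (only the options they use: `-p`, `-s`, `-d` with an optional port or range, `-i`, `-y`, `-j`), walks them top to bottom, and stops at the first match, falling through to the `:input ACCEPT` policy when nothing matches. The `misordered()` helper reproduces the mistake the mail warns about, the two port ACCEPT rules moved below the `tcp 0:1023` REJECT. The packets in `samples` are constructed, with addresses from the documentation ranges, not captured traffic; `-y` is modelled as "only TCP packets with SYN set", which is what makes the stateless ruleset let replies to outbound connections through.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

# The '-A input' lines from the /etc/sysconfig/ipchains quoted in the mail.
RULESET = """\
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
"""
INPUT_POLICY = "ACCEPT"  # ':input ACCEPT' in the same file: verdict when no rule matches

@dataclass
class Rule:
    proto: Optional[str]               # -p: 'tcp', 'udp' or None for any protocol
    src: ipaddress.IPv4Network         # -s
    dst: ipaddress.IPv4Network         # -d
    dports: Optional[Tuple[int, int]]  # port or range given after -d, inclusive; None = any
    iface: Optional[str]               # -i: interface name, None = any
    syn_only: bool                     # -y: only TCP packets with SYN set (new connections)
    target: str                        # -j: ACCEPT or REJECT

# Constructed packet for the simulator (not a captured packet).
Packet = namedtuple("Packet", "proto src dst dport iface syn", defaults=("eth0", True))

def _parse_net(spec):
    addr, _, plen = spec.partition("/")  # ipchains shorthand '0/0' means any address
    return ipaddress.ip_network(f"{'0.0.0.0' if addr == '0' else addr}/{plen or 32}", strict=False)

def _parse_ports(spec):
    lo, _, hi = spec.partition(":")      # '25' or '0:1023'
    return int(lo), int(hi or lo)

def parse_rule(line):
    toks = line.split()                  # toks[:2] is '-A input' for every rule above
    proto = iface = target = None
    src = dst = _parse_net("0/0")
    dports, syn_only, i = None, False, 2
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            proto, i = toks[i + 1], i + 2
        elif t in ("-s", "-d"):
            net, ports, i = _parse_net(toks[i + 1]), None, i + 2
            if i < len(toks) and toks[i][0].isdigit():   # optional port after the address
                ports, i = _parse_ports(toks[i]), i + 1
            if t == "-s":
                src = net                                # source ports ignored in this toy
            else:
                dst, dports = net, ports
        elif t == "-i":
            iface, i = toks[i + 1], i + 2
        elif t == "-y":
            syn_only, i = True, i + 1
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported option {t!r}")
    return Rule(proto, src, dst, dports, iface, syn_only, target)

def load_rules(text=RULESET):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.dports is None or rule.dports[0] <= pkt.dport <= rule.dports[1])
            and (rule.iface is None or rule.iface == pkt.iface)
            and (not rule.syn_only or (pkt.proto == "tcp" and pkt.syn)))

def evaluate(rules, pkt, policy=INPUT_POLICY):
    # First match wins: returns (verdict, 1-based rule number), or (policy, None).
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.target, n
    return policy, None

def misordered(rules):
    # The mistake the mail warns about: the two port ACCEPTs placed below rule 4.
    return rules[2:4] + rules[0:2] + rules[4:]

if __name__ == "__main__":
    samples = {  # constructed packets, documentation addresses
        "smtp SYN": Packet("tcp", "192.0.2.10", "198.51.100.5", 25),
        "ssh SYN": Packet("tcp", "192.0.2.10", "198.51.100.5", 22),
        "http SYN": Packet("tcp", "192.0.2.10", "198.51.100.5", 80),
        "tcp 8080 SYN": Packet("tcp", "192.0.2.10", "198.51.100.5", 8080),
    }
    for label, rs in (("as posted", load_rules()), ("accepts after rule 4", misordered(load_rules()))):
        print("---", label)
        for name, pkt in samples.items():
            verdict, n = evaluate(rs, pkt)
            print(f"{name:13s} -> {verdict:6s} (rule {n or 'policy'})")
```

Run as posted, ssh and smtp SYNs stop at rules 2 and 1 and http stops at rule 4; with the two ACCEPTs moved below the `0:1023` REJECT, ssh and smtp are rejected by what is now rule 2, exactly as the mail says. Two consequences of this ruleset worth noticing when reading the output: a SYN to a port above 1023 that no rule names (8080 here) is accepted by the chain policy, and a non-SYN TCP packet never matches any `-y` rule, so it is also accepted by policy.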

