ipchains - sorry to flog this horse

der.hans PLUGd@LuftHans.com
Sat, 1 Apr 2000 01:14:45 -0700 (MST)


On Fri, 31 Mar 2000 sinck@corp.quepasa.com wrote:

> 
> 
> \_ thinking that this discussion might be of interest to others and not wanting
> \_ to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
> \_ linux systems on the internet, I am lobbing up softballs for weak hitters to
> \_ hit out of the park.
> \_ 
> \_ 1 - if I create a chain ruleset
> \_ 
> \_     default policy deny
> \_     accept TCP/UDP port 25, 110, 80

Port 25 should be accept tcp from port 25 and port >1024. Actually, are
reserved ports 0-1023 or 1-1024? Greater than the upper end of whatever
the correct range is :).

Pop uses udp? In any case, I believe only unprivileged port clients will
be connecting to it, e.g. only coming from >1024.

For http there should only be tcp requests from >1024.

> \_     reject TCP/UDP ports 1:1024
> \_ 
> \_     does this adequately protect all but mail & www from things
> \_     like BIND & FTP exploitation attacks?
> 
> I'm pretty sure you're gonna want 53 in there... otherwise it'll be
> harder to resolve hostnames.

For dns requests from outside world:

allow udp/tcp from 53 and >1024
allow to udp/tcp 53

Replace 1024 with 1023 as appropriate if the range turns out to be 0-1023
:).

ciao,

der.hans
-- 
# +++++++++++=================================+++++++++++ #
#  der.hans@LuftHans.com                  www.excelco.com #
#            http://home.pages.de/~lufthans/              #
#         Science is magic explained. - der.hans          #
# ===========+++++++++++++++++++++++++++++++++=========== #
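The ruleset discussed in this thread (default deny, accept mail/pop/www from unprivileged client ports, let DNS through, reject the rest of the reserved range), written out as ipchains commands. This is an added example, not part of the original mail: the host address 192.0.2.10 is a constructed placeholder, the unprivileged range is taken as 1024:65535 (reserved ports are 0-1023), the `! -y` restriction on TCP replies from port 53, the `-l` logging on the final reject rules and the rules for a name server on the host itself are additions to the rules the mail lists. By default the script only prints the commands; set IPCHAINS=ipchains to apply them.

```shell
#!/bin/sh
# Added example: ipchains "input" chain for a mail/pop/www host.
# IPCHAINS defaults to a dry run that prints the commands.
IPCHAINS="${IPCHAINS:-echo ipchains}"
MYIP="${MYIP:-192.0.2.10}"        # constructed placeholder address
UNPRIV="1024:65535"               # unprivileged client source ports

# Emit (or apply) the whole ruleset.
gen_rules() {
    # Start clean; the default policy denies whatever no rule accepts.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Local daemons (MTA, resolver) talk to themselves over loopback.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Services offered: clients must come from an unprivileged source port.
    for port in 25 80 110; do
        $IPCHAINS -A input -p tcp -s 0.0.0.0/0 $UNPRIV -d $MYIP $port -j ACCEPT
    done

    # DNS replies to our resolver: source port 53, destination unprivileged.
    # For TCP only the non-SYN half (! -y), i.e. no new inbound connections.
    $IPCHAINS -A input -p udp      -s 0.0.0.0/0 53 -d $MYIP $UNPRIV -j ACCEPT
    $IPCHAINS -A input -p tcp ! -y -s 0.0.0.0/0 53 -d $MYIP $UNPRIV -j ACCEPT

    # Queries to a name server on this host (drop these two if none runs here).
    $IPCHAINS -A input -p udp -s 0.0.0.0/0 -d $MYIP 53 -j ACCEPT
    $IPCHAINS -A input -p tcp -s 0.0.0.0/0 -d $MYIP 53 -j ACCEPT

    # Everything else aimed at a reserved port: log it (-l) and reject, so
    # probes show up in syslog instead of silently hitting the DENY policy.
    $IPCHAINS -A input -p tcp -d $MYIP 0:1023 -l -j REJECT
    $IPCHAINS -A input -p udp -d $MYIP 0:1023 -l -j REJECT
}

# Sanity check: how many ACCEPT rules does the ruleset open? (dry run only)
count_accepts() {
    (IPCHAINS="echo ipchains"; gen_rules) | grep -c -- '-j ACCEPT'
}

# Sanity check: does every service rule restrict the client source port?
service_rules_restricted() {
    (IPCHAINS="echo ipchains"; gen_rules) \
        | grep -- "-d $MYIP 25 \|-d $MYIP 80 \|-d $MYIP 110 " \
        | grep -v -c -- "-s 0.0.0.0/0 $UNPRIV " 
}

gen_rules
```

Run it once as a dry run and read the output before setting IPCHAINS=ipchains; the two check functions make the two properties the thread cares about (a small number of explicit accepts, and no service reachable from a reserved source port) visible without touching the kernel.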