ipchains - sorry to flog this horse

Craig White CraigWhite@AzApple.com
Fri, 31 Mar 2000 10:51:52 -0700


> -----Original Message-----
> From: plug-discuss-admin@lists.plug.phoenix.az.us
> [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of
> sinck@corp.quepasa.com
> Sent: Friday, March 31, 2000 10:42 AM
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: ipchains - sorry to flog this horse
>
>
>
>
> \_ thinking that this discussion might be of interest to others
> and not wanting
> \_ to abuse Mike Sheldon or Jean Francois...but I am feeling like
> by installing
> \_ linux systems on the internet, I am lobbing up softballs for
> weak hitters to
> \_ hit out of the park.
> \_
> \_ 1 - if I create a chain ruleset
> \_
> \_     default policy deny
> \_     accept TCP/UDP port 25, 110, 80
> \_     reject TCP/UDP ports 1:1024
> \_
> \_     does this adequately protect all but mail & www from things
> \_     like BIND & FTP exploitation attacks?
>
> I'm pretty sure you're gonna want 53 in there... otherwise it'll be
> harder to resolve hostnames.
>
> If you're using mysql, add tcp 3306 -y -j REJECT to keep it happy.
>
> If you're using X, add 6000:6009 -y -j REJECT and 7100 -y -j REJECT to
> keep the Xsessions highly protected as well as the font server.
>
> I like reject better because I think that makes attempts "go away"
> faster.  But I'd be more than willing to change my opinion if someone
> *knows*.  :-)
>
> David
---
Thanks, David.

I am only supplying DNS to the internal network so I can block port 53 on
the external interface without issue I think. I should have specified that
the rules that I was discussing were for the external interface.

And the little bit I have learned about the difference between DENY & REJECT
is that REJECT will end the discussion because it sends a message back, but
DENY makes it look dumb and disguises the nature of services running. As I
wrote to Mike, the amount that I have learned thus far has taught me that I
know far too little so I am guilty of using this message board to further my
understanding.

Thanks

Craig
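The ruleset discussed in this thread, written out as a reviewable script. This is an added example, not code from the thread or from the ipchains documentation: it confines the rules to the external interface, leaves port 53 closed there as Craig describes, folds in David's -y (SYN-only) and MySQL/X port suggestions, and makes the DENY-versus-REJECT choice a parameter. The interface names and the helper names are assumptions.

```shell
#!/bin/sh
# Emit an ipchains ruleset for the external interface as shell commands so it
# can be reviewed before loading:  gen_rules eth0 DENY eth1 | sh
# Interface names and function names are assumptions of this example.

rule() { printf 'ipchains %s\n' "$*"; }

# $1 external interface, $2 target for unwanted traffic, $3 internal interface.
# DENY drops silently (the port looks absent; the peer waits for a timeout),
# REJECT answers with an ICMP error so the peer gives up immediately.
gen_rules() {
    ext="$1"; unwanted="${2:-DENY}"; int="${3:-}"
    rule -F input
    rule -P input DENY                 # closed by default
    rule -A input -i lo -j ACCEPT      # loopback is trusted
    if [ -n "$int" ]; then rule -A input -i "$int" -j ACCEPT; fi   # internal side trusted
    # Public services: -y matches only SYN packets, i.e. new connections.
    for p in 25 80 110; do
        rule -A input -i "$ext" -p tcp -d 0.0.0.0/0 "$p" -y -j ACCEPT
    done
    # Port 53 is intentionally absent here: DNS is served to the internal
    # network only, so it is reachable on the internal interface alone.
    # Other privileged ports: refuse new TCP connections and unsolicited UDP.
    # (If this host's own resolver queries from a privileged source port,
    # the replies arrive on that port and need an ACCEPT above this line.)
    rule -A input -i "$ext" -p tcp -d 0.0.0.0/0 1:1024 -y -j "$unwanted"
    rule -A input -i "$ext" -p udp -d 0.0.0.0/0 1:1024 -j "$unwanted"
    # Unprivileged ports named in the thread: MySQL, X displays :0-:9, xfs.
    for range in 3306 6000:6009 7100; do
        rule -A input -i "$ext" -p tcp -d 0.0.0.0/0 "$range" -y -j "$unwanted"
    done
    # Non-SYN TCP (replies to connections this host opened) and the remaining
    # high ports are let through.
    rule -A input -i "$ext" -j ACCEPT
}
```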