On Fri, 31 Mar 2000, Craig White wrote:

> thinking that this discussion might be of interest to others and not wanting
> to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
> Linux systems on the internet, I am lobbing up softballs for weak hitters to
> hit out of the park.
>
> 1 - if I create a chain ruleset
>
> default policy deny
> accept TCP/UDP port 25, 110, 80
> reject TCP/UDP ports 1:1024

You could specifically block incoming TCP connections above 1024 as well.
Also, the ipchains HOWTO suggests blocking one of the ICMP types. Type 5, I
believe...

> does this adequately protect all but mail & www from things
> like BIND & FTP exploitation attacks?
>
> 2 - does it then make sense to use tcpd to protect the exposed services?

I think so. If your chains get screwed up you still have other mechanisms to
keep you safe. I don't like trusting only one mechanism, especially on a
firewall.

I also comment out all services in /etc/inetd.conf as well as disabling inetd
just in case it gets turned on again.

ciao,

der.hans
--
# +++++++++++=================================+++++++++++ #
# der.hans@LuftHans.com www.excelco.com #
# http://home.pages.de/~lufthans/ #
# I've got a photographic memory, #
# but I'm lousy photographer. - der.hans #
# ===========+++++++++++++++++++++++++++++++++=========== #
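Craig's ruleset plus the two additions der.hans suggests, written out as an ipchains input-chain script. This is an added example, not code from the thread; the interface name eth0 and the address 192.0.2.10 are assumed placeholders, and the script prints the rules for review rather than loading them unless run with --apply.

```shell
#!/bin/sh
# Added example: ipchains rules for "default deny, accept 25/110/80,
# reject 1:1024", plus an explicit block on inbound TCP connections
# above 1024 and a block on ICMP type 5 (redirect).
EXT_IF=eth0          # assumed external interface
EXT_IP=192.0.2.10    # assumed host address (documentation range)

# Emit the rules as text. ipchains is first-match, so order matters:
# ACCEPTs for exposed services must precede the REJECT of 1:1024.
emit_rules() {
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
# ICMP type 5 (redirect): for ICMP, ipchains reads the -s "port" as the type.
ipchains -A input -p icmp -s 0/0 5 -j DENY -l
# Exposed services. SMTP, POP3 and HTTP are TCP-only, so the UDP accepts
# from the original ruleset are deliberately not opened here.
ipchains -A input -p tcp -d $EXT_IP 25 -j ACCEPT
ipchains -A input -p tcp -d $EXT_IP 110 -j ACCEPT
ipchains -A input -p tcp -d $EXT_IP 80 -j ACCEPT
# Everything else in the privileged range is rejected (ICMP unreachable) and logged.
ipchains -A input -p tcp -d $EXT_IP 1:1024 -j REJECT -l
ipchains -A input -p udp -d $EXT_IP 1:1024 -j REJECT -l
# Inbound TCP *connections* above 1024: -y matches SYN-only packets, so this
# denies new connections while the "! -y" rule below still lets replies to
# the host's own outbound connections through (ipchains is stateless).
ipchains -A input -i $EXT_IF -p tcp -y -d $EXT_IP 1025:65535 -j DENY -l
ipchains -A input -p tcp ! -y -d $EXT_IP 1025:65535 -j ACCEPT
# UDP above 1024 falls through to the default DENY, which also drops DNS
# replies; add a narrow rule for your resolver if the host needs lookups.
EOF
}

if [ "${1:-}" = "--apply" ]; then
    emit_rules | sh          # load the rules (needs root and ipchains)
else
    emit_rules               # review mode: just print them
fi
```

tcpd (hosts.allow/hosts.deny) then sits behind the three accepted ports as the second mechanism der.hans describes.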