On Fri, 31 Mar 2000
sinck@corp.quepasa.com wrote:
>
>
> \_ thinking that this discussion might be of interest to others and not wanting
> \_ to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
> \_ linux systems on the internet, I am lobbing up softballs for weak hitters to
> \_ hit out of the park.
> \_
> \_ 1 - if I create a chain ruleset
> \_
> \_ default policy deny
> \_ accept TCP/UDP port 25, 110, 80
Port 25 should be accept tcp from port 25 and port >1024. Actually, are
reserved ports 0-1023 or 1-1024? Greater than the upper end of whatever
the correct range is :).
Pop uses udp? In any case, I believe only unprivileged port clients will
be connecting to it, e.g. only coming from >1024.
For http there should only be tcp requests from >1024.
> \_ reject TCP/UDP ports 1:1024
> \_
> \_ does this adequately protect all but mail & www from things
> \_ like BIND & FTP exploitation attacks?
>
> I'm pretty sure you're gonna want 53 in there... otherwise it'll be
> harder to resolve hostnames.
For dns requests from outside world:
allow udp/tcp from 53 and >1024
allow to udp/tcp 53
Replace 1024 with 1023 as appropriate if the range turns out to be 0-1023
:).
ciao,
der.hans
--
# +++++++++++=================================+++++++++++ #
# der.hans@LuftHans.com www.excelco.com #
# http://home.pages.de/~lufthans/ #
# Science is magic explained. - der.hans #
# ===========+++++++++++++++++++++++++++++++++=========== #
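As an added illustration that is not part of the thread, here is a small Python model of the chain discussed above: default policy deny, accept tcp to 25/110/80 only from port 25 (for SMTP) or from unprivileged source ports, allow DNS on 53, and reject everything else aimed at ports 1:1024. It treats 0-1023 as the reserved range (the standard IANA split) and the packets it classifies are constructed samples; rule names and the Packet/Rule types are this example's own.

```python
from dataclasses import dataclass
from typing import Callable, List

RESERVED_MAX = 1023  # reserved/privileged ports are 0-1023; >1023 is unprivileged


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    sport: int  # source port on the remote host
    dport: int  # destination port on the firewalled host


@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "reject"
    match: Callable[[Packet], bool]
    name: str


def unprivileged(port: int) -> bool:
    return port > RESERVED_MAX


# Constructed ruleset: the original proposal plus der.hans's amendments.
RULES: List[Rule] = [
    Rule("accept", lambda p: p.proto == "tcp" and p.dport == 25
         and (p.sport == 25 or unprivileged(p.sport)), "smtp"),
    Rule("accept", lambda p: p.proto == "tcp" and p.dport == 110
         and unprivileged(p.sport), "pop3"),
    Rule("accept", lambda p: p.proto == "tcp" and p.dport == 80
         and unprivileged(p.sport), "http"),
    Rule("accept", lambda p: p.dport == 53
         and (p.sport == 53 or unprivileged(p.sport)), "dns"),
    Rule("reject", lambda p: 1 <= p.dport <= 1024, "reserved-range"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES, policy: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the chain's default policy."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action
    return policy


if __name__ == "__main__":
    # Note that a high destination port (e.g. 6000) is never hit by the 1:1024
    # reject rule; only the default deny policy stops it.
    for pkt in (Packet("tcp", 4000, 25), Packet("tcp", 21, 21),
                Packet("udp", 53, 53), Packet("tcp", 5000, 6000)):
        print(pkt, "->", filter_packet(pkt))
```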