ipchains - sorry to flog this horse

Craig White CraigWhite@AzApple.com
Fri, 31 Mar 2000 10:32:15 -0700


thinking that this discussion might be of interest to others and not wanting
to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
linux systems on the internet, I am lobbing up softballs for weak hitters to
hit out of the park.

1 - if I create a chain ruleset

    default policy deny
    accept TCP/UDP port 25, 110, 80
    reject TCP/UDP ports 1:1024

    does this adequately protect all but mail & www from things
    like BIND & FTP exploitation attacks?

2 - does it then make sense to use tcpd to protect the exposed services?

    example

    hosts.deny
    ALL:ALL

    hosts.allow
    ipop3d:localnetwork & specific.hosts.for.internet.access
    httpd:ALL

3 - Any other suggestions?

Craig

----:----|----:----|----:----|----:----|----:----|----:----|
- Craig White - PO Box 8634 - Scottsdale, Arizona - 85252
- e-mail address ................ - CraigWhite@AzApple.com
- world wide web address ........ - http://www.AzApple.com
- e-mail my pager address ....... - 6023779752@airtouch.net
- cellular phone ................ - (602) 377-9752
- voice/facsimile ............... - (480) 945-8445
----:----|----:----|----:----|----:----|----:----|----:----|