ipchains - sorry to flog this horse

sinck@corp.quepasa.com
Fri, 31 Mar 2000 10:42:25 -0700 (MST)


> thinking that this discussion might be of interest to others and not wanting
> to abuse Mike Sheldon or Jean Francois...but I am feeling like by installing
> linux systems on the internet, I am lobbing up softballs for weak hitters to
> hit out of the park.
> 
> 1 - if I create a chain ruleset
> 
>     default policy deny
>     accept TCP/UDP port 25, 110, 80
>     reject TCP/UDP ports 1:1024
> 
>     does this adequately protect all but mail & www from things
>     like BIND & FTP exploitation attacks?

I'm pretty sure you're gonna want 53 in there... otherwise it'll be
harder to resolve hostnames.

If you're using mysql, add tcp 3306 -y -j REJECT to keep it happy.

If you're using X, add 6000:6009 -y -j REJECT and 7100 -y -j REJECT to
keep the X sessions highly protected as well as the font server.

I like reject better because I think that makes attempts "go away"
faster.  But I'd be more than willing to change my opinion if someone
*knows*.  :-)

David
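Added example, not part of the thread: a small POSIX shell script that holds the questioner's ruleset and David's additions as a rule table, evaluates what an ipchains input chain with first-match semantics and a DENY policy would do to a given inbound packet, and prints the equivalent ipchains commands. The table format, the `0.0.0.0/0` destination, and the use of the `input` chain are assumptions made for the example. It shows three things the thread touches on: with the rules as written, port 53 (and 21) fall inside the 1:1024 REJECT range; a `-y` rule only matches a TCP SYN, so a non-SYN packet to 3306 falls through to the policy; and if the 1:1024 REJECT is listed before the ACCEPTs, mail and web traffic is rejected too, because ipchains stops at the first matching rule. (REJECT differs from DENY only in that it answers with an ICMP error instead of dropping silently.)

```shell
#!/bin/sh
# Added example (not from the original thread): a first-match simulator for an
# ipchains "input" chain, plus a printer that turns the same rule table into
# ipchains commands. It models only what the thread discusses: protocol,
# destination port range, the -y (SYN-only) flag and the chain policy.

# Rule table format (constructed for this example), one rule per line:
#   proto lo hi synonly target
#   proto   tcp | udp
#   lo hi   destination port range (lo == hi for a single port)
#   synonly 1 means the rule carries -y and matches only TCP SYN packets
#   target  ACCEPT | REJECT | DENY
POLICY=DENY

# The ruleset exactly as the question lists it.
RULES_ORIGINAL="tcp 25 25 0 ACCEPT
udp 25 25 0 ACCEPT
tcp 110 110 0 ACCEPT
udp 110 110 0 ACCEPT
tcp 80 80 0 ACCEPT
udp 80 80 0 ACCEPT
tcp 1 1024 0 REJECT
udp 1 1024 0 REJECT"

# The same ruleset with the reply's additions: port 53, and SYN-only REJECTs
# for MySQL (3306), X (6000:6009) and the font server (7100).
RULES_REPLY="tcp 53 53 0 ACCEPT
udp 53 53 0 ACCEPT
$RULES_ORIGINAL
tcp 3306 3306 1 REJECT
tcp 6000 6009 1 REJECT
tcp 7100 7100 1 REJECT"

# The original rules with the range REJECT placed first: shown because
# ipchains stops at the first matching rule, so order decides the outcome.
RULES_MISORDERED="tcp 1 1024 0 REJECT
udp 1 1024 0 REJECT
tcp 25 25 0 ACCEPT
tcp 80 80 0 ACCEPT"

# decide RULES PROTO PORT SYN -> prints the target applied to one inbound
# packet (SYN is 1 for a TCP connection request, 0 otherwise).
decide() {
    rules=$1 proto=$2 port=$3 syn=$4
    match=$(printf '%s\n' "$rules" | while read -r rproto lo hi synonly target; do
        [ -z "$rproto" ] && continue
        [ "$rproto" = "$proto" ] || continue
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] || continue
        # -y never matches a UDP packet or a TCP packet without SYN
        if [ "$synonly" = 1 ] && { [ "$proto" != tcp ] || [ "$syn" != 1 ]; }; then
            continue
        fi
        printf '%s\n' "$target"
        break
    done)
    printf '%s\n' "${match:-$POLICY}"
}

# emit_ipchains RULES -> prints the ipchains commands for the rule table.
emit_ipchains() {
    printf 'ipchains -P input %s\n' "$POLICY"
    printf '%s\n' "$1" | while read -r proto lo hi synonly target; do
        [ -z "$proto" ] && continue
        if [ "$lo" = "$hi" ]; then ports=$lo; else ports="$lo:$hi"; fi
        if [ "$synonly" = 1 ]; then flag=" -y"; else flag=""; fi
        printf 'ipchains -A input -p %s -d 0.0.0.0/0 %s%s -j %s\n' \
            "$proto" "$ports" "$flag" "$target"
    done
}

# Walk through the cases raised in the thread.
for probe in "tcp 25 1" "tcp 53 1" "udp 53 0" "tcp 21 1" "tcp 8080 1"; do
    set -- $probe
    printf 'original:   %s/%s syn=%s -> %s\n' "$1" "$2" "$3" "$(decide "$RULES_ORIGINAL" "$@")"
done
printf 'reply:      tcp/3306 syn=1 -> %s\n' "$(decide "$RULES_REPLY" tcp 3306 1)"
printf 'reply:      tcp/3306 syn=0 -> %s\n' "$(decide "$RULES_REPLY" tcp 3306 0)"
printf 'misordered: tcp/25 syn=1 -> %s\n' "$(decide "$RULES_MISORDERED" tcp 25 1)"
emit_ipchains "$RULES_REPLY"
```

Run it as-is to see the decisions and the generated commands; nothing in the script touches the kernel, so it is safe to try on any machine. To apply a table for real you would pipe `emit_ipchains` output through `sh` on a host that still has ipchains, after reviewing the printed commands.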