Ipchains Woes

Craig White plug-discuss@lists.plug.phoenix.az.us
25 Feb 2002 18:19:58 -0700


On Mon, 2002-02-25 at 14:45, David A. Sinck wrote:
> 
> 
> \_ SMTP quoth Steve Holmes on 2/25/2002 14:30 as having spake thusly:
> \_
> \_ Actually, I can't do it from the firewall box nor the inside.  One thing I
> \_ can tell for sure, I can communicate back and forth between the local
> \_ boxes but nobody can get outside with ping, traceroute, dig or any of
> \_ those good buddies.  The forward chain does look identical to what you
> \_ suggested below.  I need to dig into the input chain, I believe.  This
> \_ package script uses an inet-in rule to set up the various permissions and
> \_ the internet device (netward card) is defaulted to this internet rule.  If
> \_ allowed through, those ports are '-j ACCEPT'.  But devices lo (loopback)
> \_ and LAN card (eth0 in my case) both default to input -j ACCEPT so they
> \_ should be getting through no matter what, I would think.  So I'm either
> \_ missing something or there may be a bug in my implementation of ipchains.
> 
> You may need to -j ACCEPT in masquerade chain for trusted devices?
> 
----
wow - 2 messages in 1 day David.

as default policy - ACCEPT is a really poor idea for ipchains - for
testing purposes, OK - but it will ultimately have to be changed to
REJECT or DENY to have some security and peace of mind...be it forward,
input or output.

Craig
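A small audit script for the point Craig makes above: check which built-in ipchains chains still have a default policy of ACCEPT and list the `-P` commands that would flip them to default-deny. This is an added example, not code from the thread or from any ipchains package; the listing it parses is constructed, and the header format `Chain <name> (policy <POLICY>):` is assumed to match what `ipchains -L -n` prints.

```python
"""Audit default chain policies in ipchains -L style output.

Added example, not from the mailing-list thread. SAMPLE_LISTING is
constructed; the header format "Chain <name> (policy <POLICY>):" is an
assumption about `ipchains -L -n` output. Nothing here runs ipchains.
"""
import re

# Constructed sample of `ipchains -L -n` output for a hypothetical firewall
# box: LAN is 192.168.1.0/24, forward chain masquerades it, and the input and
# output chains were left at the testing-time default of ACCEPT.
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.1.0/24       0.0.0.0/0             n/a
Chain forward (policy DENY):
MASQ       all  ------  192.168.1.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT):
"""

# Only built-in chains carry a policy; user-defined chains print a reference
# count instead ("Chain foo (1 references):") and are deliberately not matched.
CHAIN_HEADER = re.compile(r"^Chain\s+(\S+)\s+\(policy\s+(\S+)\):")
SAFE_POLICIES = {"DENY", "REJECT"}


def parse_policies(listing):
    """Return {chain: policy} for every built-in chain header in the listing."""
    policies = {}
    for line in listing.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
    return policies


def open_by_default(listing):
    """Chains whose default policy is neither DENY nor REJECT, sorted by name."""
    return sorted(chain for chain, policy in parse_policies(listing).items()
                  if policy not in SAFE_POLICIES)


def hardening_commands(listing, policy="DENY"):
    """The `ipchains -P` commands that would close each open chain.

    Returned as strings for review; the script never executes them, since
    switching a chain to default-deny without the matching ACCEPT rules in
    place is exactly how a box ends up unable to reach the outside.
    """
    return ["ipchains -P %s %s" % (chain, policy)
            for chain in open_by_default(listing)]


if __name__ == "__main__":
    for chain, policy in sorted(parse_policies(SAMPLE_LISTING).items()):
        print("%-8s policy %s" % (chain, policy))
    for cmd in hardening_commands(SAMPLE_LISTING):
        print("suggested:", cmd)
```

On a real box you would feed it `ipchains -L -n` output instead of the constructed sample; the point is that a default of ACCEPT on any of the three built-in chains is what the audit flags, regardless of how tidy the individual rules look.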