Ipchains Woes
Craig White
plug-discuss@lists.plug.phoenix.az.us
25 Feb 2002 18:19:58 -0700
On Mon, 2002-02-25 at 14:45, David A. Sinck wrote:
>
>
> \_ SMTP quoth Steve Holmes on 2/25/2002 14:30 as having spake thusly:
> \_
> \_ Actually, I can't do it from the firewall box nor the inside. One thing I
> \_ can tell for sure, I can communicate back and forth between the local
> \_ boxes but nobody can get outside with ping, traceroute, dig or any of
> \_ those good buddies. The forward chain does look identical to what you
> \_ suggested below. I need to dig into the input chain, I believe. This
> \_ package script uses an inet-in rule to set up the various permissions and
> \_ the internet device (netward card) is defaulted to this internet rule. If
> \_ allowed through, those ports are '-j ACCEPT'. But devices lo (loopback)
> \_ and LAN card (eth0 in my case) both default to input -j ACCEPT so they
> \_ should be getting through no matter what, I would think. So I'm either
> \_ missing something or there may be a bug in my implementation of ipchains.
>
> You may need to to -j ACCEPT in masquerade chain for trusted devices?
>
----
wow - 2 messages in 1 day David.
as default policy - ACCEPT is a really poor idea for ipchains - for
testing purposes, OK - but it will ultimately have to be changed to
REJECT or DENY to have some security and piece of mind...be it forward,
input or output.
Craig