TCLUG Archive

Re: [TCLUG:5678] ipchains script


Sometime around the 30th of April in 1999, a certain Ben Luey said:

: I think your problem is related to order. ipchains depends on order. If
: your first line is deny everything and next one is to accept port 21 --
: port 21 will be blocked because the first line (deny) applies to it and
: that's it. Therefore what you want to do is put in all your accept lines
: first, then a blanket deny script. The reason my script doesn't block 5555
: is because the blanket deny line is only for ports from 1-1023. Copy that
: line and add 5555 (or whatever range) and it should work. Be careful what
: you deny though, I found that some ports over 1023 are needed for client
: operations.

I've got a list of ports that I need open, which I'm taking
straight from my previously-working ipfwadm setup (5555 isn't
one of them, it was just for an example).

That's the way I was setting things up .. I have three userland
chains (one for behind firewall, one for lan outside firewall,
one for world), with rules appended to them per-port and host,
each ending with a blanket RETURN call, and no DENY lines.

The first three rules in the input chain are to call these
three userland chains in order of most-secure to least-secure,
ending with a blanket DENY in the input chain.

I know that the packets traverse the userland chains, because I
put a blanket -l (log packet info) line at the start of all of
them and they indeed do spew info all over my syslog. They just
never seem to match any of the rules ..

--
| Joshua Becker                    - aka -                      JellyD |
| email:                          IRC: EFnet, DALnet |

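The first-match behaviour both posters are describing (rule order decides the verdict, a deny that only covers 1-1023 never sees port 5555, and packets that traverse user-defined chains without hitting a terminating rule fall through to the blanket DENY in the input chain) can be checked without a 2.2 kernel. The following Python model is an added example written for this archive page; it is not code from the thread and it is not ipchains itself. It models only the parts of ipchains the posts mention: ordered rules, ACCEPT/DENY/RETURN targets, -j into a user chain, and a bare -l rule that logs and lets the packet continue. Chain names ("inside", "lan", "world"), addresses, and the sample packets are constructed for illustration.

```python
"""
First-match simulator for ipchains-style rule evaluation (added example,
not from the TCLUG thread and not the real ipchains tool).
Modelled behaviour: rules are checked in order; the first matching rule
with a target decides the packet; -j enters a user chain; RETURN (or
running off the end of a user chain) resumes the calling chain at the
next rule; a rule with no target (bare -l) logs and continues.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: Optional[str]           # "ACCEPT", "DENY", "RETURN", a user chain name, or None (log only)
    proto: Optional[str] = None     # "tcp", "udp", or None for any protocol
    dports: Optional[tuple] = None  # (low, high) inclusive, or None for any destination port
    src: Optional[str] = None       # exact source address, or None for any source

    def matches(self, pkt: dict) -> bool:
        if self.proto and pkt["proto"] != self.proto:
            return False
        if self.dports and not (self.dports[0] <= pkt["dport"] <= self.dports[1]):
            return False
        if self.src and pkt["src"] != self.src:
            return False
        return True


class Firewall:
    def __init__(self):
        self.chains = {"input": []}         # built-in chain; default policy ACCEPT

    def new_chain(self, name):              # ipchains -N name
        self.chains[name] = []

    def append(self, chain, rule):          # ipchains -A chain ...
        self.chains[chain].append(rule)

    def _walk(self, chain, pkt, log):
        """Evaluate one chain; return a verdict, or None if the chain is exhausted/RETURNed."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target is None:         # bare -l: record it, keep going
                log.append(f"{chain}: {pkt['proto']}/{pkt['dport']} from {pkt['src']}")
                continue
            if rule.target == "RETURN":
                return None
            if rule.target in ("ACCEPT", "DENY"):
                return rule.target
            verdict = self._walk(rule.target, pkt, log)   # -j user_chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, pkt, log=None):
        v = self._walk("input", pkt, [] if log is None else log)
        return v if v is not None else "ACCEPT"   # built-in policy applies only after all rules


def deny_first_vs_accept_first():
    """Ordering: a blanket deny placed before the accept swallows port 21."""
    ftp = {"proto": "tcp", "dport": 21, "src": "10.0.0.7"}
    wrong, right = Firewall(), Firewall()
    wrong.append("input", Rule("DENY"))                              # deny everything ...
    wrong.append("input", Rule("ACCEPT", proto="tcp", dports=(21, 21)))  # ... never reached
    right.append("input", Rule("ACCEPT", proto="tcp", dports=(21, 21)))
    right.append("input", Rule("DENY"))
    return wrong.verdict(ftp), right.verdict(ftp)


def high_port_not_covered():
    """A deny limited to 1-1023 lets 5555 through; adding 5555 to the deny blocks it."""
    pkt = {"proto": "tcp", "dport": 5555, "src": "10.0.0.7"}
    fw = Firewall()
    fw.append("input", Rule("DENY", proto="tcp", dports=(1, 1023)))
    before = fw.verdict(pkt)
    fw.append("input", Rule("DENY", proto="tcp", dports=(5555, 5555)))
    return before, fw.verdict(pkt)


def user_chain_layout():
    """Three user chains (log rule first, per-host/port accepts, RETURN last), blanket DENY in input."""
    fw = Firewall()
    for name in ("inside", "lan", "world"):                # constructed chain names
        fw.new_chain(name)
        fw.append(name, Rule(None))                        # -l on everything entering the chain
    fw.append("inside", Rule("ACCEPT", src="192.168.1.5"))
    fw.append("lan", Rule("ACCEPT", proto="tcp", dports=(22, 22), src="192.168.1.9"))
    fw.append("world", Rule("ACCEPT", proto="tcp", dports=(21, 21)))
    for name in ("inside", "lan", "world"):                # most secure to least secure
        fw.append(name, Rule("RETURN"))
        fw.append("input", Rule(name))                     # -j name
    fw.append("input", Rule("DENY"))
    log = []
    ftp = fw.verdict({"proto": "tcp", "dport": 21, "src": "203.0.113.4"}, log)
    telnet = fw.verdict({"proto": "tcp", "dport": 23, "src": "203.0.113.4"}, log)
    # Both packets are logged by all three chains; only the one an accept rule matches survives.
    return ftp, telnet, len(log)


if __name__ == "__main__":
    print(deny_first_vs_accept_first(), high_port_not_covered(), user_chain_layout())
```

The third function reproduces the symptom in the post: every packet shows up in the log of every user chain (the -l rule matches before anything else), yet a packet that no accept rule matches returns from all three chains and is caught by the final DENY. When debugging a real ruleset, compare the match fields of the accept rules against what the log line shows for the packet, since the log proves only that the packet entered the chain, not that any rule after the log rule matched it.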