[lug] Firewalls again.
Sean Reifschneider
jafo at tummy.com
Mon Sep 4 21:13:36 MDT 2000
On Mon, Sep 04, 2000 at 08:24:48PM -0400, John Starkey wrote:
>can't get past and now I'm convinced it doesn't work that way -- I can't
>do a -P DENY and ACCEPT what I want. I'm having to -P ACCEPT and then
>negate every rule.
>
>Is this correct??? Doesn't seem very logical.
No, that's not correct. You can set the default policy to deny and then
accept what you want. That's the recommended way of doing it. You are
flushing the chains before trying to install a new set? What does
"-L -v" tell you as far as what chain rules are getting hit?
What happens if you run this?
ipchains -F input
ipchains -P input DENY
ipchains -A input -s 0/0 -d 0/0 -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -j DENY --log # always log as last rule
What about this?
ipchains -F input
ipchains -P input DENY
ipchains -A input -s 0/0 -d 0/0 -p icmp -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 -j DENY --log # always log as last rule
The former should allow everything through, negating the "drop everything"
policy. The latter should drop (and log) everything but ICMP (pings).
Sean
--
"Where are we going?" "Planet Ten!" "When?" "Real soon!"
-- _Buckaroo_Banzai_
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
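Added example, not part of Sean's message and not ipchains itself: a small Python model of how an ipchains chain reaches a verdict (first matching rule wins, the chain's policy applies only when no rule matches), with the two rule sets from the reply rebuilt on top of it plus a third chain showing what the "are you flushing the chains?" question is getting at. Packet addresses and the Packet/Rule/Chain names are assumptions made up for the example; real ipchains does CIDR matching, which is simplified to an exact match here.

```python
# Added example (not from the mailing-list message): a toy first-match
# evaluator that mimics how an ipchains "input" chain decides a packet's
# fate, so the two rule sets Sean posted can be checked offline.
# Packet values below are constructed sample data (RFC 5737 addresses).
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    target: str                  # -j ACCEPT or -j DENY
    proto: Optional[str] = None  # -p <proto>; None models omitting -p (any protocol)
    src: str = "0/0"             # -s; "0/0" matches every address
    dst: str = "0/0"             # -d
    log: bool = False            # -l / --log on the rule


def _addr_matches(rule_addr: str, addr: str) -> bool:
    """'0/0' is the any-address wildcard; otherwise require an exact match
    (real ipchains does CIDR matching; exact match is enough for this model)."""
    return rule_addr == "0/0" or rule_addr == addr


class Chain:
    """One ipchains chain: an ordered rule list plus a default policy."""

    def __init__(self, policy: str = "DENY"):
        self.policy = policy
        self.rules: List[Rule] = []
        self.logged: List[Packet] = []  # packets that hit a logging rule

    def flush(self) -> None:                    # ipchains -F input
        self.rules.clear()

    def set_policy(self, policy: str) -> None:  # ipchains -P input DENY
        self.policy = policy

    def append(self, rule: Rule) -> None:       # ipchains -A input ...
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; if nothing matches, the policy applies."""
        for rule in self.rules:
            if ((rule.proto is None or rule.proto == pkt.proto)
                    and _addr_matches(rule.src, pkt.src)
                    and _addr_matches(rule.dst, pkt.dst)):
                if rule.log:
                    self.logged.append(pkt)
                return rule.target
        return self.policy


def allow_everything_chain() -> Chain:
    """Sean's first rule set: flush, default DENY, accept all, then log+deny."""
    c = Chain()
    c.flush()
    c.set_policy("DENY")
    c.append(Rule("ACCEPT"))
    c.append(Rule("DENY", log=True))  # never reached here, kept as the catch-all
    return c


def icmp_only_chain() -> Chain:
    """Sean's second rule set: only ICMP is accepted; all else is logged and denied."""
    c = Chain()
    c.flush()
    c.set_policy("DENY")
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("DENY", log=True))
    return c


def unflushed_chain() -> Chain:
    """What goes wrong without -F: a stale 'accept all' rule from an earlier
    rule set stays ahead of the new rules, so the ICMP-only intent is defeated."""
    c = Chain(policy="ACCEPT")
    c.append(Rule("ACCEPT"))  # leftover from a previous, permissive rule set
    # the restrictive set is now installed without flushing first
    c.set_policy("DENY")
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("DENY", log=True))
    return c


# Constructed sample packets for trying the chains out.
PING = Packet("192.0.2.10", "198.51.100.1", "icmp")
SSH = Packet("192.0.2.10", "198.51.100.1", "tcp")

if __name__ == "__main__":
    for name, chain in (("allow-all", allow_everything_chain()),
                        ("icmp-only", icmp_only_chain()),
                        ("unflushed", unflushed_chain())):
        print(name, "ping:", chain.verdict(PING), "ssh:", chain.verdict(SSH),
              "logged:", len(chain.logged))
```

Running it shows the allow-all chain accepting both packets, the ICMP-only chain accepting the ping while logging and denying the TCP packet, and the unflushed chain accepting everything despite the DENY policy, because the leftover rule is consulted before any of the new ones. That last case is the symptom John describes: a default-deny policy that appears not to work is usually a chain that still carries earlier rules.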