[lug] Firewalls again.
John Starkey
jstarkey at ajstarkey.com
Mon Sep 4 21:34:18 MDT 2000
> No, that's not correct. You can set the default policy to deny and then
> accept what you want.
Didn't think so.
> That's the recommended way of doing it. You are
> flushing the chains before trying to install a new set? What does
> "-L -v" tell you as far as what chain rules are getting hit?
Ok. I'm gonna flush and do things manually. I have the negated script in
rc.firewall right now.
> What happens if you run this?
>
> ipchains -F input
Clean!
> ipchains -P input DENY
> ipchains -A input -s 0/0 -d 0/0 -j ACCEPT
> ipchains -A input -s 0/0 -d 0/0 -j DENY --log # always log as last rule
Everything is fine that I can see. ftp, nslookup and lynx, all working
fine.
Is the last command a log command only? No effect on the rules?? I dump
logs (ftp, named, etc.) to tty8 and don't see anything there.
> What about this?
>
> ipchains -F input
> ipchains -P input DENY
> ipchains -A input -s 0/0 -d 0/0 -p icmp -j ACCEPT
> ipchains -A input -s 0/0 -d 0/0 -j DENY --log # always log as last rule
>
> The former should allow everything through, negating the "drop everything"
> policy. The latter should drop (and log) everything but ICMP (pings).
Can't ftp, lynx, nslookup. Ping works fine.
So I added the script to rc.firewall. The only other things are depmod -a and
modprobe ip_masq_ftp.
Ping returns operation not permitted. Maybe a corrupted file??
John
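The two quoted rule sets differ only in one rule, so it helps to see why the first one logs nothing while the second breaks ftp, nslookup and lynx but leaves ping working. The following is an added example, not code from the thread: a small Python model of ipchains' first-match evaluation (default policy, ordered rules, `-l`/`--log` on a rule). The packet tuples, the `Rule`/`Chain` classes and the sample addresses are constructed assumptions for illustration, not anything from the original post.

```python
"""Toy first-match chain evaluator modelling ipchains semantics.

Added example, not from the original thread. A chain has a default
policy and an ordered rule list; the first matching rule decides the
packet's fate, and a rule with log=True records the packet before its
target is applied. Rule fields and packet dicts are simplified
assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DENY"
    src: str = "0/0"             # ipchains writes 0/0 for "any address"
    dst: str = "0/0"
    proto: Optional[str] = None  # None == any protocol (no -p given)
    log: bool = False            # ipchains -l / --log

    def matches(self, pkt):
        def in_net(addr, spec):
            if spec == "0/0":
                return True
            return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
        if not in_net(pkt["src"], self.src) or not in_net(pkt["dst"], self.dst):
            return False
        return self.proto is None or self.proto == pkt["proto"]


@dataclass
class Chain:
    policy: str = "DENY"                              # ipchains -P input DENY
    rules: list = field(default_factory=list)
    log_lines: list = field(default_factory=list)     # what -l would have written to syslog

    def append(self, rule):                           # ipchains -A input ...
        self.rules.append(rule)

    def flush(self):                                  # ipchains -F input
        self.rules.clear()

    def verdict(self, pkt):
        for n, rule in enumerate(self.rules, 1):
            if rule.matches(pkt):
                if rule.log:
                    self.log_lines.append(
                        f"rule {n} {rule.target} {pkt['proto']} {pkt['src']}->{pkt['dst']}")
                return rule.target
        return self.policy                            # no rule hit: default policy applies


# Constructed test traffic: the inbound reply packets a host would see while
# running ftp, nslookup and lynx, plus an ICMP echo reply for ping.
PACKETS = {
    "ftp":      {"proto": "tcp",  "src": "203.0.113.5",  "dst": "192.0.2.10"},
    "nslookup": {"proto": "udp",  "src": "203.0.113.53", "dst": "192.0.2.10"},
    "lynx":     {"proto": "tcp",  "src": "203.0.113.80", "dst": "192.0.2.10"},
    "ping":     {"proto": "icmp", "src": "203.0.113.5",  "dst": "192.0.2.10"},
}


def accept_all_chain():
    """Mirrors the first quoted set: policy DENY, accept 0/0 -> 0/0, then DENY --log."""
    c = Chain(policy="DENY")
    c.append(Rule("ACCEPT"))
    c.append(Rule("DENY", log=True))   # shadowed: rule 1 already matched everything
    return c


def icmp_only_chain():
    """Mirrors the second quoted set: accept only ICMP, deny and log the rest."""
    c = Chain(policy="DENY")
    c.append(Rule("ACCEPT", proto="icmp"))
    c.append(Rule("DENY", log=True))
    return c


def run(chain):
    """Return {tool: verdict} for every constructed packet."""
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for build in (accept_all_chain, icmp_only_chain):
        c = build()
        print(build.__name__, run(c))
        print("  logged:", c.log_lines)
```

The model shows why the trailing `DENY --log` rule is not "log only": it both denies and logs, but in the first rule set it is never reached because the accept-all rule in front of it matches first, so no log lines appear. In the second set it is the rule that catches the TCP and UDP replies, which is exactly the traffic ftp, lynx and nslookup need back.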