[Gllug] ipchains/smtp acceptance from Demon

Alex Hudson home at alexhudson.com
Thu Aug 16 20:29:56 UTC 2001


On Thu, Aug 16, 2001 at 07:05:33PM +0100, sean at uncertainty.org.uk wrote:
> > The number refers to the numbers of ones. 
> 
> OOPS!!!

You might want to forget CIDR notation, esp. if you ever need to work with
classless subnets - you can use an ip/netmask combo and that will work. It is
long-winded, but it's more obviously apparent what you mean.

> This is where I am getting confused ... doesn't a connection require a
> port on each end? and connections require packets going both ways (hence
> !-y to block packets that signify the start of a connection ?)

A connection requires five things: source ip, destination ip, source port,
destination port, and protocol. However, very often (i.e., usually) you
don't know the source port (it's often random, but sometimes, such as in
some nameserver configs, you know in advance what it will be). You may not
know the source ip either. So most rules operate on what the connection is
attempting to connect to.

-y means 'SYN, !FIN, !ACK', which are the flags used to start a tcp session.
Hence, accepting -y means you accept connections. !-y means you don't accept
them. Accepting -y and rejecting !-y is Silly Nonsense, as is -y -p udp.

> allow mail from demon
> deny all packets to ports <100 (?) on ppp0
  ^^^^^^
You mentioned this last time and I still don't get it. Firstly, you're
supposed to be denying everything, so unless you're doing it for logging
purposes (boring) you've already got it covered. Secondly, the usual
convention is < 1024 ;)

> deny all -y to ppp0

Sensible.

> allow the rest (actually MASQ)

My yardstick: if your firewall ends up being more than 10 lines long, ask
yourself why. It's probably overcomplicated and more likely to break things.
At the end of the day, packet filtering buys you very little security, it's
not worth fiddling with endlessly.

> I *really* don't know about anything other than tcp though - last time I
> tried to tighten my firewall I ended up not being able to get anywhere!

Usual case is you break pings, etc. If that happens, first try turning off
name resolution (i.e., ping -n 1.2.3.4) - if that works, you've buggered the
DNS. That's the most common udp error (in fact, everything is still working,
but you're just waiting the 20-30sec for the dns to time out).

Cheers,

Alex.
--

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
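The five-tuple, first-match, and -y points made in the reply above, modelled as a small ipchains-style filter run over constructed packets (added example, not code from the list post or from ipchains itself; the mail-relay range 192.0.2.0/24 and the sample addresses are documentation placeholders, and the netmask form of the rule is deliberate, following the ip/netmask advice above):

```python
import ipaddress

def is_syn_only(flags):
    # ipchains -y: SYN set, ACK and FIN clear, i.e. the first packet of a handshake.
    return "SYN" in flags and "ACK" not in flags and "FIN" not in flags

def rule_matches(rule, pkt):
    # Each rule field is optional; an absent field matches anything, as in ipchains.
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if rule.get("syn") and not is_syn_only(pkt.get("flags", ())):
        return False
    return True

def decide(rules, pkt, default="ACCEPT"):
    # The chain is walked in order; the first matching rule decides, else the policy.
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return default

# The policy sketched in the thread: allow SMTP from the mail relay range (placeholder
# 192.0.2.0/24, written as ip/netmask), deny every other inbound SYN on ppp0, accept the rest.
POLICY = [
    {"iface": "ppp0", "proto": "tcp", "src": "192.0.2.0/255.255.255.0", "dport": 25, "syn": True, "target": "ACCEPT"},
    {"iface": "ppp0", "proto": "tcp", "syn": True, "target": "DENY"},
]

# Constructed sample packets arriving on ppp0.
SMTP_FROM_RELAY = {"iface": "ppp0", "proto": "tcp", "src": "192.0.2.10", "dport": 25, "flags": {"SYN"}}
SSH_FROM_ELSEWHERE = {"iface": "ppp0", "proto": "tcp", "src": "198.51.100.7", "dport": 22, "flags": {"SYN"}}
HTTP_REPLY = {"iface": "ppp0", "proto": "tcp", "src": "198.51.100.7", "dport": 40123, "flags": {"SYN", "ACK"}}
DNS_REPLY = {"iface": "ppp0", "proto": "udp", "src": "198.51.100.53", "dport": 40124}

if __name__ == "__main__":
    for name, pkt in [("smtp", SMTP_FROM_RELAY), ("ssh", SSH_FROM_ELSEWHERE), ("http-reply", HTTP_REPLY), ("dns-reply", DNS_REPLY)]:
        print(name, decide(POLICY, pkt))
```

Note that the SYN/ACK reply to an outbound web connection and the UDP DNS reply both pass, because neither is a -y packet; blocking inbound UDP wholesale is what produces the "DNS timed out" symptom described above.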