[Gllug] ipchains/smtp acceptance from Demon
sean at uncertainty.org.uk
sean at uncertainty.org.uk
Thu Aug 16 18:05:33 UTC 2001
On Thu, Aug 16, 2001 at 09:34:41AM +0100, home at alexhudson.com wrote:
> On Wed, Aug 15, 2001 at 10:13:06PM +0100, sean at uncertainty.org.uk wrote:
> > > ipchains -A input -i $extint -s 194.217.242/24 -dport smtp -j ACCEPT
> > >
> > > would seem to to the trick
> >
> > but wouldn't the /24 allow a far greater range than I need to ?
>
> No, that CIDR bitmask notation - 24 is smaller than 8 ;)
>
> 8 = 255.0.0.0 = 11111111.00000000.00000000.00000000
> 24 = 255.255.255.0 = 11111111.11111111.11111111.00000000
>
> The number refers to the numbers of ones.
OOPS!!!
>
> > What ports do I have to allow to connect for things like outgoing http ftp
> > ssh ...?
>
> None. You only allow incoming. So, without connection tracking, you could
> allow all packets from 0/0 that are !-y, allow all outgoing packets from
> yourself, and deny everything else (except mail).
>
This is where I am getting confused ... doesn't a connection require a port on each end?
and connections require packets going both ways (hence !-y to block packets that signify the start of a connection ?)
so what I was thinking was
(filter out spoofing)
allow mail from demon
deny all packets to ports <100 (?) on ppp0
deny all -y to ppp0
allow the rest (actually MASQ)
I'm *really* don't know about anything other than tcp though - last time I
tried to tighten my firewall I ended up not being able to get anywhere!
> ftp is a special case, because that can need incoming connections in active
> mode. However, it will work fine in passive mode, or you can use iptables
> connection tracking to do it. It's a bodge in both instances though, and
> you'll make it worse if you ever use the crappy masquerading system, because
> ftp hates that even more - ftp proxying is the better solution.
>
maquerading is woking fine - I do all my ftp in passive mode and don't notice
the difference.
--
Sean
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
More information about the GLLUG
mailing list