[Gllug] ipchains/smtp acceptance from Demon

sean at uncertainty.org.uk
Thu Aug 16 18:05:33 UTC 2001


On Thu, Aug 16, 2001 at 09:34:41AM +0100, home at alexhudson.com wrote:
> On Wed, Aug 15, 2001 at 10:13:06PM +0100, sean at uncertainty.org.uk wrote:
> > > ipchains -A input -i $extint -s 194.217.242/24 -dport smtp -j ACCEPT
> > > 
> > > would seem to do the trick
> > 
> > but wouldn't the /24 allow a far greater range than I need to ?
> 
> No, that CIDR bitmask notation - 24 is smaller than 8 ;)
> 
> 8  = 255.0.0.0		= 11111111.00000000.00000000.00000000
> 24 = 255.255.255.0	= 11111111.11111111.11111111.00000000
> 
> The number refers to the numbers of ones. 

OOPS!!!

> 
> > What ports do I have to allow to connect for things like outgoing http ftp
> > ssh ...?
> 
> None. You only allow incoming. So, without connection tracking, you could
> allow all packets from 0/0 that are !-y, allow all outgoing packets from
> yourself, and deny everything else (except mail). 
> 
This is where I am getting confused ... doesn't a connection require a port on each end?
And don't connections require packets going both ways (hence `! -y` to block packets that signify the start of a connection?)

so what I was thinking was

(filter out spoofing)

allow mail from demon
deny all packets to ports <100 (?) on ppp0
deny all -y to ppp0
allow the rest (actually MASQ)



I *really* don't know about anything other than tcp, though - last time I
tried to tighten my firewall I ended up not being able to get anywhere!

> ftp is a special case, because that can need incoming connections in active
> mode. However, it will work fine in passive mode, or you can use iptables
> connection tracking to do it. It's a bodge in both instances though, and
> you'll make it worse if you ever use the crappy masquerading system, because
> ftp hates that even more - ftp proxying is the better solution.
>

Masquerading is working fine - I do all my ftp in passive mode and don't notice
the difference.

-- 

Sean
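As an added example (not code from the thread or from either poster): the stateless ipchains ruleset the message sketches, in the order proposed (anti-spoofing, SMTP from the ISP relays, deny inbound SYNs on ppp0, accept the rest, masquerade), plus a small prefix-length-to-netmask helper that makes the /24 versus /8 point from the quoted reply concrete. The LAN range 192.168.1.0/24, the `IPCHAINS`/`EXTINT` variables and the `install`/`show` arguments are assumptions of this example; the relay range 194.217.242.0/24 is taken from the rule quoted above. Run it with `IPCHAINS=echo` (the default `show` mode) to print the rules without root.

```shell
#!/bin/sh
# Added example, not from the GLLUG thread: a stateless ipchains ruleset for a
# dial-up host whose external link is ppp0, in the order the message proposes.
# Assumed values (not given in the thread): the LAN is 192.168.1.0/24; the
# relay range 194.217.242.0/24 is the one quoted in the thread.
# Set IPCHAINS=echo to print the rules instead of installing them.

IPCHAINS="${IPCHAINS:-ipchains}"
EXTINT="${EXTINT:-ppp0}"
LAN="${LAN:-192.168.1.0/24}"                      # assumed internal network
MAIL_RELAYS="${MAIL_RELAYS:-194.217.242.0/24}"    # ISP mail relays, from the thread

# cidr_to_mask PREFIXLEN: print the dotted-quad netmask. The prefix length is
# the count of leading one bits, so /24 masks more bits (fewer hosts) than /8.
cidr_to_mask() {
    bits=$1
    mask=""
    for _octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            val=255
        elif [ "$bits" -le 0 ]; then
            val=0
        else
            val=$(( 256 - (1 << (8 - bits)) ))
        fi
        bits=$(( bits - 8 ))
        mask="${mask}${mask:+.}${val}"
    done
    printf '%s\n' "$mask"
}

# cidr_size PREFIXLEN: number of addresses the prefix covers.
cidr_size() {
    echo $(( 1 << (32 - $1) ))
}

install_rules() {
    $IPCHAINS -F input
    $IPCHAINS -F forward
    # Local processes may send anything; nothing is routed unless masqueraded below.
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P forward DENY
    # Nothing arriving on the external link is accepted unless a rule below says so.
    $IPCHAINS -P input DENY
    # Packets arriving on any interface other than ppp0 (the LAN) are trusted.
    $IPCHAINS -A input -i ! "$EXTINT" -j ACCEPT

    # Anti-spoofing: a packet on the external link must not claim a LAN or loopback source.
    $IPCHAINS -A input -i "$EXTINT" -s "$LAN" -j DENY -l
    $IPCHAINS -A input -i "$EXTINT" -s 127.0.0.0/8 -j DENY -l

    # Inbound mail: the relay's SYN to port 25 must get through, so this rule
    # sits before the SYN block. /24 covers 256 addresses, not the whole 194/8.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -s "$MAIL_RELAYS" -d 0/0 25 -j ACCEPT

    # Every other TCP connection attempt (SYN set, ACK clear) is refused and logged.
    $IPCHAINS -A input -i "$EXTINT" -p tcp -y -j DENY -l

    # What remains is return traffic: non-SYN segments of connections this host
    # opened (remote service port to our ephemeral port), UDP replies such as
    # DNS, and ICMP. A stateless filter cannot tell these from unsolicited
    # non-SYN packets; that is the gap connection tracking closes.
    $IPCHAINS -A input -i "$EXTINT" -j ACCEPT

    # Masquerade LAN hosts leaving via ppp0; passive-mode FTP works through this.
    $IPCHAINS -A forward -s "$LAN" -i "$EXTINT" -j MASQ
}

case "${1:-show}" in
    install) install_rules ;;
    show)    ( IPCHAINS=echo; install_rules ) ;;
esac
```

The accept-everything-else rule is what makes outgoing http, ssh and passive ftp work without opening any inbound port: the local end of each connection is an ephemeral port, and the replies arriving at it are never SYN-only, so they pass the `-y` deny. The cost is that any non-SYN packet from anywhere is also accepted, which is why the quoted reply calls the stateless approach a bodge next to iptables connection tracking.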



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug