It's better to do it this way:
ipchains -P input DENY
ipchains -A input -s (source add./port) -d (dest. add./port) -j ACCEPT
. . . (acceptance rules)
ipchains -A input -j DENY -l (logs all stuff not ACCEPTed above).
I also put other DENY statements on top of the last logging DENY for things
I don't care to log. The syslog will fill up rapidly with insignificant
crap if you don't (I had my colo fill /var with sputter from a
misconfigured router once).
The reason you start out with a DENY is so that there is no chance of a
packet coming through before all of the chains are parsed. Also a good
idea is to build the chains before bringing up the interface(s).
Haphazard security is marginally second to no security at all.
At 12:09 AM 4/6/2001 +0200, Cherubini Enrico wrote:
>Ciao,
> Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
>
> > It is most secure to block everything and only open the ports that are
> > absolutely necessary.
>ok, this is clear. What's the way you ppl do that through ipchains/iptables?
>Is it better to use the ACCEPT policy and then DENY all or use the DENY
>policy and ACCEPT only ports needed ? I use the first 'cause so I can log
>all packets that are denied...
>
># Start
>ipchains -P input ACCEPT
>....
>ipchains -A input -j DENY -l
># End
>
>--
>
>
>Bye
> +--------+ Maybe you are searching for freedom
> | Enrico | Maybe you can't find it anywhere
> +--------+ I found it in linux.......
>
>``I think he has a Napoleonic concept of himself and his company, an
>arrogance
> that derives from power and unalloyed success, with no leavening hard
> experience, no reverses,'' Judge Thomas Penfield Jackson says of Bill Gates.
>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
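The chain layout the reply describes, written out as an added example (it is not from the original mail or its author): a shell script that loads a default-DENY ipchains input chain in that order, with the quiet DENYs above the final logging DENY and the interface brought up only after the rules are in place. The interface name, addresses and ports are constructed placeholders; running it with `IPCHAINS=echo` (or `./script show`) prints the rules instead of loading them, so the order can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not from the original mail: an ipchains input chain built
# in the order the reply recommends. The interface, addresses and ports below
# are constructed placeholders (TEST-NET-1 space); adjust them for the host.
#
# Setting IPCHAINS=echo prints the rules instead of loading them, which lets
# you review the order on a machine without ipchains at all.
IPCHAINS=${IPCHAINS:-ipchains}
IFACE=${IFACE:-eth0}
MYADDR=${MYADDR:-192.0.2.10}        # constructed address of this host
LAN=${LAN:-192.0.2.0/24}            # constructed local network
RESOLVER=${RESOLVER:-192.0.2.53}    # constructed DNS server we query

build_input_chain() {
    # 1. Policy first, then flush: from here on nothing gets in by default,
    #    so there is no window while the remaining rules are still loading.
    $IPCHAINS -P input DENY
    $IPCHAINS -F input

    # 2. Acceptance rules: only what the host actually offers or needs back.
    $IPCHAINS -A input -i lo -j ACCEPT
    # TCP without SYN (! -y) = packets of connections this host initiated
    $IPCHAINS -A input -p tcp ! -y -d "$MYADDR" -j ACCEPT
    $IPCHAINS -A input -p tcp -d "$MYADDR" 22 -j ACCEPT          # ssh
    $IPCHAINS -A input -p tcp -d "$MYADDR" 80 -j ACCEPT          # http
    $IPCHAINS -A input -p udp -s "$RESOLVER" 53 -d "$MYADDR" -j ACCEPT   # DNS replies
    # ICMP echo-request: for -p icmp the source "port" field is the ICMP type
    $IPCHAINS -A input -p icmp -s 0.0.0.0/0 8 -d "$MYADDR" -j ACCEPT

    # 3. Quiet DENYs for traffic you expect and don't want in syslog. They sit
    #    above the logging rule so the first-match walk drops them silently.
    $IPCHAINS -A input -p udp -s "$LAN" -d 0.0.0.0/0 137:139 -j DENY   # NetBIOS chatter
    $IPCHAINS -A input -d 255.255.255.255 -j DENY                      # broadcasts

    # 4. Last rule: everything still unmatched is denied and logged.
    $IPCHAINS -A input -j DENY -l
}

show_input_chain() {
    # Dry run: same function, commands printed instead of executed.
    IPCHAINS=echo build_input_chain
}

case "$1" in
    show) show_input_chain ;;
    up)
        # Chain first, interface second: the rules are already in place
        # when the first packet arrives.
        build_input_chain
        ifconfig "$IFACE" "$MYADDR" netmask 255.255.255.0 up
        ;;
esac
```

Because `build_input_chain` goes through the `$IPCHAINS` variable, the same function serves both the dry run and the live load, so the order you reviewed is exactly the order that gets installed.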