On Friday 06 April 2001 00:09, Cherubini Enrico wrote:
> Ciao,
>
> Thu, Apr 05, 2001 at 09:38:46PM +0100, Steve Ball wrote:
> > It is most secure to block everything and only open the ports that are
> > absolutely necessary.
>
> ok, this is clear. What's the way you ppl do that through
> ipchains/iptables? Is it better to use the ACCEPT policy and then DENY all
> or use the DENY policy and ACCEPT only ports needed? I use the first
> 'cause so I can log all packets that are denied...
>
> # Start
> ipchains -P input ACCEPT
> ....
> ipchains -A input -j DENY -l
> # End
First DENY everything,

  /sbin/ipchains -P input DENY
  /sbin/ipchains -P output REJECT
  /sbin/ipchains -P forward DENY

then you say what to accept, like

  /sbin/ipchains -A input -i eth0 -p tcp --source-port 1024:65535 -d $IPADDRESS 80 -j ACCEPT
  /sbin/ipchains -A output -i eth0 -p tcp ! -y -s $IPADDRESS 80 --destination-port 1024:65535 -j ACCEPT

This way your machine can only have connections that are accepted by
ipchains. Think about it: if you only define DENY rules and you forget one...
And second, it's easier to define the things to accept than to deny.

Hans
--
"How should I know if it works? That's what beta testers are for. I only
coded it." -- Linus Torvalds
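A toy model of the two layouts discussed in the thread, added here as an illustration and not part of either mail: it mimics the ipchains evaluation order (rules tried in order, first match wins, otherwise the chain policy) for `-P`, `-A`, `-F` and `-l` in Python, so the fail-open versus fail-closed difference can be seen without a root shell. The port numbers and the "rules flushed" scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str     # "tcp" or "udp"
    dport: int     # destination port

@dataclass
class Rule:
    target: str                               # -j ACCEPT / DENY
    proto: Optional[str] = None               # -p
    dports: Optional[Tuple[int, int]] = None  # --destination-port lo:hi
    log: bool = False                         # -l

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto) and
                (self.dports is None or self.dports[0] <= p.dport <= self.dports[1]))

@dataclass
class Chain:
    """ipchains semantics: rules tried in order, first match wins, else the policy."""
    policy: str                                      # -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)  # -A appends, so list order = chain order
    logged: List[str] = field(default_factory=list)  # what a '-l' rule would write to syslog

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                if r.log:
                    self.logged.append(f"{r.target} {p.proto}/{p.dport}")
                return r.target
        return self.policy

    def flush(self) -> None:   # -F: the rules go, the policy stays
        self.rules.clear()

def accept_policy_chain() -> Chain:
    """Enrico's layout: -P input ACCEPT, rules, then a catch-all '-j DENY -l'."""
    return Chain("ACCEPT", [Rule("ACCEPT", "tcp", (80, 80)), Rule("DENY", log=True)])

def deny_policy_chain() -> Chain:
    """Hans's layout: -P input DENY, then only the ACCEPT rules that are needed."""
    return Chain("DENY", [Rule("ACCEPT", "tcp", (80, 80))])

def compare(port: int, flushed: bool = False) -> Tuple[str, str]:
    """Verdicts (accept-policy chain, deny-policy chain) for TCP to `port`; flushed=True
    models the rules being absent (ipchains -F, a half-run script, a forgotten rule)."""
    a, d = accept_policy_chain(), deny_policy_chain()
    if flushed:
        a.flush(); d.flush()
    pkt = Packet("tcp", port)
    return a.verdict(pkt), d.verdict(pkt)
```

With the rules in place both layouts give the same answers; with the rules gone only the DENY policy still refuses the connection, which is the "forgot one" case Hans describes. The catch-all `-j DENY -l` from Enrico's layout can equally be appended under a DENY policy if logging of refused packets is wanted.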