On Mon, 09 Jun 2003 at 08:36:03PM -0500, Jones wrote:
> Phillip, I didn't post the entire file.

Sorry, that was so far up in the thread I lost track of it...

> The default policy on the INPUT chain is DROP. I do allow incoming

Good

> ssh & ftp from a couple of Linux servers that I manage. All other
> TCP traffic on the external interface is stopped by the "-p tcp --syn
> -j DROP" rule. I also have the rule "-t nat -A POSTROUTING -o
> $EXTERNAL_IF -j MASQUERADE" coz this machine is a server for a couple
> of machines connected to its local (non-internet) interface.

Much like my setup...

> The rules also contain the usual stuff so the internal interfaces work i.e.
> iptables -A INPUT -i lo -j ACCEPT

Don't want to mess with the lo because then nasty things happen, good move.

> From your response I assume that this setup would make the system
> safe from unwanted/unexpected incoming traffic that originates from
> well known ports. What do these attacks do to fool firewalls
> anyway? Are there firewalls out there that let in traffic if it
> appears to originate from a well known port?

I would stick with the -m state --state ESTABLISHED,RELATED rules and get rid of the whole syn thing. There are some attacks (such as XMas or FIN Scans) that can take advantage of the fact you only trap SYN packets. A much better approach is either to match using:

-m state --state NEW

OR

Simply let the packet fall through until it hits the default DROP.

I would show you my implementation but I tend not to pass my firewall script around very often...

Let me know if you need more help.

-- 
Phillip Hofmeister

PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import -
-- 
Excuse #9: Magnetic interference from money/credit cards
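The point Phillip makes above, as an added illustration that is not part of the thread: a toy Python model of the two INPUT-chain designs, the "drop --syn, accept the rest" chain versus a stateful ESTABLISHED,RELATED chain that falls through to a default DROP. The `opened` set and the sample packets are constructed stand-ins for the kernel's connection tracking and real traffic; nothing here is iptables code.

```python
# Toy model of the two INPUT-chain designs discussed in the thread; it is an
# added illustration, not iptables code. "opened" stands in for the kernel's
# connection tracking: flows this host opened itself (constructed values).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str         # interface the packet arrives on
    src: str           # remote address
    dport: int         # our local port
    flags: frozenset   # TCP flags set in the segment

def matches_syn(pkt):
    """iptables '--syn': SYN set and ACK, RST, FIN clear."""
    return "SYN" in pkt.flags and not pkt.flags & {"ACK", "RST", "FIN"}

def conntrack_state(pkt, opened):
    """ESTABLISHED if the segment answers a connection we opened, else NEW."""
    return "ESTABLISHED" if (pkt.src, pkt.dport) in opened else "NEW"

def syn_only_chain(pkt, opened):
    """Drop '--syn' on the external interface and let other TCP through so
    replies to our own connections still work (the design under discussion)."""
    if pkt.iface == "lo":
        return "ACCEPT"
    if matches_syn(pkt):
        return "DROP"
    return "ACCEPT"    # any non-SYN segment is assumed to be a reply

def stateful_chain(pkt, opened):
    """Accept lo and ESTABLISHED,RELATED; everything else falls through to the
    chain's default DROP policy (Phillip's recommendation)."""
    if pkt.iface == "lo":
        return "ACCEPT"
    if conntrack_state(pkt, opened) == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"      # default policy

def compare(pkt, opened):
    return syn_only_chain(pkt, opened), stateful_chain(pkt, opened)

# Constructed sample traffic: a SYN/ACK answering our own outbound connection,
# and an unsolicited FIN/PSH/URG ("Xmas") probe to the ssh port.
OPENED = {("192.0.2.10", 40000)}
REPLY = Packet("eth0", "192.0.2.10", 40000, frozenset({"SYN", "ACK"}))
XMAS = Packet("eth0", "198.51.100.7", 22, frozenset({"FIN", "PSH", "URG"}))
if __name__ == "__main__":
    print("reply:", compare(REPLY, OPENED))   # ('ACCEPT', 'ACCEPT')
    print("xmas: ", compare(XMAS, OPENED))    # ('ACCEPT', 'DROP')
```

The syn-only chain hands the Xmas probe to the TCP stack, whose answer (or silence) tells the scanner whether the port is open; the stateful chain drops it because no tracked connection explains it.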