On Sat, Aug 14, 1999 at 12:56:20AM +0200, Peter Palfrader aka Weasel wrote:
> ipchains -A output -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0
> ipchains -A input -j ACCEPT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0

You can restrict this to 127/8 and all local addresses. In addition to that you should DENY all incoming packages originating from one of your local addresses.

> ipchains -A output -j ACCEPT -p tcp -s marvin 1024:65535 -d laus 1024:65535 ! -y

The above rule allows packages belonging to established connections on all ports; it makes no sense.

> ipchains -A output -j ACCEPT -p tcp -s marvin 1024:65535 -d laus smtp
>
> ipchains -A input -j ACCEPT -p tcp -s laus 1024:65535 -d marvin 1024:65535 ! -y

The above rule makes no sense.

> ipchains -A input -j ACCEPT -p tcp -s laus smtp -d marvin 1024:65535 ! -y

That's fine, should work.

> is this correct, did I miss something?
> anything which might need improvement?
> and why does this not work with ssh? (if I substitute smtp with ssh)

ssh is using a privileged source port as long as you don't give "-P" as an option to ssh.

Greetings
Bernd
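The port matching discussed in this thread, modelled as an added example that is not part of either poster's message: it evaluates the quoted output rules against constructed packets to show why the smtp rule passes, why the same rule with ssh substituted drops a connection opened from a privileged source port, and what the broad `! -y` rule lets through. Assumptions: the chain's default policy is DENY, every rule is an ACCEPT rule, and the sample ports 40000, 1022 and 6000 are made up.

```python
from dataclasses import dataclass

UNPRIV = range(1024, 65536)          # the 1024:65535 port range from the rules

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool                        # True = connection-opening SYN (what -y matches)

@dataclass
class Rule:
    src: str
    sports: range
    dst: str
    dports: range
    not_syn: bool = False            # models "! -y"

    def matches(self, p: Packet) -> bool:
        return (p.src == self.src and p.dst == self.dst
                and p.sport in self.sports and p.dport in self.dports
                and not (self.not_syn and p.syn))

def verdict(chain, p, policy="DENY"):    # default policy DENY is an assumption
    """Any matching ACCEPT rule accepts; otherwise the chain policy applies."""
    return "ACCEPT" if any(r.matches(p) for r in chain) else policy

def service_rule(port, sports=UNPRIV):
    """Output rule from the thread with the service port substituted."""
    return Rule("marvin", sports, "laus", range(port, port + 1))

# The rule the reply calls pointless: any non-SYN packet between high ports.
BROAD = Rule("marvin", UNPRIV, "laus", UNPRIV, not_syn=True)

# Constructed sample packets (ports 40000, 1022 and 6000 are made up).
smtp_syn      = Packet("marvin", 40000, "laus", 25, True)
ssh_priv_syn  = Packet("marvin", 1022,  "laus", 22, True)    # privileged source port
ssh_high_syn  = Packet("marvin", 40000, "laus", 22, True)    # as with ssh -P
stray_non_syn = Packet("marvin", 40000, "laus", 6000, False)

if __name__ == "__main__":
    print("smtp, high source port:", verdict([service_rule(25)], smtp_syn))
    print("ssh, privileged source:", verdict([service_rule(22)], ssh_priv_syn))
    print("ssh, high source port: ", verdict([service_rule(22)], ssh_high_syn))
    print("non-SYN to port 6000:  ", verdict([BROAD], stray_non_syn))
```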