> > I have the following specific questions:
> >
> > 1. Have I made any mistakes that could cause really annoying problems?
> > (perhaps unintentionally blocking something that shouldn't be blocked)
>
> if you use dhcp for anything, you must enable source/destination for
> 255.255.255.255 as well as the routes for this. This caught me some time
> ago :(

I don't think I use dhcp, but I'm not really sure about PPP. When using pon to get a dial-up connection to my ISP, I certainly get a dynamic IP. Is that done with dhcp?

> > 2. Is it safe to allow all input from localhost and output to localhost
> > as I have done?
>
> I think that this is indeed a must for certain apps. IIRC named needs it.

I kind of thought it might be necessary for something.

> > 3. Are the lines that allow ICMP the right thing to do so ping will work?
> > (also, the HOW-TO warned about not blocking ICMP type 3).
> >
> > 4. Are the SMTP and POP3 ports as secure as possible while still
> > allowing fetchmail and sendmail to work?
>
> maybe you could specify the source/destination for this rule.

I'm not sure if I should do that on the ICMP one. I meant to do that on the SMTP and POP3 ones, but I obviously didn't!

> > 5. Will my lines to block all communication with ads3.inet1.com work?
> > (If I had a fast Internet connection, I wouldn't mind banner ads)
> >
> > 6. Any other comments or suggestions?
>
> seems to me that the syntax is wrong. ipchains syntax for setting
> destination port is --dport. -p is for protocol.

You're right, I was using port numbers as if they were protocol numbers. Unfortunately, ipchains does not like --dport:

# ipchains -A input --dport 20 -j ACCEPT
ipchains: Unknown option `--dport'
Try `ipchains -h' for more information.

> > ipchains -A input -p 20 -j ACCEPT
>
> ipchains -A input --dport 20 -j ACCEPT
> or
> ipchains -A input -p ftp-data -j ACCEPT

Looking at it again, I think -p is for protocol, and ftp-data is something (packet type?) that uses the TCP protocol. I think I have to do

ipchains -A input -d 0/0 20 -j ACCEPT

> > # allow me to use fetchmail
> > ipchains -A output -p 110 -j ACCEPT

How about:

ipchains -A input -d 0/0 110 -s pop3.isp.com 110 -j ACCEPT
ipchains -A output -s 0/0 110 -d pop3.isp.com 110 -j ACCEPT

That should allow fetchmail to work. I don't see why my ISP would try and initiate a pop3 or SMTP connection.

> > # allow outgoing SMTP
> > ipchains -A output -p 25 -j ACCEPT

How about:

ipchains -A input -d 0/0 25 -s smtp.isp.com 25 -j ACCEPT
ipchains -A output -s 0/0 25 -d smtp.isp.com 25 -j ACCEPT

Thanks,
Patrick
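As an added example (not part of the thread above, and not Patrick's or his correspondent's rules), the following script shows the ipchains syntax the exchange is circling around: the port goes after the address of -s / -d and is only meaningful together with -p tcp or -p udp; there is no --dport option in ipchains. It also shows two points the thread's proposed POP3/SMTP rules leave open: the client side of a connection this host initiates uses an unprivileged ephemeral port (1024:65535), not the service port, and the reply direction can be limited to non-SYN packets (! -y) so the rule cannot be used to open a new connection towards this host. The host names pop3.isp.com and smtp.isp.com come from the thread; the interface name ppp0 and the dry-run wrapper are assumptions. By default the script only prints the rules; set DRY_RUN=0 to actually pass them to ipchains.

```shell
#!/bin/sh
# Added example: ipchains rules for a dial-up host that fetches mail with
# fetchmail (POP3) and relays outgoing mail through the ISP (SMTP).
# Assumptions: the PPP interface is ppp0, the ISP hosts are pop3.isp.com
# and smtp.isp.com (names taken from the thread), and DRY_RUN=1 means
# "print the rules instead of running ipchains".

IPCHAINS=${IPCHAINS:-ipchains}
PPP_IF=${PPP_IF:-ppp0}        # assumed dial-up interface
DRY_RUN=${DRY_RUN:-1}         # 1 = print rules only, 0 = apply them

# Print (dry run) or execute one ipchains command.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Rules for a TCP service that THIS host connects to as a client.
#   $1 = server host or IP, $2 = server port.
# ipchains syntax: the port (or port:port range) follows the address of
# -s / -d and requires -p tcp or -p udp.  The local end of the connection
# is an ephemeral port (1024:65535), not the service port, and replies are
# accepted only when they are not SYN packets (! -y), so the server cannot
# start a new connection to us through the input rule.
client_tcp_rules() {
    server=$1
    port=$2
    rule -A output -i "$PPP_IF" -p tcp -s 0/0 1024:65535 -d "$server" "$port" -j ACCEPT
    rule -A input -i "$PPP_IF" -p tcp ! -y -s "$server" "$port" -d 0/0 1024:65535 -j ACCEPT
}

# fetchmail: POP3 (tcp/110) to the ISP's POP3 server.
pop3_rules() {
    client_tcp_rules "${1:-pop3.isp.com}" 110
}

# sendmail relaying through the ISP: SMTP (tcp/25) to the ISP's mail relay.
smtp_rules() {
    client_tcp_rules "${1:-smtp.isp.com}" 25
}

# Items from the thread's other questions:
# - loopback traffic is allowed unconditionally (local daemons rely on it);
# - ICMP type 3 (destination-unreachable) is accepted so path problems are
#   reported instead of silently timing out.  In ipchains the ICMP type is
#   written in the source "port" position.
base_rules() {
    rule -A input -i lo -j ACCEPT
    rule -A output -i lo -j ACCEPT
    rule -A input -i "$PPP_IF" -p icmp -s 0/0 3 -j ACCEPT
}

# Emit the complete rule set; everything not matched is left to the chain's
# default policy (set with ipchains -P, not shown here).
all_rules() {
    base_rules
    pop3_rules "$@"
    smtp_rules
}

# Run stand-alone: print (or apply) the whole set.
[ "${0##*/}" = "ipchains-mail.sh" ] && all_rules
```

Run it as ipchains-mail.sh with DRY_RUN=1 to review the generated lines first; only once they read as intended should DRY_RUN=0 be used, and then they should be followed by a restrictive default policy for the input chain, which this script deliberately does not set.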