"Eric Gillespie, Jr." <[EMAIL PROTECTED]> wrote: >I'd like to set up ipchains so that no on can connect to my >dialup computer at all except for identd (for IRC). I read the >Firewall and IPCHAINS howtos, as well as the ipchains man page, >and it looks like the following lines should do what i want: > >ipchains -P input DENY >ipchains -I input -p all -s localhost -j ACCEPT >ipchains -I input -p icmp -j ACCEPT >ipchains -I input -p tcp --dport 113 -j ACCEPT > >Unfortunately, they don't.
The person who said that connections are bi-directional was correct, but
not in saying that you need a complementary output rule for everything
(that'll just make it worse ...). You should look at the -y (or --syn)
option to ipchains, which will allow you to control the packets that
*initiate* connections, then just let all non-SYN TCP packets through.
You might need to allow UDP (or certain bits of it) through too, depending
on what you're doing; for instance, a caching nameserver will want to talk
UDP.

--
Colin Watson [EMAIL PROTECTED]
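The ruleset the reply describes, written out as an added example (not from the thread): SYNs are accepted only towards identd, every other TCP packet is let through, and UDP is opened only for answers from the resolver. The resolver address, the `rule` wrapper and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Input policy for a dial-up
# host that offers only identd (tcp/113), built on the -y/--syn distinction.
# NAMESERVER is an assumed resolver address; set DRY_RUN=1 to print the
# rules instead of loading them (ipchains needs root).

NAMESERVER="${NAMESERVER:-192.0.2.53}"   # assumed resolver (documentation range)

# Run an ipchains command, or just print it when DRY_RUN is set.
rule() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

apply_rules() {
    rule -F input                       # start from an empty input chain
    rule -P input DENY                  # default: drop everything inbound
    rule -A input -i lo -j ACCEPT       # loopback, matched by interface
    rule -A input -p icmp -j ACCEPT     # ICMP errors, PMTU discovery

    # Only a SYN packet opens a TCP connection. Accept one only when it is
    # aimed at identd; every other SYN falls through to the DENY policy.
    rule -A input -p tcp -y --dport 113 -j ACCEPT

    # Non-SYN TCP packets are replies to connections this host opened (or
    # mid-stream traffic). Letting them through restores outbound IRC, HTTP
    # etc. without a complementary output rule per service. Note ipchains
    # keeps no connection state, so this check is on the flag alone.
    rule -A input -p tcp ! -y -j ACCEPT

    # UDP has no SYN flag, so open only what is needed: replies from the
    # resolver, coming from its port 53.
    rule -A input -p udp -s "$NAMESERVER" 53 -j ACCEPT
}

# Number of rules that would be appended; useful when checking the set.
count_rules() {
    (DRY_RUN=1; apply_rules) | grep -c '^ipchains -A'
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1; apply_rules ;;
esac
```

Run `sh script.sh show` to review the rules before loading them with `apply`.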