The info I had while constructing my ipchains firewall seems to be the opposite. I lead off with:

# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT

Now note that those are policy settings and not input/output rules.

Matthew Zaleski

> -----Original Message-----
> From: Ken Wahl [mailto:[EMAIL PROTECTED]]
> Sent: Monday, September 11, 2000 4:48 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] thanks for the check port cmdln
>
>
> On Mon, 11 Sep 2000, Ron Johnson, Jr. wrote:
>
> > Matthew Micene wrote:
> > >
> > > On Mon, 11 Sep 2000, you wrote:
> > > > Since the foreign address is 0.0.0.0, does that mean that these
> > > > ports are accessible by the world? Port 515 is the print
> > > > spooler, so it sounds bad that that should be world accessible.
> > >
> > > You'd better believe it. And if you want it to get worse, open an X
> > > Window session and watch X pop up on port 6000 and xfs on port 2046 I
> > > think. This is why EVERYONE running a linux box (at home or otherwise)
> > > needs to have a firewall installed of some sort. One solution is
> > > tcpserver as a replacement for inet super server because it supports
> > > binding to a specific interface or address. It is limited in the fact
> > > that it only handles TCP protocols.
> >
> > Well that's pretty bad. I used PMFirewall to set up my ipchains
> > commands, but apparently it has left some things out... It
> > was my assumption that PMFirewall blocked everything then
> > allowed only certain ports in...
> >
> > Ron
> >
>
> I hope someone will jump in and correct if I'm wrong but I think your
> original assumption about PMFirewall is correct. Just because a netstat
> command will show a port as listening, doesn't mean that PMFirewall will
> let anyone besides localhost connect to it if you have PMFirewall
> configured to deny/reject connection attempts to that particular port.
>
> Take a look at your ipchains as root with "ipchains -L". Remember that
> the chains are processed one line at a time from the top down. The first
> line will be an "accept all" then there should be rules to accept
> connections to particular ports if you want those services running. Then
> there will be explicit reject chains for common exploits (netbios, etc.
> plus denial for 5999-6003) and then there should be a rule to accept
> connections in the temp range 1023-65535. The final input chain should be
> an explicit deny all to block anything that was not specifically permitted
> in the chains prior.
>
> If I have this wrong then someone please tell me, as I've got some work to
> do if that is the case.
>
> Thanks.
>
> --
> #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
> | Ken Wahl, CCNA [EMAIL PROTECTED] PGP Key ID: 3CF9AB36 |
> | PGP Public Key: http://www.ipass.net/~kenwahl/pgpkey.txt |
> #-=-=-=-=-=-=-=--> Powered by Linux Mandrake <--=-=-=-=-=-=-#
>
> Linux up 1 day, 17:03, 1 user, load average: 0.00, 0.00, 0.00
>
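The two points in the thread above, a DENY policy set before any rule and the top-down chain order Ken describes, put together as an added example. This script is not from the thread and is not what PMFirewall generates; the interface name eth0, the exposed ports 22 and 80, the resolver address 192.0.2.53 and the netstat excerpt are all assumed or constructed for illustration. By default it only prints the ipchains commands; set IPCHAINS=ipchains and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not the thread's or PMFirewall's code): a default-deny
# ipchains ruleset in the order Ken Wahl describes, with the policies set
# to DENY up front as in Matthew Zaleski's reply.
#
# Assumptions, none of them stated in the thread: external interface eth0,
# two deliberately exposed TCP services (22, 80), one trusted resolver.
# The default prints the commands (dry run); IPCHAINS=ipchains applies them.
IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="${EXT_IF:-eth0}"
ALLOW_TCP="${ALLOW_TCP:-22 80}"
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"

build_rules() {
    # Flush, then set the policies: a packet that matches no rule in the
    # input chain is dropped no matter what netstat shows as listening.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT   # outbound left open here; Matthew used REJECT

    # Loopback first, so lpd (515), X (6000) and xfs stay usable locally.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Services that are meant to be reachable from the world.
    for p in $ALLOW_TCP; do
        $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport "$p" -j ACCEPT
    done

    # The "explicit reject" block from the thread. The DENY policy would
    # drop these anyway; -l additionally leaves a kernel log line per probe.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 137:139 -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p udp --dport 137:139 -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 515 -j DENY -l
    $IPCHAINS -A input -i "$EXT_IF" -p tcp --dport 5999:6063 -j DENY -l

    # Replies to our own outbound connections. ipchains is stateless, so the
    # best it can do is accept TCP packets that are not SYNs (! -y) to
    # unprivileged ports, plus UDP answers from the resolver we trust.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y --dport 1024:65535 -j ACCEPT
    $IPCHAINS -A input -i "$EXT_IF" -p udp -s "$DNS_SERVER" --sport 53 --dport 1024:65535 -j ACCEPT

    # Final catch-all mirrors the policy but logs what it drops.
    $IPCHAINS -A input -i "$EXT_IF" -j DENY -l
}

# Constructed "netstat -an" excerpt; not real output from anyone's host.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2046          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# List TCP listeners bound to 0.0.0.0 that no ACCEPT rule covers. These are
# the ports Ron was worried about: with the ruleset above they are reachable
# from localhost only, because the policy drops the SYN before the daemon
# ever sees it.
unlisted_listeners() {
    printf '%s\n' "$1" |
    awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ {
            split($4, a, ":"); print a[2] }' |
    while read -r port; do
        case " $ALLOW_TCP " in
            *" $port "*) ;;          # explicitly opened above
            *) echo "$port" ;;
        esac
    done
}

build_rules
echo "# world-bound listeners relying on the DENY policy:"
unlisted_listeners "$SAMPLE_NETSTAT"
```

After applying the rules, compare "ipchains -L -n" against "netstat -an": every 0.0.0.0 listener that is not in an ACCEPT rule should show up in the second list and in nothing but the logged DENY lines. The weak point of any ipchains ruleset is the stateless "! -y" accept for 1024:65535: it lets non-SYN packets reach any high port, which is enough for ACK-scan style probing even though no connection can be opened, so the explicit DENY of the X range ahead of it is worth keeping rather than relying on the policy alone.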
Keep in touch with http://mandrakeforum.com: Subscribe the "[EMAIL PROTECTED]" mailing list.
