Hello,

I have a Red Hat 7.1 box on which I enabled the firewall at install time,
declaring eth0 as a trusted interface. The PC is connected on eth0 to
another computer, IP address 192.168.1.2, and to the internet in
dialup mode on the ppp0 interface.  As far as I can tell, I have a working
firewall setup, but it also contains some rules whose origin I can't
figure out.

When I connect to the Internet, my ipchains rules are the combination
of the attached script and of this /etc/sysconfig/ipchains:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

Now the actual question: if I run ipchains -L I get what is listed below,
and I would just like your opinion on the rules I marked with
??. Where did they come from? Are they security holes?

Obviously, pointing out any other hole is highly appreciated.

          TIA,
                        Marco Fioretti

Chain input (policy DENY):
target     prot opt     source               destination           ports
?? ACCEPT  all  ------  anywhere             anywhere              n/a
?? ACCEPT  all  ------  192.168.1.0/24       anywhere              n/a
DENY       all  ----l-  my_dialup_ip         anywhere              n/a
DENY       tcp  -y--l-  anywhere             anywhere              any -> nfs
DENY       tcp  -y--l-  anywhere             anywhere              any -> x11:6063
DENY       tcp  -y--l-  anywhere             anywhere              any -> socks
DENY       udp  ----l-  anywhere             anywhere              any -> nfs
DENY       udp  ----l-  anywhere             anywhere              32769:65535 -> traceroute:33523
?? ACCEPT  tcp  !y----  anywhere             my_dialup_ip          any -> any
ACCEPT     udp  ------  dns.wind.it          my_dialup_ip          domain -> 1024:65535
ACCEPT     tcp  ------  mail.inwind.it       my_dialup_ip          smtp -> any
REJECT     tcp  ------  anywhere             my_dialup_ip          1024:65535 -> auth
ACCEPT     tcp  ------  anywhere             my_dialup_ip          ftp-data -> 1024:65535
?? ACCEPT  udp  ------  anywhere             my_dialup_ip          1024:65535 -> 6970:6999
ACCEPT     udp  ------  cesium.clock.org     my_dialup_ip          ntp -> 1024:65535
ACCEPT     icmp ------  anywhere             my_dialup_ip          destination-unreachable
ACCEPT     icmp ------  anywhere             my_dialup_ip          source-quench
ACCEPT     icmp ------  anywhere             my_dialup_ip          parameter-problem
ACCEPT     icmp ------  192.168.1.2          my_dialup_ip          echo-request
DENY       tcp  ----l-  anywhere             anywhere              any -> any
DENY       udp  ----l-  anywhere             anywhere              any -> 0:1023
DENY       udp  ----l-  anywhere             anywhere              any -> 1024:65535
DENY       icmp ----l-  anywhere             anywhere              redirect
DENY       icmp ----l-  anywhere             anywhere              13:255 -> any
Chain forward (policy DENY):
target     prot opt     source               destination           ports
MASQ       all  ------  192.168.1.0/24       anywhere              n/a
Chain output (policy REJECT):
target     prot opt     source               destination           ports
?? ACCEPT  all  ------  anywhere             anywhere              n/a
?? ACCEPT  all  ------  anywhere             192.168.1.0/24        n/a
REJECT     tcp  -y----  anywhere             anywhere              any -> nfs
REJECT     tcp  -y----  anywhere             anywhere              any -> x11:6063
REJECT     tcp  -y----  anywhere             anywhere              any -> socks
DENY       udp  ----l-  anywhere             anywhere              32769:65535 -> traceroute:33523
ACCEPT     udp  ------  my_dialup_ip         dns.wind.it           1024:65535 -> domain
ACCEPT     tcp  ------  my_dialup_ip         dns.wind.it           1024:65535 -> domain
ACCEPT     tcp  ------  my_dialup_ip         anywhere              1024:65535 -> http
ACCEPT     tcp  ------  my_dialup_ip         anywhere              1024:65535 -> https
ACCEPT     tcp  ------  my_dialup_ip         news.inwind.it        1024:65535 -> nntp
ACCEPT     tcp  ------  my_dialup_ip         popmail.inwind.it     1024:65535 -> pop3
ACCEPT     tcp  ------  my_dialup_ip         mail.inwind.it        any -> smtp
ACCEPT     tcp  ------  my_dialup_ip         anywhere              1022:65535 -> ssh
?? ACCEPT  tcp  ------  my_dialup_ip         anywhere              smtp -> telnet
?? ACCEPT  tcp  ------  my_dialup_ip         anywhere              1024:65535 -> auth
?? ACCEPT  tcp  ------  my_dialup_ip         anywhere              1024:65535 -> nicname
ACCEPT     tcp  ------  my_dialup_ip         anywhere              1024:65535 -> ftp
ACCEPT     tcp  !y----  my_dialup_ip         anywhere              1024:65535 -> ftp-data
ACCEPT     tcp  ------  my_dialup_ip         anywhere              1024:65535 -> 1024:65535
?? ACCEPT  tcp  ------  my_dialup_ip         anywhere              1024:65535 -> rtsp
?? ACCEPT  tcp  ------  my_dialup_ip         anywhere              1024:65535 -> 7070:7071
?? ACCEPT  udp  ------  my_dialup_ip         anywhere              6970:6999 -> 1024:65535
ACCEPT     udp  ------  my_dialup_ip         cesium.clock.org      1024:65535 -> ntp
ACCEPT     icmp ------  my_dialup_ip         192.168.1.2           echo-reply
ACCEPT     icmp ------  my_dialup_ip         anywhere              fragmentation-needed
ACCEPT     icmp ------  my_dialup_ip         anywhere              source-quench
ACCEPT     icmp ------  my_dialup_ip         anywhere              parameter-problem
ACCEPT     icmp ------  my_dialup_ip         192.168.1.2           time-exceeded
REJECT     all  ----l-  anywhere             anywhere              n/a


-- 
Don't you wish you had more energy... or less ambition?

firewall.sh.bz2

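An added example, not part of Marco's post nor of the Red Hat firewall script: a small Python parser for the ipchains-save format quoted above (the /etc/sysconfig/ipchains file) that renders each rule the way `ipchains -L` prints it. The point it demonstrates is that `ipchains -L` without `-v` has no interface column, so a rule such as `-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT` lists as `ACCEPT all ------ anywhere anywhere n/a`, indistinguishable from an unconditional accept; `ipchains -L -v` adds the ifname column and makes the restriction visible. The sample rule file is the one from the post plus one constructed line with port specs and an inverted `-y`, to exercise the parser; the layout of the `opt` column is reproduced from the listing in the post (`-y--l-`, `!y----`) and is an approximation of the real one.

```python
# Parse ipchains-save rules and show why interface-only ACCEPTs look
# unconditional in plain `ipchains -L`. Added example, not from the post.
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the /etc/sysconfig/ipchains quoted in the post, plus a
# hypothetical last line with ports and "! -y" to exercise the parser.
SAMPLE_RULES = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -i eth0 -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT
-A input -s 0/0 1024:65535 -d 0/0 auth -p tcp ! -y -j ACCEPT
"""

ANY = ("0/0", "0.0.0.0/0")


@dataclass
class Rule:
    chain: str
    target: str = ""
    proto: str = "all"
    src: str = "0/0"
    sport: Optional[str] = None
    dst: str = "0/0"
    dport: Optional[str] = None
    iface: Optional[str] = None      # -i: only shown by ipchains -L -v
    syn: bool = False                # -y: match only TCP SYN (connection setup)
    syn_inverted: bool = False       # ! -y: match everything except SYN
    log: bool = False                # -l: log the packet


def parse_ipchains_save(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (chain policies, rules) from ipchains-save style text."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":"):                 # ":chain POLICY"
            chain, policy = line[1:].split()
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":                      # only append rules handled
            continue
        rule, i, inverted = Rule(chain=toks[1]), 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":                         # applies to the next option
                inverted, i = True, i + 1
                continue
            if t in ("-s", "-d"):
                addr, port = toks[i + 1], None
                # ipchains puts the port spec after the address: "-s 0/0 1024:65535"
                if i + 2 < len(toks) and not toks[i + 2].startswith(("-", "!")):
                    port, i = toks[i + 2], i + 1
                if t == "-s":
                    rule.src, rule.sport = addr, port
                else:
                    rule.dst, rule.dport = addr, port
                i += 2
            elif t in ("-i", "-p", "-j"):
                setattr(rule, {"-i": "iface", "-p": "proto", "-j": "target"}[t], toks[i + 1])
                i += 2
            elif t == "-y":
                rule.syn, rule.syn_inverted, i = not inverted, inverted, i + 1
            elif t == "-l":
                rule.log, i = True, i + 1
            else:
                i += 1                           # unknown option: skip it
            inverted = False
        rules.append(rule)
    return policies, rules


def opt_flags(rule: Rule) -> str:
    """Approximate the 6-char 'opt' column: '!'=inverted, 'y'=SYN, 'l'=log."""
    flags = list("------")
    if rule.syn or rule.syn_inverted:
        flags[1] = "y"
    if rule.syn_inverted:
        flags[0] = "!"
    if rule.log:
        flags[4] = "l"
    return "".join(flags)


def render_listing(rule: Rule, verbose: bool = False) -> str:
    """One line as `ipchains -L` prints it; verbose adds the ifname column ('*' = unbound here)."""
    host = lambda a: "anywhere" if a in ANY else a
    ports = "n/a" if rule.proto == "all" else f"{rule.sport or 'any'} -> {rule.dport or 'any'}"
    cols = [rule.target, rule.proto, opt_flags(rule)]
    if verbose:
        cols.append(rule.iface or "*")
    return "  ".join(cols + [host(rule.src), host(rule.dst), ports])


def find_hidden_interface_accepts(rules: List[Rule]) -> List[Rule]:
    """ACCEPT-all rules whose only restriction is -i: they print as
    'ACCEPT all anywhere anywhere' in plain `ipchains -L`."""
    return [r for r in rules if r.target == "ACCEPT" and r.proto == "all"
            and r.src in ANY and r.dst in ANY and r.iface is not None]


if __name__ == "__main__":
    policies, rules = parse_ipchains_save(SAMPLE_RULES)
    for r in rules:
        print(f"-L   : {render_listing(r)}")
        print(f"-L -v: {render_listing(r, verbose=True)}")
    for r in find_hidden_interface_accepts(rules):
        print(f"{r.chain}: ACCEPT bound only to -i {r.iface}; hidden without -v")
```

Running it against the post's own file shows the two `-i lo` / `-i eth0` lines rendering identically to an accept-everything rule, which is what `ipchains -L -v` (or reading the rule file itself) disambiguates.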