TCLUG Archive

Re: [TCLUG:16582] Firewalls revisited...
I use a default policy of DENY on my input chain without any problems.  I
split my bits off into 4 chains.  eth0-in eth0-out eth1-in eth1-out.  I
sometimes split those off into other chains when I am filtering various
stuff for a particular computer on my LAN.

Tom Veldhouse
veldy@visi.com

----- Original Message -----
From: ^chewie <chewie@wookimus.net>
To: <tclug-list@mn-linux.org>
Sent: Monday, April 24, 2000 1:19 AM
Subject: [TCLUG:16582] Firewalls revisited...

A quick tip:

 DON'T set the default policy to DENY.
 (e.g. ipchains -P input DENY)

 Append a LAST rule in the input, output, and forward chains that DENY
 and log any missed packets instead...
 (e.g. ipchains -P input ACCEPT
  ipchains -A input            # Accounting rule (no target: counts, then continues)
  ipchains -A input ...        # Rules
  ipchains -A input -j DENY -l # Log anything you missed)

 I set up my firewalls the way that is illustrated in the
 IPChains-HOWTO, found at www.linuxdoc.org.  Good resource.  I'm not
 going to write any more about it because the HOWTO does a damned good
 job explaining things.

Have fun.
--
^chewie
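
As an added example that is not part of either post: a small Python model of how an ipchains chain is walked, showing why the "default ACCEPT, accounting rule, rules, final DENY -l" layout logs the packets a DENY default policy would silently drop, and what happens if the accounting rule is given a target. The Rule/Chain classes, the is_ssh helper and the packet dicts are constructed for illustration.

```python
# Added example, not from the original posts: a minimal model of walking an
# ipchains-style chain, showing why "policy ACCEPT, accounting rule, rules,
# final DENY -l" logs missed packets while a DENY default policy logs nothing.
# Packets are constructed dicts; helper names are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional

ACCEPT, DENY = "ACCEPT", "DENY"

@dataclass
class Rule:
    match: Callable[[dict], bool]
    target: Optional[str] = None  # None models no -j: count only, keep walking
    log: bool = False             # models -l
    count: int = 0                # per-rule packet counter

@dataclass
class Chain:
    policy: str                   # models ipchains -P <chain> <policy>
    rules: list = field(default_factory=list)
    logged: list = field(default_factory=list)

    def run(self, pkt: dict) -> str:
        """First matching rule with a target decides; otherwise the policy."""
        for rule in self.rules:
            if rule.match(pkt):
                rule.count += 1
                if rule.log:
                    self.logged.append(pkt)
                if rule.target is not None:
                    return rule.target
        return self.policy

def is_ssh(pkt: dict) -> bool:
    return pkt["proto"] == "tcp" and pkt["dport"] == 22

def build_input_chain(accounting_target: Optional[str] = None) -> Chain:
    """Layout from the post. accounting_target=None is a proper accounting
    rule (no -j); pass ACCEPT to see why '-j ACCEPT' there swallows everything."""
    chain = Chain(policy=ACCEPT)
    chain.rules.append(Rule(lambda p: True, accounting_target))  # accounting rule
    chain.rules.append(Rule(is_ssh, ACCEPT))                     # permitted service
    chain.rules.append(Rule(lambda p: True, DENY, log=True))     # log anything missed
    return chain

def evaluate(chain: Chain, packets: list) -> list:
    return [chain.run(p) for p in packets]
```

Running the same two packets through a chain built with `Chain(policy=DENY)` and no final rule gives the same verdicts but an empty `logged` list, which is the point of the post.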