[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-users] Firewall/IPChains Rules -- WAS: ipchains/locked out
- Subject: [cobalt-users] Firewall/IPChains Rules -- WAS: ipchains/locked out
- From: "Craig Napier" <craignapier@xxxxxxxxxxx>
- Date: Fri Mar 2 21:53:32 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
You need to open 22 and 81. If your ipchains generally has a DENY policy
with individual rules that open each port, you need to copy the rules for,
say, port 25 and port 22 and 81 and that should work. These will be in the
input chain, maybe some in the output chain.
I'm trying to figure this out myself at the moment, so that's all I can
tell you.
I'll share my ruleset for my RaQ3 systems that I just recently installed. It
took me almost two weeks of picking apart each and EVERY rule along with the
help of 1-2 others from this list - and it's fairly tight.
We used the firewall design tool located at
http://www.linux-firewall-tools.com/linux/firewall/index.html to get the
initial rule base, but it's taken some tweaking to make it work with our
systems. Mainly we believe the biggest problem is the use of "virtual"
ethernet's on the RaQ3?s, which kind of kills the firewall (locks up the
machine) since it's setup for only one ethernet (eth0). The Cobalt?s setup
each virtual site on the box with eth0:0, eth0:1, eth0:2 etc., which contain
their respective IP's (which also differ from the main system IP) in
/etc/sysconfig/network-scripts/. See the prior post from David Dean
(Firewalls and virtual ethernet interfaces WAS: Firewall/IPChains w/ IPADDR
Rule) regarding this same issue, we've been communicating on this project.
If you generate your own script and list the main IP of the box as you're
instructed, you'll lock-up the box (because of the configs above). Easy fix
is just to config the firewall as "any/0" which will simply protect the
entire box and all it's IP's..
Here's our current ruleset - but you *might* want to watch (and possibly
comment out) some of the logging rules at the bottom depending on your
system. Depending on your NOC and their networks, if you get a lot of
"background" noise, you may fill-up your logs REAL quick.. Also, the
"spoofing" rule is blocked by default as sometimes it'll hang certain
systems, but you can test and enable if it doesn?t give you any problems. As
always, use at your own risk and be careful not to lock yourself out of the
box (been there, done that more times than I can count while testing
these)... ;-)
Telnet and WHOIS is commented out. This also disables PINGS and TRACES to
your system.
Install in /etc/rc.d as rc.firewall (/etc/rc.d/rc.firewall) then chmod the
sucker as:
-rwxr-xr-- 1 root root rc.firewall
You could also place a startup line at the bottom of your rc.local file as:
# Let's start our firewall
sh /etc/rc.d/rc.firewall
--BUT-- I'd recommend first testing it several times before doing so because
if there's problems and the script loads on boot - YOU'RE SCREWED!
Also watch the line wraps, you might just want to gen your own from the tool
and use this one as a mock example for the rules --
Good Luck! Hope it helps someone!
Craig
#!/bin/sh
# Script generated Fri Mar 2 05:15:12 2001
#
----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
#
----------------------------------------------------------------------------
# /etc/rc.d/rc.firewall
# Invoked from /etc/rc.d/rc.local.
echo "Starting firewalling... "
#
----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
IPADDR="any/0" # your IP address
ANYWHERE="any/0" # match any IP address
NAMESERVER_1="any/0" # everyone must have at least one
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
#
----------------------------------------------------------------------------
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063" # (TCP) X windows
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
#
----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
ipchains -F
# Set the default policy of the filter to deny.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY
#
----------------------------------------------------------------------------
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
#
----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
#
----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
# rules to block from any access.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi
#
----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
#
# # Refuse incoming packets pretending to be from the external address.
# ipchains -A input -s $IPADDR -j DENY -l
#
# Refuse incoming packets claiming to be from a Class A, B or C private
network
ipchains -A input -s $CLASS_A -j DENY
ipchains -A input -s $CLASS_B -j DENY
ipchains -A input -s $CLASS_C -j DENY
# Refuse broadcast address SOURCE packets
ipchains -A input -s $BROADCAST_DEST -j DENY
ipchains -A input -d $BROADCAST_SRC -j DENY
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
ipchains -A input -s $CLASS_D_MULTICAST -j DENY
# Refuse Class E reserved IP addresses
ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included.
# Filtering them causes problems as reserved blocks are
# being allocated more often now.
# Note: this list includes the loopback, multicast, & reserved
addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
ipchains -A input -s 0.0.0.0/8 -j DENY -l
ipchains -A input -s 127.0.0.0/8 -j DENY -l
ipchains -A input -s 169.254.0.0/16 -j DENY -l
ipchains -A input -s 192.0.2.0/24 -j DENY -l
ipchains -A input -s 224.0.0.0/3 -j DENY -l
#
----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers vary by
# supplier. Using them is less error prone and more meaningful,
though.
#
----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# NFS: establishing a TCP connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $NFS_PORT -j REJECT
# openwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $OPENWINDOWS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $OPENWINDOWS_PORT -j REJECT
# Xwindows: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $XWINDOW_PORTS -j REJECT
# SOCKS: establishing a connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
--destination-port $SOCKS_PORT -j REJECT
#
----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DENY -l
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DENY -l
# DNS server (53)
# ---------------
# DNS: full server
# ----------------
# server/client to server query or response
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port $UNPRIVPORTS \
-d $IPADDR 53 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 53 \
--destination-port 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--source-port 53 \
-d $IPADDR 53 -j ACCEPT
# DNS client (53)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTP server (80)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
--destination-port $UNPRIVPORTS -j ACCEPT
# HTTP client (80)
# ----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ADMIN server (81)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 81 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 81 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# HTTPS server (443)
# ------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 443 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 443 \
--destination-port $UNPRIVPORTS -j ACCEPT
# HTTPS client (443)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 110 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 25 \
--destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $SSH_REMOTE_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
--destination-port $SSH_REMOTE_PORTS -j ACCEPT
# SSH client (22)
# ---------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_LOCAL_PORTS \
--destination-port 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 22 \
-d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT
# # ------------------------------------------------------------------
#
# # TELNET server (23)
# # ------------------
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
# --source-port $UNPRIVPORTS \
# -d $IPADDR 23 -j ACCEPT
#
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
# -s $IPADDR 23 \
# --destination-port $UNPRIVPORTS -j ACCEPT
#
# ------------------------------------------------------------------
# AUTH server (113)
# -----------------
# Accept incoming connections to identd but disable in.identd in
inetd.conf.
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 113 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 113 \
--destination-port $UNPRIVPORTS -j ACCEPT
# AUTH client (113)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 113 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 113 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# # ------------------------------------------------------------------
#
# # WHOIS client (43)
# # -----------------
# ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
# -s $IPADDR $UNPRIVPORTS \
# --destination-port 43 -j ACCEPT
#
# ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
# --source-port 43 \
# -d $IPADDR $UNPRIVPORTS -j ACCEPT
#
# ------------------------------------------------------------------
# FTP server (21)
# ---------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR 21 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 21 \
--destination-port $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 20 \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port $UNPRIVPORTS \
-d $IPADDR 20 -j ACCEPT
# PASSIVE MODE data channel responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
# FTP client (21)
# ---------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# PORT mode data channel
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--source-port 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
--destination-port 20 -j ACCEPT
# PASSIVE mode data channel creation
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
--source-port $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
#
----------------------------------------------------------------------------
# ICMP
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed,
etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type echo-reply \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type destination-unreachable \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type source-quench \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type time-exceeded \
-d $IPADDR -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type parameter-problem \
-d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR source-quench -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR echo-request -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR parameter-problem -j ACCEPT
#
----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 0:19 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 24 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 26:78 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 81:109 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 112 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 114:136 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 140:142 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 144:442 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
--destination-port 444:1023 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 0:110 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 112:160 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 163:634 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port 636:1023 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
--destination-port $UNPRIVPORTS -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 5 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
--icmp-type 13:255 -j DENY -l
ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l
#
----------------------------------------------------------------------------
echo "done"
exit 0
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com