Re: [cobalt-users] RaQ3 ipchains install help
- Subject: Re: [cobalt-users] RaQ3 ipchains install help
- From: "Rodolfo J. Paiz" <rpaiz@xxxxxxxxxxxxxx>
- Date: Mon Apr 23 14:00:35 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 4/22/01 09:47 AM +0200, you wrote:
> There has been talk about a script that was posted to this list some time
> ago; probably be4 I entered the list.
It was posted; by Mike Vanecek I think. I'd repost it with credits, but I
was using LookOut at the time, and my PST got corrupted, and I'm on Eudora
now, and well... I can't get to it right now. <wry grin> Mebbe later.
Still, it's there. Search for Mike, and Rodolfo, and ipchains, and whatever
else comes to mind. Probably not later than 12/2000; I'd try the search
myself but it's 0200h and I'm offline and I'm writing my own script at the
moment (I'll post it when I'm done). The script posted looked complete and
was well-commented so it's worth finding.
I think I've got it pretty much down, but the only thing I can't really do
is figure out how to make it easily apply to several IP addresses on the same
box. At this point, my kludge is to have separate copies of my ruleset for
each IP address, and specifically allow services (or not) per address. Yuck,
but it'll work for a while 'til I catch on.
> While on the subject, a question: is there any specific (Cobalt) reason why
> one should open up high, unprivileged (did I just spell that correctly? ;-P)
> ports (1024-65535) by default?
They do not need to be open as far as your *server* is concerned. However,
insofar as your machine sometimes acts as a client (HTTP redirects maybe,
and DNS queries) the answers to those queries will come in on those high
ports. If I'm not mistaken (which I probably am), the ipchains rules might
(MIGHT) look like:
    /sbin/ipchains -A input -p tcp ! -y -d $LOCAL_IP 1024:65535 -j ACCEPT
The idea is that the "! -y" says that only those packets NOT of type Y
(SYN) are allowed. Since SYN packets are those that initiate connections,
you are in effect allowing in only those packets that answer questions but
do not ask them.
For God's sake check my syntax and that rule very carefully before you
apply it.
> It's hard not to be paranoid when everyone's out to get you!!
It's good to be paranoid when everyone's out to get you! :-)
Just because you're paranoid doesn't mean they're not out to get you. <grin>
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx
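The two points raised in the message above (one ruleset applied to several local IP addresses, and the "! -y" high-port rule that lets replies in without letting new connections in) as an added example; this is not the script from the list, nor Rodolfo's. It only prints the ipchains commands so the set can be reviewed before it is applied, and the addresses and service ports are constructed sample values; it also adds a UDP rule for DNS answers, which the message mentions but whose rule it does not show.

```shell
#!/bin/sh
# Added example: generate an ipchains ruleset for several local addresses
# from one loop instead of keeping a copy of the rules per address.
# Nothing here runs ipchains; emit() prints each command for review.

IPCHAINS=/sbin/ipchains
# Constructed sample values: address:comma-separated TCP ports served there.
HOSTS="192.0.2.10:22,80,443 192.0.2.11:80"

# Print the command instead of executing it.
emit() { echo "$IPCHAINS $*"; }

# rules_for_ip ADDR PORTS: per-address rules, evaluated in order (first match wins).
rules_for_ip() {
    addr=$1
    ports=$2
    # Services offered on this address: new connections (SYN) are accepted.
    for p in $(echo "$ports" | tr ',' ' '); do
        emit -A input -p tcp -d "$addr" "$p" -j ACCEPT
    done
    # Answers to connections this box opened as a client (DNS over TCP,
    # outbound HTTP) arrive on high ports; "! -y" admits only non-SYN packets,
    # so these ports still cannot be used to open a connection to the box.
    emit -A input -p tcp ! -y -d "$addr" 1024:65535 -j ACCEPT
    # DNS answers usually come back over UDP from port 53 to a high port.
    emit -A input -p udp -s 0/0 53 -d "$addr" 1024:65535 -j ACCEPT
}

# Whole ruleset: deny by default, keep loopback, then one block per address,
# and log whatever falls through.
build_ruleset() {
    emit -F input
    emit -P input DENY
    emit -A input -i lo -j ACCEPT
    for entry in $HOSTS; do
        rules_for_ip "${entry%%:*}" "${entry#*:}"
    done
    emit -A input -j DENY -l
}

build_ruleset
```

Pipe the output into sh only after reading it; the rules in the loop are the same for every address, so adding a host means adding one entry to HOSTS.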