Re: [cobalt-users] Firewall/IPChains Rules - UPDATED
- Subject: Re: [cobalt-users] Firewall/IPChains Rules - UPDATED
- From: "Dave" <dridel@xxxxxx>
- Date: Tue Apr 24 02:07:16 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
----- Original Message -----
From: "Craig Napier" <craignapier@xxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Saturday, March 03, 2001 7:42 AM
Subject: [cobalt-users] Firewall/IPChains Rules - UPDATED
> Update to previously posted firewall script. This one adds support for
> *client* side SMTP, which you may want if forms are to send out replies
> (e.g., thank you messages from submissions). :-)
>
> Craig
>
>
> #!/bin/sh
>
> # Script generated Fri Mar 2 05:15:12 2001
>
> # NOTE(review): as reproduced on the list, the mailer has wrapped several
> # long comment lines so that their tails (a bare "--", "purposes,",
> # "firewall", "relay.", "range", "private", "by", "(11)") sit on a line of
> # their own without a leading "#". Executed verbatim, those fragments are
> # run as commands; rejoin them to the comment above before installing.
>
>
> #
> --------------------------------------------------------------------------
--
> # Copyright (C) 1997, 1998, 1999, 2000 Robert L. Ziegler
> #
> # Permission to use, copy, modify, and distribute this software and its
> # documentation for educational, research, private and non-profit
purposes,
> # without fee, and without a written agreement is hereby granted.
> # This software is provided as an example and basis for individual
firewall
> # development. This software is provided without warranty.
> #
> # Any material furnished by Robert L. Ziegler is furnished on an
> # "as is" basis. He makes no warranties of any kind, either expressed
> # or implied as to any matter including, but not limited to, warranty
> # of fitness for a particular purpose, exclusivity or results obtained
> # from use of the material.
> #
> --------------------------------------------------------------------------
--
>
> # /etc/rc.d/rc.firewall
> # Invoked from /etc/rc.d/rc.local.
> #
> # Builds an ipchains packet filter for a single-homed host: the input,
> # output and forward chains default to refusing traffic and each service
> # in use is opened explicitly below. Writes /proc/sys/net and loads
> # ipchains rules, so it needs root. No "set -e": a failing step prints
> # an error and the remaining rules are still loaded.
>
> echo "Starting firewalling... "
>
> #
> --------------------------------------------------------------------------
--
> # Some definitions for easy maintenance.
> # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
>
> EXTERNAL_INTERFACE="eth0" # Internet connected interface
> LOOPBACK_INTERFACE="lo" # or your local naming convention
>
> IPADDR="any/0" # your IP address
> # NOTE(review): IPADDR, NAMESERVER_1 and SMTP_SERVER are all left at
> # "any/0", so every "-s $IPADDR" / "-d $IPADDR" below matches any address
> # and the DNS and SMTP *client* rules accept traffic to/from any host.
> # Filling in the real address, resolver and relay restores the per-peer
> # restriction the variable names imply.
>
> ANYWHERE="any/0" # match any IP address
>
> NAMESERVER_1="any/0" # everyone must have at least one
>
> SMTP_SERVER="any/0" # Your ISP mail gateway. Your
relay.
>
> LOOPBACK="127.0.0.0/8" # reserved loopback address range
> CLASS_A="10.0.0.0/8" # class A private networks
> CLASS_B="172.16.0.0/12" # class B private networks
> CLASS_C="192.168.0.0/16" # class C private networks
> CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
> CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
> BROADCAST_SRC="0.0.0.0" # broadcast source address
> BROADCAST_DEST="255.255.255.255" # broadcast destination address
> PRIVPORTS="0:1023" # well known, privileged port
range
> UNPRIVPORTS="1024:65535" # unprivileged port range
>
> #
> --------------------------------------------------------------------------
--
>
> NFS_PORT="2049" # (TCP/UDP) NFS
> SOCKS_PORT="1080" # (TCP) Socks
> OPENWINDOWS_PORT="2000" # (TCP) openwindows
>
> # X Windows port allocation begins at 6000 and increments to 6063
> # for each additional server running.
> XWINDOW_PORTS="6000:6063" # (TCP) X windows
>
> # The SSH client starts at 1023 and works down to 513 for each
> # additional simultaneous connection originating from a privileged port.
> # Clients can optionally be configured to use only unprivileged ports.
> SSH_LOCAL_PORTS="1022:65535" # port range for local clients
> SSH_REMOTE_PORTS="513:65535" # port range for remote clients
>
> # traceroute usually uses -S 32769:65535 -D 33434:33523
> TRACEROUTE_SRC_PORTS="32769:65535"
> TRACEROUTE_DEST_PORTS="33434:33523"
>
> #
> --------------------------------------------------------------------------
--
> # Default policy is DENY
> # Explicitly accept desired INCOMING & OUTGOING connections
>
> # Remove all existing rules belonging to this filter
> ipchains -F
>
> # Set the default policy of the filter to deny.
> # input and forward drop silently (DENY). output uses REJECT, which also
> # returns an ICMP error to the local sender, so a blocked outbound
> # connection fails immediately instead of timing out.
> ipchains -P input DENY
> ipchains -P output REJECT
> ipchains -P forward DENY
>
> #
> --------------------------------------------------------------------------
--
>
> # Enable TCP SYN Cookie Protection
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Enable always defragging Protection
> # NOTE(review): ip_always_defrag is a 2.2-era knob; on a kernel that
> # lacks the file this redirect only prints an error and the script goes on.
> echo 1 > /proc/sys/net/ipv4/ip_always_defrag
>
> # Enable broadcast echo Protection
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Enable bad error message Protection
> echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
>
> # Enable IP spoofing protection
> # turn on Source Address Verification
> # $f only ever holds a path from the fixed /proc glob, so leaving the
> # expansion unquoted in these loops is harmless.
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
>
> # Disable ICMP Redirect Acceptance
> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
>
> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
> echo 0 > $f
> done
>
> # Disable Source Routed Packets
> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
>
> # Log Spoofed Packets, Source Routed Packets, Redirect Packets
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 1 > $f
> done
>
>
> #
> --------------------------------------------------------------------------
--
> # LOOPBACK
>
> # Unlimited traffic on the loopback interface.
> # These come first, so none of the address or port filters below apply
> # to traffic on lo.
>
> ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
> ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
>
> #
> --------------------------------------------------------------------------
--
> # Network Ghouls
>
> # Deny access to jerks
> # --------------------
> # /etc/rc.d/rc.firewall.blocked contains a list of
> # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY
> # rules to block from any access.
>
> # Refuse any connection from problem sites
> # The blocklist is sourced, i.e. executed as shell with this script's
> # privileges, not parsed as data: keep it root-owned and writable by
> # nobody else.
> if [ -f /etc/rc.d/rc.firewall.blocked ]; then
> . /etc/rc.d/rc.firewall.blocked
> fi
>
> #
> --------------------------------------------------------------------------
--
> # SPOOFING & BAD ADDRESSES
> # Refuse spoofed packets.
> # Ignore blatantly illegal source addresses.
> # Protect yourself from sending to bad addresses.
> #
> # # Refuse incoming packets pretending to be from the external address.
> # NOTE(review): keep this disabled while IPADDR is "any/0" -- with that
> # value the rule would match every inbound packet.
> # ipchains -A input -s $IPADDR -j DENY -l
> #
> # Refuse incoming packets claiming to be from a Class A, B or C
private
> network
> # No "-i" here, so these apply on every interface; lo is unaffected only
> # because it was ACCEPTed above. A second internal interface using
> # RFC 1918 space would be cut off by these rules.
> ipchains -A input -s $CLASS_A -j DENY
> ipchains -A input -s $CLASS_B -j DENY
> ipchains -A input -s $CLASS_C -j DENY
>
> # Refuse broadcast address SOURCE packets
> ipchains -A input -s $BROADCAST_DEST -j DENY
> ipchains -A input -d $BROADCAST_SRC -j DENY
>
> # Refuse Class D multicast addresses
> # Multicast is illegal as a source address.
> # Multicast uses UDP.
> ipchains -A input -s $CLASS_D_MULTICAST -j DENY
>
> # Refuse Class E reserved IP addresses
> ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l
>
> # Refuse special addresses defined as reserved by the IANA.
> # Note: The remaining reserved addresses are not included.
> # Filtering them causes problems as reserved blocks are
> # being allocated more often now.
>
> # Note: this list includes the loopback, multicast, & reserved
> addresses.
>
> # 0.*.*.* - Can't be blocked for DHCP users.
> # 127.*.*.* - LoopBack
> # 169.254.*.* - Link Local Networks
> # 192.0.2.* - TEST-NET
> # 224-255.*.*.* - Classes D & E, plus unallocated.
>
> # NOTE(review): despite the comment above, 0.0.0.0/8 *is* denied below;
> # fine for a statically addressed server, revisit if this host uses DHCP.
> # ipchains is first-match: 224.0.0.0/4 and 240.0.0.0/5 were already
> # denied above (the former without -l), so the logged 224.0.0.0/3 rule
> # only ever sees 248.0.0.0/5. 127.0.0.0/8 here catches loopback sources
> # arriving on a real interface, since lo itself was accepted earlier.
> ipchains -A input -s 0.0.0.0/8 -j DENY -l
> ipchains -A input -s 127.0.0.0/8 -j DENY -l
> ipchains -A input -s 169.254.0.0/16 -j DENY -l
> ipchains -A input -s 192.0.2.0/24 -j DENY -l
> ipchains -A input -s 224.0.0.0/3 -j DENY -l
>
> #
> --------------------------------------------------------------------------
--
> # NOTE:
> # The symbolic names used in /etc/services for the port numbers vary
by
> # supplier. Using them is less error prone and more meaningful,
> though.
>
> #
> --------------------------------------------------------------------------
--
> # TCP UNPRIVILEGED PORTS
> # Avoid ports subject to protocol & system administration problems.
> # These SYN-only denies are placed before the broad FTP PASV accepts
> # further down, which is the only reason they still take effect.
>
> # NFS: establishing a TCP connection
> # "-y" restricts the match to connection-opening SYN segments.
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $NFS_PORT -j DENY -l
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $NFS_PORT -j REJECT
>
> # openwindows: establishing a connection
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $OPENWINDOWS_PORT -j DENY -l
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $OPENWINDOWS_PORT -j REJECT
>
>
> # Xwindows: establishing a connection
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $XWINDOW_PORTS -j DENY -l
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $XWINDOW_PORTS -j REJECT
>
> # SOCKS: establishing a connection
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $SOCKS_PORT -j DENY -l
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
> --destination-port $SOCKS_PORT -j REJECT
>
> #
> --------------------------------------------------------------------------
--
> # UDP UNPRIVILEGED PORTS
> # Avoid ports subject to protocol & system administration problems.
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --destination-port $NFS_PORT -j DENY -l
>
> # UDP INCOMING TRACEROUTE
> # traceroute usually uses -S 32769:65535 -D 33434:33523
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --source-port $TRACEROUTE_SRC_PORTS \
> --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l
>
>
> # DNS server (53)
> # ---------------
>
> # DNS: full server
> # ----------------
>
> # server/client to server query or response
> # Only UDP 53 is opened for serving; inbound TCP 53 (zone transfers,
> # large answers) is not accepted anywhere in this script.
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 53 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR 53 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR 53 \
> --destination-port 53 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --source-port 53 \
> -d $IPADDR 53 -j ACCEPT
>
>
> # DNS client (53)
> # ---------------
> # With NAMESERVER_1="any/0" these accept resolver traffic to/from any host.
> ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER_1 53 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> -s $NAMESERVER_1 53 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $NAMESERVER_1 53 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $NAMESERVER_1 53 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> # ------------------------------------------------------------------
>
> # HTTP server (80)
> # ----------------
> # Server pattern used throughout: the input rule has no "! -y" so new
> # connections are accepted; the reply rule has "! -y" so this host never
> # opens a connection *from* the service port.
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 80 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 80 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
>
> # HTTP client (80)
> # ----------------
> # Client pattern: outbound may open the connection, inbound replies are
> # limited to non-SYN segments with "! -y".
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 80 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 80 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>
> # ADMIN server (81)
> # ----------------
> # Presumably the appliance's web administration interface. There is no
> # "-s" restriction, so it is reachable from any source address; consider
> # limiting this rule to management addresses.
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 81 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 81 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
> # ------------------------------------------------------------------
>
> # HTTPS server (443)
> # ------------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 443 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 443 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
>
> # HTTPS client (443)
> # ------------------
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 443 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 443 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> # ------------------------------------------------------------------
>
> # POP server (110)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 110 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 110 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
> # ------------------------------------------------------------------
>
> # SMTP server (25)
> # ----------------
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 25 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 25 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
>
> # SMTP client (25)
> # ----------------
> # Outbound mail from local scripts -- the "client side SMTP" this
> # revision adds. With SMTP_SERVER="any/0" it permits SMTP to any host;
> # pinning it to the relay keeps a compromised form handler from mailing
> # out directly.
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> -d $SMTP_SERVER 25 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $SMTP_SERVER 25 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> # ------------------------------------------------------------------
>
> # SSH server (22)
> # ---------------
> # Source ports start at 513 (SSH_REMOTE_PORTS) rather than 1024 because
> # ssh clients may bind privileged ports, per the note at the top.
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $SSH_REMOTE_PORTS \
> -d $IPADDR 22 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 22 \
> --destination-port $SSH_REMOTE_PORTS -j ACCEPT
>
>
> # SSH client (22)
> # ---------------
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $SSH_LOCAL_PORTS \
> --destination-port 22 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 22 \
> -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT
>
> # # ------------------------------------------------------------------
> #
> # # TELNET server (23)
> # # ------------------
> # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> # --source-port $UNPRIVPORTS \
> # -d $IPADDR 23 -j ACCEPT
> #
> # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> # -s $IPADDR 23 \
> # --destination-port $UNPRIVPORTS -j ACCEPT
> #
> # ------------------------------------------------------------------
>
> # AUTH server (113)
> # -----------------
>
> # Accept incoming connections to identd but disable in.identd in
> inetd.conf.
> # (Letting the packet through to a closed port yields an immediate
> # refusal, so remote mail/IRC servers do not stall waiting on ident.)
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 113 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 113 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
>
> # AUTH client (113)
> # -----------------
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 113 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 113 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> # # ------------------------------------------------------------------
> #
> # # WHOIS client (43)
> # # -----------------
> # ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> # -s $IPADDR $UNPRIVPORTS \
> # --destination-port 43 -j ACCEPT
> #
> # ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> # --source-port 43 \
> # -d $IPADDR $UNPRIVPORTS -j ACCEPT
> #
> # ------------------------------------------------------------------
>
> # FTP server (21)
> # ---------------
>
> # incoming request
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 21 -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR 21 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
>
> # PORT MODE data channel responses
> # Active-mode data: this host opens the connection from port 20.
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR 20 \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port $UNPRIVPORTS \
> -d $IPADDR 20 -j ACCEPT
>
>
> # PASSIVE MODE data channel responses
> # NOTE(review): the input rule below has no "! -y", so it accepts *new*
> # TCP connections from any unprivileged source port to every unprivileged
> # port on this host -- not just FTP data channels. Only the SYN denies
> # placed earlier (NFS, openwindows, X, SOCKS) are excluded; any other
> # listener above 1023 is reachable from the Internet, and the log-and-deny
> # rules at the end never see that traffic. This is the broadest accept
> # in the script and the one worth tightening first.
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port $UNPRIVPORTS \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
>
> # FTP client (21)
> # ---------------
>
> # outgoing request
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 21 -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port 21 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
>
> # PORT mode data channel
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --source-port 20 \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port 20 -j ACCEPT
>
>
> # PASSIVE mode data channel creation
> # Outbound side of the same compromise: this host may open a connection
> # to any unprivileged port on any host; the reply rule is non-SYN only.
> ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
> -s $IPADDR $UNPRIVPORTS \
> --destination-port $UNPRIVPORTS -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
> --source-port $UNPRIVPORTS \
> -d $IPADDR $UNPRIVPORTS -j ACCEPT
>
> #
> --------------------------------------------------------------------------
--
> # ICMP
>
> # To prevent denial of service attacks based on ICMP bombs, filter
> # incoming Redirect (5) and outgoing Destination Unreachable (3).
> # Note, however, disabling Destination Unreachable (3) is not
> # advisable, as it is used to negotiate packet fragment size.
>
> # For bi-directional ping.
> # Message Types: Echo_Reply (0), Echo_Request (8)
> # To prevent attacks, limit the src addresses to your ISP range.
> #
> # For outgoing traceroute.
> # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded
(11)
> # default UDP base: 33434 to base+nhops-1
> #
> # For incoming traceroute.
> # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded
(11)
> # To block this, deny OUTGOING 3 and 11
>
> # 0: echo-reply (pong)
> # 3: destination-unreachable, port-unreachable, fragmentation-needed,
> etc.
> # 4: source-quench
> # 5: redirect
> # 8: echo-request (ping)
> # 11: time-exceeded
> # 12: parameter-problem
>
> # Inbound ICMP. No echo-request is accepted here and no echo-reply is
> # sent below, so this host does not answer pings from outside; outbound
> # ping (echo-request out, echo-reply in) still works.
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type echo-reply \
> -d $IPADDR -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type destination-unreachable \
> -d $IPADDR -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type source-quench \
> -d $IPADDR -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type time-exceeded \
> -d $IPADDR -j ACCEPT
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type parameter-problem \
> -d $IPADDR -j ACCEPT
>
>
> # Outbound ICMP. Of type 3 only fragmentation-needed is sent (path MTU
> # discovery, per the note above); other unreachables and time-exceeded
> # are withheld, which also keeps this host from answering inbound
> # traceroute. The ICMP type is given in the "port" position of -s.
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR fragmentation-needed -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR source-quench -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR echo-request -j ACCEPT
>
> ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
> -s $IPADDR parameter-problem -j ACCEPT
>
> #
> --------------------------------------------------------------------------
--
> # Enable logging for selected denied packets
> # Coverage: TCP logging is limited to the privileged ranges not opened
> # above, UDP logging covers privileged ranges plus all unprivileged
> # ports, ICMP logs redirects and types 13-255. Anything not matched by
> # these falls through to the input policy DENY without a log entry.
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 0:19 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 24 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 26:78 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 81:109 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 112 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 114:136 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 140:142 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 144:442 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
> --destination-port 444:1023 -j DENY -l
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --destination-port 0:110 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --destination-port 112:160 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --destination-port 163:634 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --destination-port 636:1023 -j DENY -l
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
> --destination-port $UNPRIVPORTS -j DENY -l
>
>
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type 5 -j DENY -l
> ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
> --icmp-type 13:255 -j DENY -l
>
> # Explicit catch-all on the output chain; same effect as the REJECT
> # policy set at the top, stated as a rule.
> ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT
>
> #
> --------------------------------------------------------------------------
--
>
> echo "done"
>
> exit 0
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com
>
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>