
Re: [edlug] loading kernel modules



Hi,

Is there any chance you could set up your email to line-wrap at 72
lines, and to quote stuff you're replying to with the usual "> " at the
start of the lines?  It's hard to reply to your email when there's no
sign of what is the actual content of that mail, and what is just
quoted.

On Sun, 2003-01-12 at 23:11, Edmund Strangely wrote:

> iptables is running, but everything is set to accept. I have read the HOWTO and man iptables, and I think I should set policies on the INPUT chains to drop, which should mean that packets not explicitly accepted by the chain will be dropped, is that right?

Yep.  How you set it up is up to you, though.  Most firewalls will want
either a DROP policy, or to have the last active rule on the table be a
wildcard drop rule.  Neither way is inherently better than the other ---
for example, you might want the default policy to be to both drop the
packet and log it, and you can only achieve the logging by having an
explicit rule for that at the end of your firewall chain.

> I think I should also set the FORWARD policy to drop, as this is said to be the default in the HOWTO, but I don't really know what forwarding does. Any clues?

It's for packet forwarding, a.k.a. routing.  If you aren't routing
packets, that chain is ignored.  Packet forwarding is enabled by setting
/proc/net/ipv4/ip_forward to non-zero.  It defaults to zero.  On Red Hat
systems, you should change this by editing /etc/sysctl.conf.

> Is there a problem with setting OUTPUT to generally accept?

Depends on how paranoid you are!

> Then I'd need to set the INPUT rules that I want. I want to enable ssh, but nothing else, to connect to my machine from the internet, except possibly ping, but I think I can accept any connection from my LAN, does that seem reasonable? Could the first part be achieved by only allowing external connections to port 22, or is there a special way of telling what type of connection, i.e. ssh or something else, is being attempted?

No, you can't tell the protocol without first accepting the packets. 
However, if you are running sshd on port 22, then anybody attempting any
other sort of connection on that port is going to find themselves out of
luck. :)

> Also, do I need to know what udp and icmp are?

Yes.  You really should look into a firewall HOWTO about that, because
there are certain ICMPs that you really do need to let through the
firewall, at least for active connections.  ICMP packets describe
unexpected or error conditions, and they can describe problems on
particular TCP connections.  TCP won't run properly without those ICMP
messages, and if you block them, you won't see "host unreachable" and
similar errors properly, and "path MTU discovery" (a way of finding out
the best packet size when talking to a given host) won't work.

Cheers,
 Stephen

-----------------------------------------------------------------------
You can find the EdLUG mailing list FAQ list at:
http://www.edlug.org.uk/list_faq.html
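
Added example, not part of the original message: a shell function that emits an iptables-restore ruleset for the setup discussed in this thread (INPUT and FORWARD policy DROP, OUTPUT ACCEPT, ssh on port 22 from anywhere, everything from the LAN, ICMP for active connections plus ping, and a logging rule ahead of the final drop). The interface name eth1, the log prefix and the rate limit are assumptions chosen for illustration.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for the policy discussed in the thread.
# Assumption: the argument is the LAN-facing interface (eth1 is a made-up default).
emit_rules() {
    lan_if="$1"
    # Refuse empty or odd interface names instead of emitting a broken rule.
    case "$lan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$lan_if'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# Default policies: drop inbound and forwarded traffic, allow outbound.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local traffic on the loopback interface.
-A INPUT -i lo -j ACCEPT
# Replies to our own connections. RELATED also covers the ICMP errors
# (host unreachable, fragmentation needed for path MTU discovery) that
# refer to an active connection.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything arriving on the LAN interface.
-A INPUT -i $lan_if -j ACCEPT
# New ssh connections from anywhere.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Ping.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# A chain policy cannot log, so log (rate-limited) in an explicit rule,
# then drop explicitly as the last rule of the chain.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Print the ruleset for the interface given as the first argument.
emit_rules "${1:-eth1}"
```

Review the printed rules first; to load them, pipe the script's output into `iptables-restore` as root.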


