Arjen de Korte
2004-03-22 20:22:00

>>> On Monday 22 March 2004 09:05, Wilfred van Velzen wrote:
>>> Our policy is to let anything go out. ;-)
>
> That's not a policy. That's unrestricted access by default and trying to plug all the holes you leave open. Rest assured, your users will find ways around your blockade in no time (there are plenty of forwarders available). In time you'll find that closing everything by default and opening what's allowed is far easier (and more secure) to administrate.

This blockage was just to prevent accidental virus contaminations from bothering the outside internet, not to prevent users from doing certain things.

>>> I changed this to:
>>>
>>> iptables -A forward_int -s 192.168.0.1 -p tcp --dport 25 -j ACCEPT
>>> iptables -A forward_int -p tcp --dport 25 -j REJECT
>>>
>>> Because our email server needs to be able to go through!
>
> Since you have left everything wide open, you could put all of this in one line:
>
> iptables -A forward_int -s ! 192.168.0.1/32 -p tcp --dport 25 -j DROP

Ok. Do I need to specify the interface here? Or won't this prevent smtp connections from the outside from reaching the mailserver on the inside?

> It is almost always better to DROP connections than to REJECT them. Since the SuSEfirewall2 scripts provide a pretty CPU intensive set of rules by default, it makes sense to keep your own additions as limited as possible.

On the outside sure, but on the inside of a firewall? I want to keep the machines on the inside running as fast as possible. Dropping might slow them down a bit...

Met vriendelijke groet / Best regards,

Wilfred van Velzen

-- 
SERCOM Regeltechniek b.v.
Heereweg 9
2161 AB Lisse
Nederland
+31 (0)252 416530 (voice)
+31 (0)252 419481 (fax)
http://www.sercom.nl/

The METAALUNIEVOORWAARDEN (Metaalunie terms and conditions), as filed with the Registry of the District Court in Rotterdam in the text most recently deposited there, apply to all our quotations, to all orders placed with us and to all agreements concluded with us. The terms of delivery will be sent to you on request.
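A worked version of the rules being discussed, added here as an example and not code from either poster. It assumes the LAN sits on eth1 and the Internet on eth0; the interface names and the IPT, LAN_IF, MAILSERVER and CHAIN variables are this example's own, while the forward_int chain and the 192.168.0.1 mail server come from the thread. Matching on the LAN-side interface with -i is what keeps the rules from ever touching SMTP that arrives from the Internet for the mail server, which is the question asked above: in the FORWARD path -i is the interface a packet came in on, so inbound mail enters on eth0 and skips all three rules. A rate-limited LOG rule in front of the block records which internal host tried to send mail directly, which is what you want when the goal is catching an infected machine rather than policing users. Nothing here runs iptables unless IPT is set, so the rules can be reviewed on any machine first.

```shell
#!/bin/sh
# Added example: SMTP egress control for a SuSEfirewall2-style gateway.
# Assumptions (not from the thread): LAN on eth1, Internet on eth0, rules
# appended to the forward_int chain the thread already uses.
# IPT defaults to "echo iptables" so the rules are only printed; run as
# root with IPT=/usr/sbin/iptables to load them for real.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
MAILSERVER="${MAILSERVER:-192.168.0.1}"
CHAIN="${CHAIN:-forward_int}"

# Emit the rule set. The argument selects what happens to SMTP from LAN
# hosts other than the mail server:
#   drop   - discard silently; the client waits out its TCP connect timeout
#   reject - answer with a TCP RST; the client fails immediately
smtp_egress_rules() {
    mode="${1:-reject}"
    # 1. Only the mail server may relay out. "-i $LAN_IF" restricts the
    #    match to packets entering from the LAN, so SMTP arriving from the
    #    Internet (on eth0, destined for the mail server) is never affected.
    $IPT -A "$CHAIN" -i "$LAN_IF" -s "$MAILSERVER" -p tcp --dport 25 -j ACCEPT
    # 2. Log a sample of everything else so an infected host can be found
    #    in the kernel log by its source address.
    $IPT -A "$CHAIN" -i "$LAN_IF" -p tcp --dport 25 -m limit --limit 5/min \
        -j LOG --log-prefix "SMTP-egress-blocked: "
    # 3. Block the rest.
    case "$mode" in
        drop)
            $IPT -A "$CHAIN" -i "$LAN_IF" -p tcp --dport 25 -j DROP ;;
        reject)
            $IPT -A "$CHAIN" -i "$LAN_IF" -p tcp --dport 25 \
                -j REJECT --reject-with tcp-reset ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1 ;;
    esac
}

# How many of the emitted rules match packets entering on a given
# interface. For the Internet-side interface the answer is zero, which is
# the check that inbound mail to the server is left alone.
rules_touching_interface() {
    smtp_egress_rules "$1" | grep -c -- "-i $2" || true
}

# Stand-alone use: print (or, with IPT set, load) the rule set.
smtp_egress_rules "${MODE:-reject}"
```

On the choice of target for traffic that originates on your own LAN: DROP makes a client that opens port 25 wait for its TCP connect timeout before it fails, whereas REJECT with tcp-reset makes it fail at once, so the reject form is the one that keeps a misconfigured or infected internal client from hanging; DROP remains the sensible default on the Internet-facing side, where you do not want to confirm that a host exists. One more note on the one-liner quoted above: the negation form -s ! 192.168.0.1/32 is what iptables accepted in 2004; current releases still accept it with a deprecation warning and write it as ! -s 192.168.0.1/32.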