RE: [suse-security] *WANTED: ipchains guru*
Guess I should have made that a little clearer ;). I am wanting to figure this out from scratch. I am trying to break out of the *Windows Only* frame that I am in concerning security that I recommend to clients. Right now, I recommend Raptor, Firewall-1, or MS Proxy depending upon the situation. Being able to configure ipchains from scratch would be a great solution for clients on a limited budget.

Thanks for the reply though!

CK

-----Original Message-----
From: robert@texas.net [mailto:robert@texas.net]On Behalf Of Robert C. Paulsen, Jr.
Sent: Tuesday, March 14, 2000 8:04 PM
To: KULISHdotCOM
Subject: Re: [suse-security] *WANTED: ipchains guru*

KULISHdotCOM wrote:
Looking for someone to take a look at my ipchains script. I don't want to post it on the list as it is kind of long. A little background is in order.
I want to set up an ipchains firewall to do the following:
Deny everything that is not explicitly allowed.
I have a server sitting behind it that will host pop3, smtp, www, and ftp so I will need to forward all these ports.
I want to allow everyone on the local network to ANYTHING out on the internet.
I want to log any denials and protect against IP spoofing (and anything else that might be dangerous).
If anyone is willing to help, I will send them my annotated script to take a look at. I do realize that some things are missing (probably the stuff I need help on).
I have read all the HOW-TOs that I can find but something isn't clicking.
I would start here:

ftp://ftp.suse.com/pub/suse/i386/update/6.3/sec1/firewals.rpm

It will take a little thought and work to get it set up, but not as much as trying to do the whole thing yourself.

--
____________________________________________________________________
Robert Paulsen

If my return address contains "ZAP." please remove it. Sorry for the inconvenience but the unsolicited email is getting out of control.

* KULISHdotCOM wrote on Tue, Mar 14, 2000 at 20:11 -0600:
Guess I should have made that a little clearer ;).
Guess you're right ;) Well, I'm not an ipchains guru or so, but I'll try to answer anyway...
I am wanting to figure this out from scratch.
Yepp, that's not a bad way...
I recommend [...] MS Proxy depending upon the situation.
BTW: Have you ever seen such a situation ?? :) SCNR.
Being able to configure ipchains from scratch would be a great solution for clients on a limited budget.
Well, so just do it :) ipchains should come with a man page describing the syntax you have to use.

You want to reject/deny everything not explicitly allowed, so you would set up your default policy as reject/deny (ipchains -P). If you start with flushed chains (ipchains -F), you need to append your rules only (ipchains -A .... -j ACCEPT). Finally you want to log all rejected packets. So you append a log rule at last (i.e. ipchains -A -l -j REJECT).

If you have problems that are more specific, or some error messages or so, you would get more information here I think ;)

I don't know anything about the SuSE Scripts (once upon a time I took a look and could understand it just in time - so it was not my choice for security).

oki,
Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.

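The layout described in the message above (default policy, flushed chains, appended ACCEPT rules, a logging rule last), as an added example that is not part of any post in this thread. Interface names, the LAN range and the port numbers are assumptions, and by default the script only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: interface names, addresses and ports below are assumptions.
IPCHAINS="${IPCHAINS:-echo ipchains}"  # dry run by default: print, don't apply
EXT_IF="eth0"                # assumed Internet-facing interface
LAN_IF="eth1"                # assumed internal interface
LAN_NET="192.168.1.0/24"     # assumed internal network
SERVICE_PORTS="21 25 80 110" # ftp (control), smtp, www, pop3

build_ruleset() {
    # Policy first, flush second: the chains are never empty while the
    # default is still ACCEPT.
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT   # assumption: the firewall host itself is trusted
    for chain in input forward output; do
        $IPCHAINS -F "$chain"
    done

    # Anti-spoofing: internal or loopback source addresses must never
    # arrive on the external interface. Log and drop them.
    $IPCHAINS -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY
    $IPCHAINS -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY

    # Local traffic and anything the LAN sends outwards.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # In the forward chain -i names the outgoing interface.
    $IPCHAINS -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ

    # ipchains keeps no connection state: let TCP replies (no SYN bit) back
    # in. UDP replies such as DNS would need their own rule.
    $IPCHAINS -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Explicitly allowed inbound services. Passing them on to the server
    # behind the firewall is a separate step that is not shown here.
    for port in $SERVICE_PORTS; do
        $IPCHAINS -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 "$port" -j ACCEPT
    done

    # Last rule in each filtered chain: log whatever was not accepted.
    $IPCHAINS -A input -l -j DENY
    $IPCHAINS -A forward -l -j DENY
}

build_ruleset
```
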
fmmarzoa@vivaldi:~ > rpm -ql ipchains | grep ps
/usr/doc/packages/ipchains/ipchains-quickref.ps
fmmarzoa@vivaldi:~ >

Try that document too, it was *a lot* of use to me (I didn't need more information).

Steffen Dettmer wrote:
* KULISHdotCOM wrote on Tue, Mar 14, 2000 at 20:11 -0600:
Guess I should have made that a little clearer ;).
Guess you're right ;) Well, I'm not an ipchains guru or so, but I'll try to answer anyway...
I am wanting to figure this out from scratch.
Yepp, that's not a bad way...
I recommend [...] MS Proxy depending upon the situation.
BTW: Have you ever seen such a situation ?? :) SCNR.
Being able to configure ipchains from scratch would be a great solution for clients on a limited budget.
Well, so just do it :) ipchains should come with a man page describing the syntax you have to use. You want to reject/deny everything not explicitly allowed, so you would set up your default policy as reject/deny (ipchains -P). If you start with flushed chains (ipchains -F), you need to append your rules only (ipchains -A .... -j ACCEPT). Finally you want to log all rejected packets. So you append a log rule at last (i.e. ipchains -A -l -j REJECT). If you have problems that are more specific, or some error messages or so, you would get more information here I think ;)
I don't know anything about the SuSE Scripts (once upon a time I took a look and could understand it just in time - so it was not my choice for security).
oki,
Steffen
-- This message was generated by machine and therefore bears neither signature nor seal.
--
Francisco M. Marzoa Alonso
Nuevo Mundo - Dpto. Informático    ICQ#: 62850923
Henri Dunant, 19 - 28036 Madrid    tfno: +34 91 343 18 40 ext. 207
España / Spain                     fax: +34 91 350 28 45

participants (3)
- Francisco M. Marzoa Alonso
- KULISHdotCOM
- Steffen Dettmer