-N accepted
-A accepted -j ACCEPT
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
Why not write
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j ACCEPT ?
I only use this while debugging so that I can quickly add the -l flag to all rules that are being accepted, or do whatever else I wish to all the denied packets, and so on. It's mere convenience.
I see. Good idea.
Well, but I can't see a simple way to close it while basically keeping the firewall as transparent as possible from the inside... My family is not much in favour of not being able to use a simple modem like everyone else, but having to use the LAN to get email, surf, ICQ, and all the other jingle sheit. So the last thing they want is a firewall that tells them that they cannot use FTP...
My solution: (This is why I love Squid.) Policy is set to forward=deny (seeing it now, I could also set input = deny. But output = deny would be a mistake). These are my proxy rules for www, ftp and ssl:

    ipchains -A input -p tcp -s 10.0.0.0/24 1024:5000 -d 10.0.0.191/32 8008 -i eth1 -j ACCEPT
    ipchains -A input -p tcp -s ! 10.0.0.0/24 -d 212.232.168.183/32 1024:5000 -i eth0 -j ACCEPT
    # This rule makes the music
    ipchains -A output -p tcp -s 10.0.0.191/32 8008 -d 10.0.0.0/24 1024:5000 -i eth1 -j ACCEPT

These below are my denial rules:

    # DENIALs
    ipchains -A input -i eth1 -j DENY -l
    ipchains -A output -i eth1 -j DENY -l
    ipchains -A input -i eth0 -j DENY -l
    # As well as this:
    eth0 = ext eth
    eth1 = int eth

Since this is the heart of my ipchains, you don't need the rest anymore, so I won't send it to you. The rest is uninteresting: DNS without a forward rule (because of bind), pop and smtp with a masqueraded forward rule, and icmp ping, pong and dest unreach. Also some Windows stuff like netbios and dhcp that is denied because I don't want to have my log full of senseless stuff. This config solved all my ftp problems. I can access all ftp servers that are also running in passive mode. There are very few ftp servers that are running in active mode only.
-A ii-out -j accepted
anything sent by the firewall to the local network.
-A ei-in -p 1 -j denied
Please allow at least ICMP dest unreach.
Done. Give me another week or two and I will send you the new code. I am meeting my Swiss (!) girlfriend for skiing tomorrow and won't be touching a computer for a week!
Ok.
-A ei-in -p 2 -j denied
Question to the group: Can IGMP be a security threat?
I don't know. This rule started out in my college network when I was so annoyed at our network admins misconfiguring expensive Cisco equipment to the point where there were IGMP broadcasts multiple times a second (at times), and in my revolutionary something I decided to deny them... Probably not much help. But then again, I am sure IGMP could be used somehow... maybe for DoS attacks...
I don't know. Post it as a question to the group. Answer may be interesting.
Where in Switzerland are you, btw?
Reinach, AG. Between Aarau and Luzern, 50 km west-south-west of Zurich. Philipp. PS: Are you somewhere in Bayern or Baden-Württemberg? You can't be far away if your girlfriend is Swiss.