also sprach Philipp Snizek (on Tue, 26 Dec 2000 04:16:58PM +0100):
-N accepted
-A accepted -j ACCEPT
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
Why not write
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j ACCEPT ?
i only use this while debugging so that i can quickly add the -l flag to all rules that are being accepted, or do whatever else i wish to all the denied packets and so on. it's mere convenience.
-A ie-out -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-out -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
The output chains for ippp0 to the internet.
"ie" means internal to external, out means output, so yes.
-A ie-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
almost. these are packets coming from a local host with a destination on the internet. packets arriving at the firewall can either be for itself, or to be forwarded (ii-in and ie-in respectively).
-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
these are packets from the internet for the firewall or for the demasquerading process.
These are the input chains on your ext device (ippp0). Open like the gate of a barn for trojans. Here's a link: http://www.simovits.com/nyheter9902.html
well, but i can't see a simple way to close it while basically keeping the firewall as transparent as possible from the inside... my family is not much in favor of the fact that they cannot use a simple modem like everyone else but must use the LAN to get email, surf, icq, and all the other jingle sheit. so the last thing they want is a firewall that tells them that they cannot use ftp...
-A ii-out -j accepted
anything sent by the firewall to the local network.
-A ei-in -p 1 -j denied
Please allow at least icmp dest unreach.
done. give me another week or two and i will send you the new code. i am meeting my swiss (!) girlfriend for skiing tomorrow and won't be touching a computer for a week!
-A ei-in -p 2 -j denied
Question to the group: Can igmp be a security threat?
i don't know. this rule started out in my college network when i was so annoyed at our network admins for misconfiguring expensive cisco equipment to a point where there were igmp broadcasts multiple times a second (at times), and in my revolutionary something i decided to deny them... probably not much help. but then again, i am sure igmp could be used somehow... maybe for DoS attacks...
-A ii-in -b -d 0.0.0.0/0 67:68 -p 17 -j accepted
It seems that your packetfilter box receives its IP address from a dhcp/bootp server or is itself a dhcp/bootp box. Do you run xinetd or have you got your dhcp bound on your int device?
dhcpd is running without inetd, and yes, it's bound to the local interface only. the firewall is the dhcp server for the local network.
where in switzerland are you btw?
martin
[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net
-- "when I was a boy I was told that anybody could become president. now i'm beginning to believe it." -- clarence darrow
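The two points Philipp raises in the thread (the `ei-in` rules accepting any inbound TCP/UDP to 1024:65535, and `-p 1 -j denied` dropping every ICMP message) can be checked mechanically. The following is an added example, not code from either poster: a small Python linter that parses the subset of ipchains syntax quoted above and flags those rules. It assumes the thread's own conventions (chain `ei-in` is the internet-facing input chain, `accepted`/`denied` are user chains ending in ACCEPT/DENY) and the standard ipchains meaning of `! -y` (match only packets that are not TCP SYNs, i.e. replies to connections opened from inside), which is the usual fix for the TCP rule. The sample rule list is constructed from the thread plus one tightened variant.

```python
"""Lint ipchains-style rules for the issues discussed in the thread.

Added example, not the thread's own code. Assumed conventions (from the
thread): chain "ei-in" carries packets from the internet to the firewall,
"accepted"/"denied" are user chains that end in ACCEPT/DENY. Protocol
numbers follow ipchains: -p 6 TCP, -p 17 UDP, -p 1 ICMP. "! -y" is the
ipchains negated SYN match (only non-SYN packets, i.e. replies, match).
"""
import shlex

PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp", "2": "igmp"}
ACCEPT_TARGETS = {"ACCEPT", "accepted"}
DENY_TARGETS = {"DENY", "REJECT", "denied"}
EXTERNAL_IN_CHAIN = "ei-in"   # thread's name for the internet-facing input chain


def parse_ports(spec):
    """'1024:65535' -> (1024, 65535); '22' -> (22, 22)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Parse the subset of ipchains syntax used in the thread into a dict."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "dport": None, "sport": None,
            "target": None, "not_syn": False, "raw": line.strip()}
    i, negate = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":                    # '!' negates the option that follows
            negate = True
            i += 1
            continue
        if t in ("-A", "-p", "-j"):
            rule[{"-A": "chain", "-p": "proto", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            # -s/-d addr[/mask] [port[:port]]; the port part is optional
            # (for ICMP the -s "port" slot holds the ICMP type)
            i += 2
            if i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                rule["sport" if t == "-s" else "dport"] = parse_ports(toks[i])
                i += 1
        elif t == "-y":
            rule["not_syn"] = negate    # '! -y' => only non-SYN packets match
            i += 1
        else:
            i += 1                      # -b, -l, -i ... do not affect these checks
        negate = False
    if rule["proto"]:
        rule["proto"] = PROTO_NAMES.get(rule["proto"], rule["proto"].lower())
    return rule


def lint(rules):
    """Return (rule, reason) pairs for risky rules on the external input chain."""
    findings = []
    for r in map(parse_rule, rules):
        if r["chain"] != EXTERNAL_IN_CHAIN:
            continue
        dp = r["dport"]
        if r["target"] in ACCEPT_TARGETS and dp and dp[0] >= 1024:
            if r["proto"] == "tcp" and not r["not_syn"]:
                findings.append((r["raw"], "accepts unsolicited inbound TCP to "
                                 "high ports; add '! -y' so only replies to "
                                 "connections opened from inside match"))
            elif r["proto"] == "udp" and r["sport"] is None:
                findings.append((r["raw"], "accepts UDP from any source to high "
                                 "ports; pin the source port (e.g. 53 for DNS) "
                                 "or the source host"))
        if (r["target"] in DENY_TARGETS and r["proto"] == "icmp"
                and dp is None and r["sport"] is None):
            findings.append((r["raw"], "drops all ICMP, including destination-"
                             "unreachable (type 3), which path-MTU discovery "
                             "and prompt connection failures depend on"))
    return findings


# Constructed sample: the thread's ei-in/ii-in rules plus one tightened variant.
THREAD_RULES = [
    "-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted",
    "-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted",
    "-A ei-in -p 1 -j denied",
    "-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted",
    "-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 ! -y -j accepted",   # replies only
]

if __name__ == "__main__":
    for raw, why in lint(THREAD_RULES):
        print(f"{raw}\n    -> {why}")
```

Only the three rules Philipp objected to are reported; the `! -y` variant at the end passes, which is the cheapest way to keep the firewall transparent for outbound use while closing the inbound high-port hole for TCP. UDP has no equivalent flag under ipchains, so that side has to be narrowed by source port or host.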