Martin,

I'm not absolutely sure about what I write you here because I have never worked with the -N option before. But

## chain: accepted ##
all packets that are being accepted
-N accepted
-A accepted -j ACCEPT
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 25:25 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 53:53 -p 17 -j accepted
-A ii-in -b -d 0.0.0.0/0 67:68 -p 17 -j accepted
-A ii-in -b -d 0.0.0.0/0 80:80 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 110:110 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 515:515 -p 6 -j accepted
-A ii-in -b -d 0.0.0.0/0 8080:8080 -p 6 -j accepted

seems to be very much a pleonasm. Dual acceptance. What for? Why not write it as

-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j ACCEPT

? The same with DENY, MASQ and REJECT. I know, you don't want to switch between CAPITALS and small letters when defining new rules. About 22:22, 25:25 and so on we already talked.

Quick analysis (please correct me if I'm wrong):

-A ie-out -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-out -d 0.0.0.0/0 1024:65535 -p 17 -j accepted

The output chains for ippp0 to the internet.

-A ie-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted

The input chains for internal network to internal network adapter in your firewall box.

-A ei-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ei-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
-A ii-out -j accepted

This rule is internal eth to internal network. Everything is accepted. This is the input chains on your ext device (ippp0). Open like the gate of a barn for trojans. Here's a link: http://www.simovits.com/nyheter9902.html

You have achieved full ftp functionality at the cost of the above comments. I consider it dangerous.

-A ie-out -d 0.0.0.0/0 79:79 -p 6 -j accepted

Forget about finger.

-A ei-in -p 1 -j denied

Please allow at least icmp dest unreach.

-A ei-in -p 2 -j denied

Question to the group: Can igmp be a security threat?

-A ii-in -b -d 0.0.0.0/0 67:68 -p 17 -j accepted

It seems that your packet filter box receives its IP address from a dhcp/bootp server or is itself a dhcp/bootp box. Do you run xinetd or have you got your dhcp bound on your int device?

Well, that's all for now. I don't see more.

HTH
Philipp

BTW: I'll send you my more primitive firewall.
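A small static checker for the three patterns Philipp raises (user chains that only jump to a built-in target, ACCEPT rules that open the whole unprivileged port range, and blanket ICMP denies), added here as an example; it is not part of the original mail or of Martin's rule file. The rule text inside is constructed in the style of the quoted rules, and the chain names, the finding codes and the 1024-port width threshold are my own assumptions. It reads the plain `-A ...` form from the thread and reports findings as (code, chain, detail) tuples so they can be checked or grepped.

```python
"""Lint an ipchains rule listing for the patterns discussed in the thread.

Added example, not from the original mail. Reports:
  PASSTHROUGH  a -N chain whose only rule is an unconditional -j to a built-in target
  WIDE_ACCEPT  an ACCEPT whose destination port range is 1024 ports or wider
  ACCEPT_ALL   an unconditional ACCEPT outside a pass-through chain
  ICMP_ALL     a DENY/REJECT of ICMP with no type restriction
"""
import shlex
from collections import defaultdict

BUILTIN_TARGETS = {"ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT", "RETURN"}
PROTO_NAMES = {"1": "icmp", "2": "igmp", "6": "tcp", "17": "udp"}
WIDE_RANGE = 1024  # assumption: a range this wide is treated as "open"

# Constructed sample, modelled on the rules quoted in the thread (not Martin's file).
SAMPLE_RULES = """\
# user chains that only wrap a built-in target
-N accepted
-A accepted -j ACCEPT
-N denied
-A denied -j DENY
-A ii-in -b -d 0.0.0.0/0 22:22 -p 6 -j accepted
-A ie-in -d 0.0.0.0/0 1024:65535 -p 6 -j accepted
-A ie-in -d 0.0.0.0/0 1024:65535 -p 17 -j accepted
-A ei-in -p 1 -j denied
-A ii-out -j accepted
"""


def parse_rule(line):
    """Parse one rule line into a dict; None for blank or comment-only lines.

    Recognises -N/-A, -b, -p, -i, -j and -s/-d followed by an address and an
    optional port or port:range token (for ICMP the same slot carries the type).
    Flags without an argument (-l, -y, ...) are skipped.
    """
    toks = shlex.split(line.split("#", 1)[0])
    if not toks:
        return None
    rule = {"op": None, "chain": None, "proto": None, "src": None, "dst": None,
            "sport": None, "dport": None, "iface": None, "target": None,
            "bidir": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("-N", "-A"):
            rule["op"], rule["chain"] = t, toks[i + 1]
            i += 2
        elif t == "-b":
            rule["bidir"] = True
            i += 1
        elif t == "-p":
            rule["proto"] = PROTO_NAMES.get(toks[i + 1], toks[i + 1]).lower()
            i += 2
        elif t in ("-i", "-j"):
            rule["iface" if t == "-i" else "target"] = toks[i + 1]
            i += 2
        elif t in ("-s", "-d"):
            addr_key, port_key = ("src", "sport") if t == "-s" else ("dst", "dport")
            rule[addr_key] = toks[i + 1]
            i += 2
            if i < len(toks) and not toks[i].startswith("-"):
                rule[port_key] = toks[i]
                i += 1
        else:
            i += 1
    return rule


def port_range(spec):
    """'22' -> (22, 22); '1024:65535' -> (1024, 65535); None -> None."""
    if spec is None:
        return None
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)


def is_unconditional(rule):
    """True when the rule matches every packet (no proto, iface, port or address)."""
    any_addr = (None, "0.0.0.0/0", "0/0")
    return (rule["proto"] is None and rule["iface"] is None
            and rule["sport"] is None and rule["dport"] is None
            and rule["src"] in any_addr and rule["dst"] in any_addr)


def lint(text):
    """Return a list of (code, chain, detail) findings for the rule text."""
    rules = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    declared = [r["chain"] for r in rules if r["op"] == "-N"]
    body = defaultdict(list)
    for r in rules:
        if r["op"] == "-A":
            body[r["chain"]].append(r)

    # A pass-through chain has exactly one unconditional rule to a built-in target;
    # jumps to it are resolved to that target for the remaining checks.
    passthrough = {}
    for name in declared:
        rs = body.get(name, [])
        if len(rs) == 1 and is_unconditional(rs[0]) and rs[0]["target"] in BUILTIN_TARGETS:
            passthrough[name] = rs[0]["target"]
    findings = [("PASSTHROUGH", name, f"chain only does -j {tgt}; rules could use -j {tgt} directly")
                for name, tgt in passthrough.items()]

    for chain, rs in body.items():
        if chain in passthrough:
            continue
        for r in rs:
            tgt = passthrough.get(r["target"], r["target"])
            rng = port_range(r["dport"])
            if tgt == "ACCEPT" and rng and rng[1] - rng[0] + 1 >= WIDE_RANGE:
                findings.append(("WIDE_ACCEPT", chain,
                                 f"{r['proto'] or 'any'} ports {rng[0]}-{rng[1]} accepted to {r['dst']}"))
            if tgt == "ACCEPT" and is_unconditional(r):
                findings.append(("ACCEPT_ALL", chain, "unconditional accept"))
            if r["proto"] == "icmp" and tgt in ("DENY", "REJECT") \
                    and r["sport"] is None and r["dport"] is None:
                findings.append(("ICMP_ALL", chain,
                                 "all ICMP blocked; destination-unreachable is needed for PMTU discovery"))
    return findings


if __name__ == "__main__":
    for code, chain, detail in lint(SAMPLE_RULES):
        print(f"{code:12} {chain:8} {detail}")
```

Run against a saved listing the checker only reads text, so it can be pointed at a rule file before it is loaded; which `*-in` chain is the external interface is something the reader still has to decide from the naming convention, which is why the WIDE_ACCEPT finding reports every chain rather than guessing.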
-----Original Message-----
From: 'MaD dUCK' [mailto:madduck@madduck.net]
Sent: Monday, 25 December 2000 11:40
To: Philipp Snizek
Cc: suse-security@suse.com
Subject: [suse-security] ack, wrong ipchains (was: hack me! -- ipchains security)
Man, I am so dumb... because I sent the wrong file out to the list. Please let me try again and use only the attached file - these are my real ipchains rules...

Sorry about that.
Martin
[greetings from the heart of the sun]# echo madduck@!#:1:s@\@@@.net -- sum quod eris.