Note that this will prolly not have the exact effect you were looking for. These lines will make it so that "host.com" can ONLY touch port 21 on "your.host.com". Most services only use the privileged/registered ports for initial contact, authentication, and/or negotiation of the data port (usually a userland port, though for FTP, it might be port 20). This is the problem with default deny firewall setups. In theory, the services could be re-written to make negotiated ports available to some kinda interface (/proc, perhaps?) with which one could trigger dynamic, temporary firewall rules. We have a commercial firewall that does just that, and it works very well.

-- 
========================================================================
Rocky McGaugh                       Atipa Linux Solutions
Linux Systems Engineer              www.atipa.com
rocky@smluc.org                     rmcgaugh@atipa.com
========================================================================

On Tue, 18 Jan 2000, John Grant wrote:
the webster said:
Is it possible to add a chain in ipchains so it will deny all traffic from a certain host but not on a special port? For instance, I want to deny all traffic from host.com except if it tries to contact me on port 21. Is it possible?
Yes. You have to specify a protocol if you want to specify a port though, so if you want to block both udp and tcp you will need two rules:
    ipchains -I input -p tcp -s host.com -d your.host.com ! 21 -j DENY
    ipchains -I input -p udp -s host.com -d your.host.com ! 21 -j DENY
Change "DENY" to "REJECT" as you prefer.
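To make the point in the reply concrete, here is an added Python model of the two rules (not code from the thread or from ipchains): first matching rule wins, matching is stateless, and a default ACCEPT policy on the input chain is assumed. It shows the FTP control connection on port 21 getting through while the data connections the same session negotiates are denied.

```python
# Constructed model of the thread's two ipchains rules (not ipchains itself).
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    dst: str
    dport: int
    negate_dport: bool  # the "! 21" in the thread's rules
    target: str

    def matches(self, p: Packet) -> bool:
        if (p.proto, p.src, p.dst) != (self.proto, self.src, self.dst):
            return False
        hit = p.dport == self.dport
        return (not hit) if self.negate_dport else hit

# ipchains -I input -p tcp -s host.com -d your.host.com ! 21 -j DENY
# ipchains -I input -p udp -s host.com -d your.host.com ! 21 -j DENY
INPUT_CHAIN = [
    Rule("tcp", "host.com", "your.host.com", 21, True, "DENY"),
    Rule("udp", "host.com", "your.host.com", 21, True, "DENY"),
]

def input_verdict(p: Packet, chain=INPUT_CHAIN, policy="ACCEPT") -> str:
    """First matching rule wins, as in ipchains; else the chain policy
    (ACCEPT is assumed here, since the thread never sets one)."""
    for r in chain:
        if r.matches(p):
            return r.target
    return policy

def ftp_session_verdicts() -> dict:
    """FTP control connection vs. the data connections it negotiates; ipchains
    is stateless, so each data-channel packet is judged on its own."""
    control = Packet("tcp", "host.com", "your.host.com", 21)
    # Passive mode: client opens a second connection to a negotiated high port.
    passive_data = Packet("tcp", "host.com", "your.host.com", 49152)
    # Active mode: server dials out from port 20; replies arrive for dport 20.
    active_reply = Packet("tcp", "host.com", "your.host.com", 20)
    return {"control": input_verdict(control),
            "passive_data": input_verdict(passive_data),
            "active_data_replies": input_verdict(active_reply)}
```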