| 1 |
Conny R. Landstedt wrote: |
| 2 |
|
| 3 |
>To Kim Nielsen & Gentoo-dev |
| 4 |
> |
| 5 |
>In the "Gentoo Linux Security Guide" |
| 6 |
> |
| 7 |
> |
| 8 |
>>Code listing 64: /etc/init.d/firewall |
| 9 |
>> #Incoming traffic |
| 10 |
>> einfo "Creating incoming ssh traffic chain" |
| 11 |
>> $IPTABLES -N allow-ssh-traffic-in |
| 12 |
>> $IPTABLES -F allow-ssh-traffic-in |
| 13 |
>> $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT |
| 14 |
>> |
| 15 |
>> |
| 16 |
> |
| 17 |
>I'm not absolutely certain, but shouldn't it be "--dport" instead of |
| 18 |
>"--sport"? |
| 19 |
> |
| 20 |
>Reg. Conny |
| 21 |
> |
| 22 |
>_______________________________________________ |
| 23 |
>gentoo-dev mailing list |
| 24 |
>gentoo-dev@g.o |
| 25 |
>http://lists.gentoo.org/mailman/listinfo/gentoo-dev |
| 26 |
> |
| 27 |
> |
| 28 |
> |
| 29 |
I believe that the line is for ssh-traffic in.. wich means.. that you |
| 30 |
connect to a server in the internet to the ssh port.. |
| 31 |
and the rule makes it "allowable" for you to recieve the traffic that |
| 32 |
comes from the server.. |
| 33 |
(otherwise you wouldn't be able to use the session because you would |
| 34 |
drop everything that comes from the server to you) |
| 35 |
|
| 36 |
But that's shouldn't be needed it one uses a statefull firewall like |
| 37 |
iptables... |
| 38 |
In my "home made" firewall.. I have this: |
| 39 |
# Accept established connections and related ones |
| 40 |
$IPT -A NET -m state --state ESTABLISHED,RELATED -j ACCEPT |
| 41 |
where NET represents every INPUT from the internet (network device wich |
| 42 |
goes to the net) |
| 43 |
so..since I accept outgoing connections to ssh(it's also in the |
| 44 |
firewall), whenever I iniciate a ssh connection to the outside it |
| 45 |
becomes accepted. |
| 46 |
|
| 47 |
I'm not shure that the "allow-ssh-traffic-in" is what i've just said, |
| 48 |
it's a guess since I don't know/use that firewall, but if it is, I |
| 49 |
believe that something like accepting the outgoing connection & using |
| 50 |
that " --state ESTABLISHED,RELATED" would make the rule set cleaner |
| 51 |
and easyer to manage... |
| 52 |
|
| 53 |
«just my two euro cents» |
| 54 |
|
| 55 |
And by the way, anyone was able to get dcc send and receive working with |
| 56 |
masquerading with iptables? |
| 57 |
|
| 58 |
Miguel Sousa Filipe |
| 59 |
Gentoo user since November 2001 ;-) |
| 60 |
|
| 61 |
p.s.: if anyone want's to see my rule set it's in: |
| 62 |
|
| 63 |
URL: http://mega.ist.utl.pt/~mmsf/configs/rc.icewall |
Archives