Conny R. Landstedt wrote:

>To Kim Nielsen & Gentoo-dev
>
>In the "Gentoo Linux Security Guide"
>
>
>>Code listing 64: /etc/init.d/firewall
>> #Incoming traffic
>> einfo "Creating incoming ssh traffic chain"
>> $IPTABLES -N allow-ssh-traffic-in
>> $IPTABLES -F allow-ssh-traffic-in
>> $IPTABLES -A allow-ssh-traffic-in -p tcp --sport ssh -j ACCEPT
>>
>>
>
>I'm not absolutely certain, but shouldn't it be "--dport" instead of
>"--sport"?
>
>Reg. Conny
>
>_______________________________________________
>gentoo-dev mailing list
>gentoo-dev@g.o
>http://lists.gentoo.org/mailman/listinfo/gentoo-dev
>
>
>
I believe that the line is for ssh traffic in, which means that you
connect to a server on the internet on the ssh port, and the rule makes
it "allowable" for you to receive the traffic that comes from the
server (otherwise you wouldn't be able to use the session because you
would drop everything that comes from the server to you).

But that shouldn't be needed if one uses a stateful firewall like
iptables...
In my "home made" firewall I have this:
# Accept established connections and related ones
$IPT -A NET -m state --state ESTABLISHED,RELATED -j ACCEPT
where NET represents every INPUT from the internet (network device which
goes to the net)
so, since I accept outgoing connections to ssh (it's also in the
firewall), whenever I initiate an ssh connection to the outside it
becomes accepted.

I'm not sure that the "allow-ssh-traffic-in" is what I've just said,
it's a guess since I don't know/use that firewall, but if it is, I
believe that something like accepting the outgoing connection & using
that "--state ESTABLISHED,RELATED" would make the rule set cleaner
and easier to manage...

«just my two euro cents»

And by the way, was anyone able to get DCC send and receive working with
masquerading with iptables?

Miguel Sousa Filipe
Gentoo user since November 2001 ;-)

p.s.: if anyone wants to see my rule set it's in:

URL: http://mega.ist.utl.pt/~mmsf/configs/rc.icewall
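As an added example (not code from the Gentoo Security Guide, nor from Miguel's rc.icewall), here is a small POSIX sh rule set that does what the reply above describes: a default-deny INPUT chain, one ESTABLISHED,RELATED rule that admits the return half of every connection the host initiates (so outbound ssh needs no --sport rule at all), and an inbound ssh chain keyed on --dport. The chain name follows the guide's listing; the port variable, the function names and the echo-based preview are assumptions for illustration. One caveat worth adding to the thread: an inbound ACCEPT on --sport ssh is not merely redundant next to a stateful rule, it is a hole, because a remote host is free to send anything it likes from source port 22 and would thereby get through to every local port.

```shell
#!/bin/sh
# Added example, not code from the Gentoo Security Guide or from
# rc.icewall: a minimal stateful iptables INPUT policy for a host that
# both runs sshd and opens outbound ssh sessions. The chain name mirrors
# the guide; SSH_PORT, the function names and the preview mode are
# assumptions for illustration.
#
# IPTABLES defaults to the real binary; the preview/check helpers run
# the same functions with IPTABLES="echo iptables" so nothing is applied
# and no root is needed.

IPTABLES="${IPTABLES:-/sbin/iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Default-deny inbound and forwarded traffic; loopback is always allowed.
base_policy() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -A INPUT -i lo -j ACCEPT
}

# One conntrack rule admits the replies to every connection this host
# initiated (outbound ssh included), so no "--sport ssh" inbound rule is
# needed. A "--sport ssh" ACCEPT would let any remote host reach every
# local port simply by sending from source port 22.
allow_return_traffic() {
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Inbound ssh to the local sshd: match on the destination port and only
# admit NEW connections; the stateful rule above carries the rest.
allow_ssh_in() {
    $IPTABLES -N allow-ssh-traffic-in
    $IPTABLES -F allow-ssh-traffic-in
    $IPTABLES -A allow-ssh-traffic-in -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -j allow-ssh-traffic-in
}

load_rules() {
    base_policy
    allow_return_traffic
    allow_ssh_in
}

# Render the rule set as text: load_rules runs in a subshell with
# IPTABLES replaced by echo, so nothing touches the kernel.
preview_rules() {
    ( IPTABLES="echo iptables"; load_rules )
}

# Sanity checks on the rendered rule set: the inbound ssh rule must match
# --dport and never --sport, and the stateful rule must be present.
check_rules() {
    rules=$(preview_rules)
    printf '%s\n' "$rules" | grep -q -- "--dport $SSH_PORT" || return 1
    printf '%s\n' "$rules" | grep -q -- "--sport" && return 1
    printf '%s\n' "$rules" | grep -q -- "--state ESTABLISHED,RELATED" || return 1
    return 0
}

# Apply only when explicitly asked (needs root); otherwise just preview.
case "${1:-}" in
    apply) load_rules ;;
    "")    preview_rules ;;
esac
```

Run it with no arguments to print the rules it would load, and with `apply` as root to install them. `-m state --state` is kept to match the thread; on current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the equivalent match.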