Marco wrote:
> On Fri, Apr 24, 2009 at 4:59 PM, Eric Martin <freak4uxxx@×××××.com> wrote:
>
>> Marco wrote:
>>
>>> Hi all,
>>>
>>> I set up my first firewall on my notebook (not running any services
>>> reachable from outside) using iptables. Since I am new to the topic,
>>> could you please verify if the output of 'iptables -L -v' is
>>> considered to be a safe firewall? Thanks!
>>>
>>> Chain INPUT (policy DROP 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source destination
>>> 0 0 ACCEPT all -- lo any anywhere anywhere
>>> 0 0 ACCEPT all -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
>>> 0 0 REJECT tcp -- eth0 any anywhere anywhere reject-with tcp-reset
>>> 0 0 REJECT udp -- eth0 any anywhere anywhere reject-with icmp-port-unreachable
>>> 0 0 DROP udp -- eth0 any anywhere anywhere udp spt:bootps
>>> 0 0 LOG all -- eth0 any anywhere anywhere LOG level warning prefix `INPUT '
>>> 1 79 ACCEPT all -- wlan0 any anywhere anywhere state RELATED,ESTABLISHED
>>> 0 0 REJECT tcp -- wlan0 any anywhere anywhere reject-with tcp-reset
>>> 0 0 REJECT udp -- wlan0 any anywhere anywhere reject-with icmp-port-unreachable
>>> 0 0 DROP udp -- wlan0 any anywhere anywhere udp spt:bootps
>>> 0 0 LOG all -- wlan0 any anywhere anywhere LOG level warning prefix `INPUT '
>>>
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>> pkts bytes target prot opt in out source destination
>>> 0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `FORWARD '
>>> 0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `FORWARD '
>>>
>>> Chain OUTPUT (policy ACCEPT 5 packets, 1691 bytes)
>>> pkts bytes target prot opt in out source destination
>>> 0 0 ACCEPT all -- any lo anywhere anywhere
>>> 0 0 LOG all -- any eth0 anywhere anywhere LOG level warning prefix `OUTPUT '
>>> 1 52 LOG all -- any wlan0 anywhere anywhere LOG level warning prefix `OUTPUT '
>>>
>>>
>
<snip>
> Sorry for the bad format. gmail decided to insert some sub-ideal pagebreaks...
>
> Talking about the 1 log line at the bottom you mean I should configure
> it to not specify an interface (eth0, wlan0)?
>
> Thanks!
>
>
Yeah, not specifying an interface for the log rule to apply to will make
it catch all interfaces (including lo but all traffic has already been
approved ahead of time so it won't catch).
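An added audit script (mine, not from anyone in the thread) that parses an `iptables -L -v` listing and reports rule bodies repeated once per interface, the pattern Eric suggests collapsing into a single rule with no interface. The embedded sample is a constructed copy of Marco's INPUT chain with gmail's wrapped lines rejoined, trimmed to the rules needed.

```python
import re
from collections import defaultdict

# Constructed sample: the INPUT chain from the original post, unwrapped.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in    out  source    destination
    0     0 ACCEPT all  --  lo    any  anywhere  anywhere
    0     0 ACCEPT all  --  eth0  any  anywhere  anywhere state RELATED,ESTABLISHED
    0     0 REJECT tcp  --  eth0  any  anywhere  anywhere reject-with tcp-reset
    0     0 LOG    all  --  eth0  any  anywhere  anywhere LOG level warning prefix `INPUT '
    1    79 ACCEPT all  --  wlan0 any  anywhere  anywhere state RELATED,ESTABLISHED
    0     0 REJECT tcp  --  wlan0 any  anywhere  anywhere reject-with tcp-reset
    0     0 LOG    all  --  wlan0 any  anywhere  anywhere LOG level warning prefix `INPUT '
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")

def parse(listing):
    """Return {chain: (policy, [rules])}; each rule records its in/out
    interfaces separately from a 'key' built from all the other fields."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        target, prot, opt, iface_in, iface_out = f[2:7]
        matches = " ".join(f[7:])  # source, destination, match options
        chains[current][1].append(
            {"in": iface_in, "out": iface_out, "key": (target, prot, opt, matches)})
    return chains

def collapsible(chains):
    """Per chain, map each rule body that appears on more than one physical
    interface to those interfaces: one interface-less rule would cover them."""
    findings = {}
    for chain, (_policy, rules) in chains.items():
        seen = defaultdict(set)
        for r in rules:
            iface = r["in"] if r["in"] != "any" else r["out"]
            if iface not in ("any", "lo"):  # lo rules are meant to be specific
                seen[r["key"]].add(iface)
        findings[chain] = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return findings
```

Running `collapsible(parse(SAMPLE))` reports the ACCEPT, REJECT and LOG bodies as duplicated on eth0 and wlan0; feed it real `iptables -L -v` output to check your own ruleset.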