[CS-FSLUG] Firewall fights

Stephen J. McCracken smccracken at hcjb.org.ec
Wed Jan 25 15:41:10 CST 2006


> # Generated by iptables-save v1.2.11 on Wed Jan 25 14:49:33 2006
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [5835:2936213]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
> -A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 

Well, Redhat puts all its rules in one RH chain and then calls that
chain from both the INPUT and FORWARD (which you don't have) chains.

As you could probably already tell, this is not as tight as the other
firewall.  This doesn't block any outgoing packets at all.  It allows
all incoming icmp, multicast port 5353 (dns?), internet printing (udp
port 631 - cups?), ssh, and all return packets from internally initiated
connections.

Your other firewall dropped from source "no", several icmp types, didn't
allow port 631 or 5353 or the ipv6 above.

sjm
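As an added example (not part of the original thread, and not Red Hat's or iptables' own tooling), here is a small Python script that parses an iptables-save dump like the one quoted above and reports, for each built-in chain, what is explicitly accepted and what verdict a packet gets when it matches nothing. It follows jumps into user chains such as RH-Firewall-1-INPUT, which is how the summary in the reply was derived by hand. The function names (`parse_filter_table`, `flatten`, `audit`, `unfiltered_chains`) are this example's own; the sample dump is the quoted ruleset embedded inline.

```python
"""Audit the *filter table of an iptables-save dump: what each built-in chain
accepts and what happens to packets that match no rule (the fall-through)."""
import shlex

BUILTIN = ('INPUT', 'FORWARD', 'OUTPUT')
MATCH_KEYS = ('iface', 'proto', 'dport', 'dst', 'state')
# Options we evaluate -> rule field; options we skip (they take one argument).
OPTS = {'-p': 'proto', '--protocol': 'proto', '--dport': 'dport',
        '-i': 'iface', '--in-interface': 'iface', '-d': 'dst',
        '--destination': 'dst', '--state': 'state', '-j': 'target', '--jump': 'target'}
SKIP_WITH_ARG = {'-m', '--icmp-type', '--reject-with', '-o', '-s', '--sport'}

# Constructed sample input: the Red Hat ruleset quoted in the message above.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5835:2936213]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_filter_table(text):
    """Return (policies, chains): policies maps chain -> policy ('-' for user
    chains); chains maps chain -> ordered list of rule dicts. Negated matches
    ('!') are not modelled; this is a reading aid, not a full iptables parser."""
    policies, chains, in_filter = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):            # table header, e.g. *filter or *nat
            in_filter = line == '*filter'
            continue
        if not in_filter:
            continue
        if line == 'COMMIT':
            break
        if line.startswith(':'):            # chain declaration ":NAME POLICY [pkts:bytes]"
            name, policy, _counters = line[1:].split()
            policies[name], chains[name] = policy, []
            continue
        if line.startswith('-A '):
            toks = shlex.split(line)
            rule = dict.fromkeys(MATCH_KEYS + ('target',))
            i = 2
            while i < len(toks):
                if toks[i] in OPTS:
                    rule[OPTS[toks[i]]] = toks[i + 1]
                    i += 2
                elif toks[i] in SKIP_WITH_ARG:
                    i += 2
                else:
                    i += 1
            chains.setdefault(toks[1], []).append(rule)
    return policies, chains


def flatten(chain, chains, depth=0):
    """Inline jumps into user chains so each built-in chain becomes one first-match
    list. A jump's own match fields are pushed onto inlined rules that leave the
    field unset (a conjunction). Explicit RETURN is not modelled."""
    out = []
    for r in chains.get(chain, []):
        tgt = r['target']
        if tgt in chains and tgt not in BUILTIN and depth < 16:
            for sub in flatten(tgt, chains, depth + 1):
                merged = dict(sub)
                for k in MATCH_KEYS:
                    if merged[k] is None:
                        merged[k] = r[k]
                out.append(merged)
        else:
            out.append(r)
    return out


def describe(r):
    """Human-readable summary of a rule's match fields, e.g. 'tcp/22 state NEW'."""
    parts = []
    if r['iface']:
        parts.append('iface ' + r['iface'])
    if r['proto']:
        parts.append(r['proto'] + ('/' + r['dport'] if r['dport'] else ''))
    if r['dst']:
        parts.append('dst ' + r['dst'])
    if r['state']:
        parts.append('state ' + r['state'])
    return ' '.join(parts) or 'any'


def audit(text):
    """Per built-in chain: what is accepted before the first catch-all rule, and
    the verdict for unmatched packets (an unconditional REJECT/DROP/ACCEPT, else
    the chain policy)."""
    policies, chains = parse_filter_table(text)
    report = {}
    for builtin in BUILTIN:
        accepts, fallthrough = [], policies.get(builtin, 'ACCEPT')
        for r in flatten(builtin, chains):
            unconditional = all(r[k] is None for k in MATCH_KEYS)
            if r['target'] == 'ACCEPT':
                accepts.append(describe(r))
            if unconditional and r['target'] in ('ACCEPT', 'DROP', 'REJECT'):
                fallthrough = r['target']   # catch-all: evaluation stops here
                break
        report[builtin] = {'accepts': accepts, 'fallthrough': fallthrough}
    return report


def unfiltered_chains(report):
    """Built-in chains where traffic matching no rule is simply accepted."""
    return [c for c, v in report.items() if v['fallthrough'] == 'ACCEPT']


if __name__ == '__main__':
    rep = audit(SAMPLE)
    for chain, v in rep.items():
        print(f"{chain}: fall-through {v['fallthrough']}; accepts: "
              f"{', '.join(v['accepts']) or 'nothing explicit'}")
    print('chains with no filtering of unmatched traffic:', unfiltered_chains(rep))
```

Run against the quoted dump it reports INPUT and FORWARD falling through to REJECT (via the shared RH chain) while OUTPUT has no rules and a policy of ACCEPT, which is the "doesn't block any outgoing packets" observation in the reply. Feeding it a second dump and diffing the two reports is a quick way to compare firewalls the way the thread does.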