[plug] INPUT chain

Subba Rao subb3 at ibm.net
Sun Aug 29 00:05:11 WST 1999


Thank you very much for your input. I will tweak my INPUT chain again
tomorrow. I am finishing up reading the HOWTO. It is beginning to make a
lot of sense. My teammates tried to do port scans and were not successful
in getting much useful information. They got some info from "Syn probes".
Now I guess they can do some form of denial of service attack on this system.
That is the goal for Monday.

My LAN can access the Web server via ethernet. Web server cannot be
accessed from the Internet via ppp0 interface, which is good.

Thanks again.

Subba Rao
subb3 at ibm.net
==============================================================
Disclaimer - I question and speak for myself.

http://pws.prserv.net/truemax/
______________________________________________________________
On Sat, 28 Aug 1999 22:52:53 +0800, Leon Brooks wrote:

>Subba Rao wrote:
>> EXERCISE
>
>> For the modem interface, I setup the following rules,
>
>> $ ipchains -A input -i ppp0 -p 21 -j DENY
>> $ ipchains -A input -i ppp0 -p 23 -j DENY
>> $ ipchains -A input -i ppp0 -p 80 -j DENY
>> 
>> My goal in this exercise is to prevent outside telnet, ftp and www access
>> to my gateway.
>
>Try -d 0/0 21 (etc) instead of -p (which specifies some (in this case
>very weird) protocol types).
>
>I prefer to do French Foreign Legion Policy:
>
>ipchains -P input DENY
>for port in 6000 443 80 53 (etc); do
>    ipchains -A input -j ACCEPT -i ppp0 -s 0/0 $port
>done
>
>I also block un-needed _outbound_ connects from low ports. If your
>intranet uses SMB (windows sharing) remember not to allow either TCP or
>UDP from ppp0 on ports 137-139 inclusive as SMB is *DESIGN*INSECURE*
>which means that it can't be fixed with mere firewalling, only blocked.
>Also block all connects to and from the BackOrifice and NetBus default
>ports, services like IRC (think of DCC'ed trojans), ICQ and anything
>else that your Windows users might run without thinking. (-: Starting
>with windows. :-)
>
>(The FFL manual starts with "You shall do nothing except...")
>
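The default-deny INPUT policy and the "-d 0/0 <port>" form from Leon's reply, written out as an added example script (not code from either message in the thread). The interface names eth0/ppp0, the accepted port list and the dry_run helper are assumptions; it also goes one step beyond the thread by letting replies to the gateway's own outbound TCP connections back in, since ipchains keeps no connection state.

```shell
#!/bin/sh
# Added example: default-deny ipchains INPUT policy on the modem link (ppp0),
# with the LAN side (eth0) trusted. Rules use -p tcp/udp plus -d 0/0 <port>
# for the destination port, as the reply recommends instead of "-p <port>".
# By default the rules are only printed; run as root with IPCHAINS=ipchains
# to apply them.
dry_run() { echo "ipchains $*"; }
IPCHAINS="${IPCHAINS:-dry_run}"

# Services offered to the Internet (constructed list for the example).
ALLOW_TCP="443"
ALLOW_UDP="53"

ipchains_rules() {
    # "You shall do nothing except...": flush and deny by default.
    $IPCHAINS -F input
    $IPCHAINS -P input DENY

    # Loopback and the trusted LAN interface stay open.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i eth0 -j ACCEPT

    # SMB/NetBIOS never crosses the modem link, TCP or UDP, in either
    # direction; -l logs the hits so attempts show up in syslog.
    for proto in tcp udp; do
        $IPCHAINS -A input -i ppp0 -p $proto -d 0/0 137:139 -j DENY -l
        $IPCHAINS -A output -i ppp0 -p $proto -d 0/0 137:139 -j DENY -l
    done

    # Explicitly accepted services, matched on destination port.
    for port in $ALLOW_TCP; do
        $IPCHAINS -A input -i ppp0 -p tcp -d 0/0 $port -j ACCEPT
    done
    for port in $ALLOW_UDP; do
        $IPCHAINS -A input -i ppp0 -p udp -d 0/0 $port -j ACCEPT
    done

    # ipchains is stateless: accept non-SYN TCP packets so replies to the
    # gateway's own outbound connections get back in, while new inbound
    # connections (SYN) still fall through to the deny below.
    $IPCHAINS -A input -i ppp0 -p tcp ! -y -j ACCEPT

    # Catch-all with logging, so scans against ppp0 are visible.
    $IPCHAINS -A input -i ppp0 -j DENY -l
}

ipchains_rules
```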