Firewall netiquette

Matthew Burgess ca9mbu at hermes.sunderland.ac.uk
Tue Jul 15 07:13:03 PDT 2003


On Tue, 15 Jul 2003 11:59:02 +0000 (UTC)
markh at linuxfromscratch.org (Mark Hymers) wrote:

> On Tue, 15, Jul, 2003 at 09:53:52AM +0100, Matthew Burgess spoke
> thus..
> > My question now is: Is
> > dropping packets at my own discretion going to infuriate my fellow
> > netizens - i.e. should they reasonably expect to be able to get any
> > packets they send through successfully?
> 
> Nope.
> 
> If you're not providing a service on those ports then you're quite
> right to block them.  In fact, you'd be better off with something
> like:
> 
> iptables -P INPUT DROP
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> i.e. dropping all the packets, then allowing RELATED and ESTABLISHED
> packets through, then adding extra lines to open just the ports you
> need to allow access to.

Yeah, I thought of doing that (it's how my Windows firewall is configured
at the moment), but the personal firewall given in BLFS just logs the
packets that ain't established/related rather than dropping them.

> 
> So, for ssh
> iptables -A INPUT -i eth0 -p tcp -d $LOCALIP --dport 22 -j ACCEPT
> 
> Remember: That which is not specifically allowed is denied :-)

Thanks for your guidance,

Matt.
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-chat' in the subject header of the message
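The default-deny layout Mark describes (policy DROP, accept ESTABLISHED/RELATED, then open only the ports you serve), written out as a small generator in iptables-restore format. This is an added example, not code from the thread or from BLFS; the function name build_ruleset, the interface/address/port values and the log prefix are assumptions, and it adds two things a practitioner usually wants alongside the rules in the mail: an explicit accept for loopback (a DROP policy otherwise breaks local services) and a rate-limited LOG rule so that what the policy drops still shows up in the logs, as the BLFS script does.

```shell
#!/bin/sh
# Emit a default-deny INPUT ruleset in iptables-restore format.
# Usage: build_ruleset <iface> <local-ip> <tcp-port>...
# Assumed/constructed: function name, example interface, address and ports.
build_ruleset() {
    iface="$1"
    localip="$2"
    shift 2
    printf '%s\n' '*filter'
    # Chain policies: the ":INPUT DROP" line is the same as "iptables -P INPUT DROP".
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # With a DROP policy, loopback must be accepted explicitly or local
    # daemons talking to 127.0.0.1 stop working.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus related traffic (e.g. ICMP errors).
    printf '%s\n' "-A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Open only the listed TCP ports for new connections; everything else
    # falls through to the policy ("not specifically allowed is denied").
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -d $localip --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped, rate-limited so a scan cannot fill the log.
    printf '%s\n' "-A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix \"INPUT-DROP: \""
    printf '%s\n' 'COMMIT'
}

# Example (constructed values): open only ssh on eth0 for 192.0.2.10.
# build_ruleset eth0 192.0.2.10 22 > /tmp/firewall.rules
# iptables-restore --test < /tmp/firewall.rules   # syntax check only
# iptables-restore < /tmp/firewall.rules          # load atomically (as root)
```

Loading the file with iptables-restore replaces the whole table in one step, so there is no window where the policy is DROP but the ESTABLISHED rule is not yet in place.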