[ale] Bob Toxen's iptables rules help needed

Dow Hurst Dow.Hurst at mindspring.com
Sun Jun 19 16:50:30 EDT 2005


Once I got the updated ruleset, my config worked well.  Bob's treatment
is pretty clear and gives examples of how to add a rule for an external
service you need to allow.  I felt comfortable with using that style of
chains.  There is no point for most configurations to have lots of
chains, as debugging or just understanding the ruleset can be such a
bear.  I also like the way he makes sure the rules block the path before
allowing traffic as the interfaces come up.  I've noticed many times
that a ruleset will allow interfaces to come up and be accessible while
the rules are being configured.  It is only after the rules are
completely functional that the interfaces are really protected.  That
style of rules leaves you wide open initially for the time from the
interfaces coming up to the ruleset being configured.  What if you had a
problem with a rule and the script dumped out?  Then you'd have the
machine possibly wide open and available!
Dow


Jim Seymour wrote:

>On Sun, Jun 19, 2005 at 03:07:57PM -0400, Bob Toxen wrote:
>
>>I've not had reports of problems from anyone else.
>>
>>Do check the errata:
>>
>>     http://www.realworldlinuxsecurity.com/errata.html
>>
>>as Dow suggested.  Also, check elsewhere in the Firewall chapter where
>>I give extensive advice on debugging IP Tables and IP Chains.  Do
>>double-check what you have done as well.
>
>Thanks for your reply Bob. I installed and configured the updated
>rc.fwsoho and in addition found I had a misconfigured WinXP box trying
>to access the Internet through it (broadcast). All is well and I can now
>move on with fun stuff :-)
>
>Have a great day all,
>Jim Seymour
>
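A sketch of the "block the path first, then allow" bring-up order that Dow describes, as an added example: it is not Bob Toxen's rc.fwsoho and not code posted in this thread. The external interface name eth0, the TCP ports passed on the command line, and the legacy "-m state" match are assumptions. The iptables binary is reached through the IPTABLES variable so the ordering can be exercised without root by pointing it at a recording function.

```shell
#!/bin/sh
# Fail-closed iptables bring-up: added example, not Bob Toxen's rc.fwsoho.
# Assumptions (not from the thread): external interface eth0, the allowed
# TCP ports given as arguments, and the legacy "-m state" match. Meant to
# run from the boot sequence before the external interface is configured.

IPTABLES="${IPTABLES:-iptables}"   # command name; overridable for dry runs
EXT_IF="${EXT_IF:-eth0}"           # assumed external interface

# Every rule goes through fw(): if one iptables command fails, stop right
# there. Because the policies were already set to DROP, a script that
# "dumps out" halfway leaves the box closed instead of wide open.
fw() {
    "$IPTABLES" "$@" || {
        echo "firewall: FAILED: iptables $*" >&2
        echo "firewall: policies are DROP, host stays closed" >&2
        exit 1
    }
}

# Step 1: block the path. Policies first, then flush; from here on nothing
# is accepted until a rule explicitly allows it.
close_all() {
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT DROP
    fw -F
    fw -X
}

# Step 2: open only what is needed. One rule per external service, so
# adding a service means adding one port to the argument list.
open_services() {
    fw -A INPUT  -i lo -j ACCEPT
    fw -A OUTPUT -o lo -j ACCEPT
    fw -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        fw -A INPUT -i "$EXT_IF" -p tcp --dport "$port" \
           -m state --state NEW -j ACCEPT
    done
    # Anything else on INPUT falls through to the DROP policy; log it first.
    fw -A INPUT -j LOG --log-prefix "fw-drop: "
}

# Close first, open second: the order is the whole point.
bring_up() {
    close_all
    open_services "$@"
}

# Usage: sh fw.sh apply 22 80   (as root). Without "apply" nothing runs,
# so the file can be sourced to check the ordering with a fake IPTABLES.
if [ "${1:-}" = "apply" ]; then
    shift
    bring_up "$@"
fi
```

Run with IPTABLES set to a shell function that only records its arguments and you can see that the three DROP policies and the flush are issued before the first ACCEPT rule, and that a failing rule stops the script with the policies already in place.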