[ale] Bob Toxen's iptables rules help needed
Jim Seymour
bluejay at speedfactory.net
Mon Jun 20 01:32:16 EDT 2005
On Sun, Jun 19, 2005 at 04:39:25PM -0400, Dow Hurst wrote:
> Once I got the updated ruleset, my config worked well. Bob's treatment
> is pretty clear and gives examples of how to add a rule for an external
> service you need to allow. I felt comfortable with using that style of
> chains. There is no point for most configurations to have lots of
> chains as debugging or just understanding the ruleset can be such a
> bear. I also like the way he makes sure the rules block the path before
> allowing traffic as the interfaces come up. I've noticed many times
> that ruleset will allow interfaces to come up and be accessible while
> the rules are being configured. It is only after the rules are
> completely functional that the interfaces are really protected. That
> style of rules leaves you wide open initially for the time from
> interfaces coming up to ruleset being configured. What if you had a
> problem with a rule and the script dumped out? Then you'd have the
> machine possibly wide open and available!
> Dow
>
This is dead on the reason I wanted to use his setup. I had tried
several times to replace bastille and ipmasq with his rules and just
didn't think to check for errata on it. I did have to add one rule to
allow lo functionality, however other than that it is working great now.
I think I'll try crackertrap on down the road to see if I can get it
going on this Debian box.
Later,
Jim Seymour
--
I started using something better than the "standard" back when IBM advertised
OS/2 Warp on TV. As Linux matured I made the transition from OS/2 v4 to Linux.
You don't have to accept less than you deserve.
"Use the Power of the Penguin" Registered Linux user #316735
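The fail-closed loading order Dow describes (policies to DROP before any ACCEPT, so a script that dies part way never leaves the box open), written out as an added sketch that is not Bob Toxen's ruleset; the eth0 interface name, the loopback rules, and the single SSH hole are assumptions. Setting IPT=echo prints the rules in the order they would be applied instead of loading them.

```shell
#!/bin/sh
# Fail-closed iptables loader (added example, not Bob Toxen's rules).
# IPT defaults to the real binary; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"      # assumed external interface

# Abort on the first failed command: a typo in a later rule must not
# leave the host half-configured.
set -e

# Step 1: lock down before anything is permitted. Default policies go to
# DROP first, so the window between "interface up" and "ruleset complete"
# is closed rather than open; a flush afterwards does not change policies.
lockdown() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
}

# Step 2: the minimum. Loopback (the rule the thread found missing), then
# replies to connections this host opened itself.
allow_baseline() {
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Step 3: one explicit hole per external service you need to expose.
# Usage: allow_service tcp 22
allow_service() {
    $IPT -A INPUT -i "$WAN" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# If any step fails, set -e stops here and the DROP policies remain.
load() {
    lockdown
    allow_baseline
    allow_service tcp 22    # assumed: SSH is the only exposed service
}

# Run as: sh firewall.sh load   (sourcing the file only defines functions)
if [ "${1:-}" = "load" ]; then
    load
fi
```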