Archaic archaic at indy.rr.com
Fri Feb 13 03:25:16 PST 2004

On Thu, Feb 12, 2004 at 10:48:26PM -0700, ken_i_m at elegantinnovations.net wrote:
> This may work for a system where you are the sole admin but it does not 
> scale.  I work with a sysadmin who does as you do.  The print out of the 
> ruleset goes for pages.  Fortunately, the task of rewriting them has been 
> given to me.  Sanity will reign.

It works best in a multiple sysadmin situation, though. Like I said
originally, "if I make a bonehead mistake..." now becomes "if some other
bonehead makes a mistake..." There are many known exploited ports that
few, if any, would have reason to open. That said, typos occur. My
entire post-network-up firewall script ruleset is only 89 lines (for the
rules only, not counting commenting or blank lines). I can't seem to
consider that overly excessive, plus there is much in my script (since I
comment and format heavily) that would be good for some to be
specifically aware of. Here's an example:

# Block TCP and UDP on port numbers that are commonly attacked
# (obviously, if you need one of these, don't block it)
# Port                          Service
# ----                          -------
# 0                             reserved
# 1                             tcpmux
# 13                            daytime
# 98                            linuxconf
# 111                           sunrpc (portmap)
# 137:139, 445                  Microsoft
# 161:162                       SNMP
# 512:515                       rexec, rlogin, rsh, lpd
# 517:518                       talk, ntalk
# 520                           RIP
# 1080                          Socks proxy server
# 3128, 8000, 8008, 8080        Squid flotilla
# 1214                          Morpheus / KaZaA
# 2049                          NFS
# 6000                          X (X over ssh is secure and runs on port 22)
# 6112                          Sun's/HP's CDE
# 9000                          Sangoma T1/E1 card control

Some are blocked specifically for egress protection, as well.
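An added example, not the poster's own script: a POSIX sh snippet that takes a port list in the same format as the table above (ranges as lo:hi, several entries comma-separated) and prints the corresponding iptables DROP rules for both TCP and UDP on ingress and egress, plus a helper that checks whether a given port falls inside the list. It assumes iptables is the firewall (the post does not name one) and only prints the commands, so the output can be reviewed before it is applied.

```shell
#!/bin/sh
# Constructed port list in the post's comment-table format (assumption: this is
# the full set the post shows; adjust to what the local hosts actually need).
BLOCKED_PORTS="0 1 13 98 111 137:139,445 161:162 512:515 517:518 520 1080 3128,8000,8008,8080 1214 2049 6000 6112 9000"

# Emit one DROP rule per protocol per port spec on INPUT (ingress) and OUTPUT
# (egress). iptables' multiport match accepts both lo:hi ranges and comma lists,
# so each spec can be passed through unchanged. Nothing is executed here.
gen_port_block_rules() {
    for spec in $BLOCKED_PORTS; do
        for proto in tcp udp; do
            for chain in INPUT OUTPUT; do
                printf 'iptables -A %s -p %s -m multiport --dports %s -j DROP\n' \
                    "$chain" "$proto" "$spec"
            done
        done
    done
}

# Return 0 if $1 is covered by BLOCKED_PORTS, 1 otherwise. Useful as a sanity
# check before opening a service: is this port one we deliberately drop?
port_is_blocked() {
    port=$1
    for spec in $BLOCKED_PORTS; do
        oldifs=$IFS
        IFS=,
        for item in $spec; do
            IFS=$oldifs
            case $item in
                *:*) lo=${item%%:*}; hi=${item##*:} ;;   # range lo:hi
                *)   lo=$item;        hi=$item ;;        # single port
            esac
            if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                return 0
            fi
        done
        IFS=$oldifs
    done
    return 1
}
```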


