Re: iptables & tcp wrappers

From: TJ Easter (tjeaster_at_gmail.com)
Date: 10/11/04

  • Next message: Ben Nelson: "Idle session logout"
    Date: Mon, 11 Oct 2004 14:15:28 -0400
    To: focus-linux@securityfocus.com, bugtraq@planetcobalt.net
    
    

    On Mon, 4 Oct 2004 00:06:35 +0200, Ansgar -59cobalt- Wiechers
    <bugtraq@planetcobalt.net> wrote:
    > On 2004-09-28 TJ Easter wrote:
    > > I've found it quite helpful to create a shell script to load the
    > > firewall rules. The first line of the script blows away all rules
    > > (iptables -F), then it proceeds to load the rules below that.
    >
    > The first line(s) should define the default policy (most likely DROP),
    > before flushing the chains. Otherwise the box may be open until the
    > rules are defined.
    >
    >
    >
    > Regards
    > Ansgar Wiechers
    > --
    > "Those who would give up liberty for a little temporary safety
    > deserve neither liberty nor safety, and will lose both."
    > --Benjamin Franklin
    >

    Ansgar,
        The reason I chose to load allow rules, followed by an explicit
    deny all as opposed to a deny policy is as for simplicity. When you
    issue "iptables -F" on the command line, you get the expected "allow
    all" behavior instead of having to flush *and* reset the policy.

    Unless you have a pretty hefty ruleset, the window of opportunity
    would be very small. I have since closed this window while still
    keeping the expected "allow all" behavior when flushing the rules.
    The first rule is to set the policy to DROP, load all rules, then
    after the explicit "deny all" rule, set the policy back to ACCEPT.

    Again, the script is available at http://tje.ssllink.net/firewall.tar.gz .

    Let me know if you find any issue with this behavior.

    Regards,
    TJ Easter

    -- 
    "Television is not an education."
    http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x31185D8E
    

  • Next message: Ben Nelson: "Idle session logout"