Re: iptables & tcp wrappers
From: TJ Easter (tjeaster_at_gmail.com)
Date: Mon, 11 Oct 2004 14:15:28 -0400 To: firstname.lastname@example.org, email@example.com
On Mon, 4 Oct 2004 00:06:35 +0200, Ansgar -59cobalt- Wiechers
> On 2004-09-28 TJ Easter wrote:
> > I've found it quite helpful to create a shell script to load the
> > firewall rules. The first line of the script blows away all rules
> > (iptables -F), then it proceeds to load the rules below that.
> The first line(s) should define the default policy (most likely DROP),
> before flushing the chains. Otherwise the box may be open until the
> rules are defined.
> Ansgar Wiechers
> "Those who would give up liberty for a little temporary safety
> deserve neither liberty nor safety, and will lose both."
> --Benjamin Franklin
The reason I chose to load allow rules, followed by an explicit
deny all as opposed to a deny policy is as for simplicity. When you
issue "iptables -F" on the command line, you get the expected "allow
all" behavior instead of having to flush *and* reset the policy.
Unless you have a pretty hefty ruleset, the window of opportunity
would be very small. I have since closed this window while still
keeping the expected "allow all" behavior when flushing the rules.
The first rule is to set the policy to DROP, load all rules, then
after the explicit "deny all" rule, set the policy back to ACCEPT.
Again, the script is available at http://tje.ssllink.net/firewall.tar.gz .
Let me know if you find any issue with this behavior.
-- "Television is not an education." http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x31185D8E