Re: Basic IPTable filter
From: Mike (foor_at_bar.com)
Date: 06/24/03
Date: 24 Jun 2003 15:12:38 GMT
"Tino Didriksen" <news@projectjj.dk> wrote in news:3ef868fc$0$76092$edfadb0f@dread11.news.tele.dk:
> How secure would this setup be in a firewall sense?
>
> Incoming packets (INPUT)
> --Default action: Drop
> Accept If protocol is ICMP and rate is less than 5/sec
You can allow those from your ISP or NOC only (except if YOU are an ISP ;-)
> Accept If protocol is UDP and destination ports are 123
It's up to you ;-)
> Accept If protocol is TCP and destination ports are
> 80,21,22,25,110,443,225,995
I don't know what you have on port 225.
Your potential problem could be a vulnerability in any of the allowed
services. I presume that this firewall is protecting a DMZ and that the
firewall host itself isn't running ANYTHING other than the firewall...
> Accept If state of connection is ESTABLISHED,RELATED
>
> Outgoing packets (OUTPUT)
> --Default action: Accept
If you don't want to be nasty to your users... ;-)
> Accept If rate is less than 2000/sec and burst rate is less than 2000
> Accept If protocol is ICMP and rate is less than 5/sec
> Drop If protocol is ICMP
Cheers,
--
Nekromancer
"The level of knowledge acquired is inversely proportional to the temperature of the coffee."
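As an added example, not part of Mike's reply or Tino's original post, here is the policy quoted above written out as an iptables-restore ruleset, with Mike's suggestion applied: ICMP is accepted only from the ISP/NOC range. The management range 192.0.2.0/24, the FORWARD policy, the loopback rule and the `conntrack` match (the 2003 equivalent was `-m state --state`) are assumptions, not something the thread specifies. The script only generates the ruleset; it loads nothing into the kernel unless invoked with `apply`.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the policy
# discussed in the thread (INPUT default DROP, rate-limited ICMP, UDP/123,
# a fixed set of TCP service ports, ESTABLISHED/RELATED; OUTPUT default
# ACCEPT with ICMP rate limiting), plus the reply's advice to accept ICMP
# only from the ISP/NOC range.
#
# Assumptions (not from the thread): the management range 192.0.2.0/24,
# the FORWARD policy, the loopback rule and the conntrack match.

NOC_NET="${NOC_NET:-192.0.2.0/24}"        # assumed ISP/NOC range (TEST-NET-1)
TCP_PORTS="80,21,22,25,110,443,225,995"   # as posted; 225 is unexplained, confirm what listens there

# Emit the complete ruleset in iptables-restore format on stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and existing flows first; the rules after only see new connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: only from the management range, at most 5 packets/s (burst 5).
-A INPUT -p icmp -s ${NOC_NET} -m limit --limit 5/second --limit-burst 5 -j ACCEPT
-A INPUT -p icmp -j DROP
# NTP.
-A INPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# Public TCP services (multiport takes up to 15 ports per rule).
-A INPUT -p tcp -m multiport --dports ${TCP_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# OUTPUT: limit ICMP, then drop the excess. The generic 2000/s ACCEPT goes
# last so it cannot shadow the ICMP drop; with policy ACCEPT it only counts.
-A OUTPUT -p icmp -m limit --limit 5/second --limit-burst 5 -j ACCEPT
-A OUTPUT -p icmp -j DROP
-A OUTPUT -m limit --limit 2000/second --limit-burst 2000 -j ACCEPT
COMMIT
EOF
}

# Print the default policy of a chain (INPUT, FORWARD or OUTPUT) taken from
# the generated ruleset, so the policy can be checked without loading it.
policy_of() {
    gen_rules | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Number of rules that would accept a *new* inbound connection.
count_inbound_accepts() {
    gen_rules | grep -c -- '^-A INPUT .*--ctstate NEW .*-j ACCEPT'
}

case "${1:-}" in
    apply) gen_rules | iptables-restore ;;   # needs root; loads the table atomically
    *)     gen_rules ;;
esac
```

Run it without arguments to print the ruleset (redirect to `/etc/iptables/rules.v4` or similar), or with `apply` as root to load it. Two things worth noting when comparing this with the posted policy: in the posted OUTPUT ordering the 2000/s ACCEPT rule comes before the ICMP rules, so any ICMP packet that arrives while total output is under 2000/s is accepted by the first rule and the ICMP drop never fires; and with an OUTPUT policy of ACCEPT a rate-limited ACCEPT rule does not drop anything by itself, it would need a following DROP to have an effect.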