Re: Iptables Clues and Advices.

[Pierre BETOUIN <info16 () ifrance com>]

Le ven 04/04/2003 à 14:06, Christian Friedl a écrit :
> Nahual Guerrero <nahual () axis org> writes on 
> Wed, 02 Apr 2003 22:55:55 +0200 (METDST):
>
>
> > > >
>
> my $iptfh = 'iptables -F';
> my $iptin = 'iptables -A INPUT -j DROP -p tcp -s ! 127.0.0.0/255.255.255.0 
> --destination-port';
> my $iptil = 'iptables -A INPUT -j LOG -p tcp -s ! 127.0.0.0/255.255.255.0 
> --destination-port';
> my $iptol = 'iptables -A OUTPUT -j LOG';
> my $iptfl = 'iptables -A FORWARD -j LOG';
>
> system ("clear");
> print "Tirando de la Cadena....\n";
>
> > > >
>
>
> Hm... well first off, it's always better to change the default
> rule of the table to REJECT 
DROP would be better there because you don't need to prevent attackers
that this port is filtered.

> and only after that allow the ports you actually use. I know... it's a lot of work, but far more secure, and
> you learn an awful lot (like not to forget to allow nameserver connects ;-), or if you're doing it remotely, how to 
> charm a malevolent sysadmin into resetting those darn rulesets *g*)
>
> Second... -j LOG on everything must produce incredibly large logfiles!?
> And thirdly, what does "Tirando de la Cadena" mean? :-)
>
> c 
-- 
Pierre BETOUIN <info16 () ifrance com>

Attachment: signature.asc
Description: