Firewalling
J Greene
j_a_greene at yahoo.com
Tue Oct 16 18:04:26 CDT 2001
Joel,
Here is a firewall script. This is pretty anal, but
that is good in system security.
#!/bin/sh
#
### rc.firewall
#
LOCAL_IF="xxx.xxx.xxx.xxx" # Change to your ipaddress
### Flush 'em
ipchains -F input
ipchains -F output
ipchains -F forward
### Set default policies
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
### Accept valid requests
ipchains -A input -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
ipchains -A input -s $LOCAL_IF -d $LOCAL_IF -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --dport www -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --dport ftp -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --dport ftp-data -j ACCEPT
# ipchains -A input -p tcp -d $LOCAL_IF --dport telnet -j ACCEPT
# ipchains -A input -p tcp -d $LOCAL_IF --dport 137:139 -j ACCEPT
# ipchains -A input -p udp -d $LOCAL_IF --dport 137:139 -j ACCEPT
# ipchains -A input -p tcp -d $LOCAL_IF --dport ssh -j ACCEPT
# ipchains -A input -p tcp -i eth0 -d $LOCAL_IF --sport smtp -j ACCEPT
### Accept Responses
ipchains -A input -p tcp -i eth0 -d $LOCAL_IF --sport domain -j ACCEPT
ipchains -A input -p udp -i eth0 -d $LOCAL_IF --sport domain -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --sport www -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --sport ftp -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --sport ftp-data -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --sport telnet -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --sport 137:139 -j ACCEPT
# ipchains -A input -p udp --sport 137:139 -j ACCEPT
ipchains -A input -p ICMP -d $LOCAL_IF --icmp-type ping -j ACCEPT
ipchains -A input -p ICMP -d $LOCAL_IF --icmp-type pong -j ACCEPT
### Drop/deny that that doth not match
ipchains -A input -p ! tcp -d 224.0.0.0/24 -j DENY
ipchains -A input -p udp --sport 67 -j DENY
ipchains -A input -p udp --sport 68 -j DENY
ipchains -A input -j DENY -l
Jason
--- "Franklin, Joel" <JDFranklin at moheck.com> wrote:
> I've been handed a couple of bricks and been tossed, fully clothed, into
> the deep end. Our firewall needs to be analyzed and overhauled and I've been
> volunteered. Can anyone recommend a good book or online intro to
> firewalling? I'm not looking for specific rule sets (although these can be
> helpful) so much as I'm looking for general guidelines. This will strictly
> be for security purposes; we're not looking to limit employee access to
> anything or anywhere.
>
> Joel Franklin
> Network Analyst
=====
http://www.hailmaryfullofgrace.net
More information about the Kclug mailing list