On Thu, 09.09.2004 at 4:29, Wal wrote:

> Is it possible to have the Fedora Core
> default, out-of-the-box iptables settings
> be more like the following?
>
> RelatedComponent- system-config-securitylevel
> File- /etc/sysconfig/iptables
>
> # generated by ____
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]   <-- this or the last but one line? This would be nonsense in my eyes.
> :SecLev505-INPUT - [0:0]

Any good reason why you use -I (=insert), so that all rules have to be read from bottom to top? As iptables works through the rules from top to bottom, reading them from a config file like that is the other way round.

> -I SecLev505-INPUT -p all -j DROP

Having a DROP policy, this is redundant. And I would not like a default DROPping. If something like that, then a REJECT rule (the policy can't be set to REJECT).

> -I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER1>
> --sport 53 --dport 1025:65535 -j ACCEPT
> -I SecLev505-INPUT -p udp -m udp -s <DNS_SERVER2>
> --sport 53 --dport 1025:65535 -j ACCEPT

DNS uses not only UDP but TCP too. Wouldn't incoming answers from DNS servers already be caught by the rule below, which comes first in order?

> -I SecLev505-INPUT -p tcp -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> -I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
> -I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT
> -I INPUT -j SecLev505-INPUT
> :OUTPUT ACCEPT [0:0]   <-- compare with the OUTPUT policy line above
> COMMIT

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 17:20:56 up 10 days, 14:37, load average: 0.30, 0.25, 0.23
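Added example (not part of either mail): a small POSIX shell script that simulates how iptables-restore orders a chain when the file uses -I (insert at head, no position given) versus -A (append), which is the ordering point raised in the reply above. The rules are a constructed copy of the quoted SecLev505-INPUT chain; the <DNS_SERVER1>/<DNS_SERVER2> placeholders are filled with the documentation addresses 192.0.2.53 and 192.0.2.54 purely as an assumption for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Shows why a file written with -I reads bottom-to-top: each "-I CHAIN"
# without a rule number inserts at position 1, so the LAST line in the file
# becomes the FIRST rule the kernel evaluates. "-A CHAIN" appends, so the
# file order equals the evaluation order (this is also what iptables-save
# itself writes).

# Constructed copy of the quoted SecLev505-INPUT rules. 192.0.2.53 and
# 192.0.2.54 stand in for <DNS_SERVER1>/<DNS_SERVER2> (assumption).
WAL_RULES='-I SecLev505-INPUT -p all -j DROP
-I SecLev505-INPUT -p udp -m udp -s 192.0.2.53 --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p udp -m udp -s 192.0.2.54 --sport 53 --dport 1025:65535 -j ACCEPT
-I SecLev505-INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-I SecLev505-INPUT -p tcp -m tcp -s 0/0 --syn -j DROP
-I SecLev505-INPUT -i lo -s 0/0 -j ACCEPT'

# effective_order RULES
#   Print the chain in the order the kernel will evaluate it after loading
#   the given rule lines: "-I" lines are pushed onto the head (shifting the
#   earlier ones down), "-A" lines are appended to the tail.
effective_order() {
    printf '%s\n' "$1" | awk '
        $1 == "-I" { for (i = n; i >= 1; i--) r[i+1] = r[i]; r[1] = $0; n++; next }
        $1 == "-A" { r[++n] = $0; next }
        END { for (i = 1; i <= n; i++) print r[i] }'
}

# to_append_form RULES
#   Rewrite a -I ruleset as the equivalent -A ruleset: the effective order
#   written top to bottom, so the file can be read the way iptables walks it.
to_append_form() {
    effective_order "$1" | sed 's/^-I /-A /'
}

# first_target RULES
#   The -j target of the first rule the kernel evaluates.
first_target() {
    effective_order "$1" | head -n 1 | sed 's/.* -j //'
}

# Demonstration: the posted file order versus the real evaluation order.
echo "## as written (file order, -I):"
printf '%s\n' "$WAL_RULES"
echo
echo "## as the kernel evaluates it (equivalent -A form):"
to_append_form "$WAL_RULES"
echo
echo "first rule evaluated jumps to: $(first_target "$WAL_RULES")"
```

Running it prints the loopback ACCEPT as the first rule evaluated and the "-p all -j DROP" catch-all as the last, the exact reverse of the file order in the post. A ruleset written with -A is a fixed point of the simulation: loading it and dumping it gives back the same order, which is why the append form is the one a config file should use.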