
Help with some IPCHAINS details



Hi! I've recently begun experimenting with IPCHAINS in order to more fully lock down a couple Redhat 6.2 servers I have. Up until this point I've been running PortSentry, combined with TCP wrappers, and that seems to have worked just fine. However, I wanted some more control over the fine details. As a start, I set the input chain to allow access to some services such as SSH, WWW, and whatnot, by setting ACCEPT rules on those specific ports. Then I ended the chain with a rule to DENY everything that wasn't to one of those ports.

This, of course, led to all kinds of problems. FTP no longer working, and so on. I'm not masquerading this box. It's stand-alone, so I don't think the ftp-masq module will help me. I guess the root of my question is, is it safe to leave all those ports above 1024, excluding the X ports, open? Do I have to for normal programs to work? I've had no problems locking down the ports below 1024, but that still leaves about 64,000 of them open, which makes me uneasy. Should I continue to run Sentry, sort of as a second-string protection? The firewall would let people in on port 31337 say, but Sentry would nab it.

Any thoughts would be appreciated. I've read the HOW-TOs, and while I now have a good idea of how IPCHAINS works, I'm still a bit fuzzy on its correct and most secure implementation.

Thanks!

Andy
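
A small TCP-only model of the input chain described in the message above, added here as an illustration and not part of the original post: it evaluates rules first-match, as ipchains does, over constructed packets. The service port list, the sample packets and the second chain (which adds an ACCEPT for non-SYN TCP to ports 1024 and up, the condition ipchains expresses with `! -y`) are assumptions.

```python
# Toy first-match model of an ipchains input chain (constructed example, TCP only).
from collections import namedtuple

# syn=True means a new inbound TCP connection attempt (SYN set, ACK clear),
# which is what the ipchains -y option matches.
Packet = namedtuple("Packet", "desc dport syn")
Rule = namedtuple("Rule", "lo hi syn target")  # syn=None matches either kind

SERVICES = (21, 22, 80)  # assumed service ports: FTP control, SSH, WWW

def strict_chain():
    """ACCEPT per service port, then DENY everything (the setup in the post)."""
    rules = [Rule(p, p, None, "ACCEPT") for p in SERVICES]
    return rules + [Rule(0, 65535, None, "DENY")]

def reply_chain():
    """Same chain, plus ACCEPT for non-SYN TCP to ports 1024-65535."""
    rules = strict_chain()
    rules.insert(-1, Rule(1024, 65535, False, "ACCEPT"))  # before the final DENY
    return rules

def verdict(chain, pkt):
    """Return the target of the first rule that matches the packet."""
    for r in chain:
        if r.lo <= pkt.dport <= r.hi and r.syn in (None, pkt.syn):
            return r.target
    return "ACCEPT"  # chain policy; not reached here because of the final DENY

# Constructed sample traffic arriving at the server.
PACKETS = [
    Packet("new SSH connection", 22, True),
    Packet("reply to an outbound TCP connection the box made", 40000, False),
    Packet("passive-mode FTP data connection from a client", 40002, True),
    Packet("connection attempt to port 31337", 31337, True),
]

def evaluate(chain):
    """Map each sample packet description to the chain's verdict."""
    return {p.desc: verdict(chain, p) for p in PACKETS}

if __name__ == "__main__":
    for name, chain in (("strict", strict_chain()), ("reply", reply_chain())):
        print(name)
        for desc, target in evaluate(chain).items():
            print(f"  {target:6} {desc}")
```

In this model the passive-mode FTP data connection is denied by both chains, because it is a new inbound connection to a high port rather than a reply.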




