
Saturday, July 02, 2005

Re: Firewall-troubleshooting

On Sat, Jul 02, 2005 at 04:46:29PM -0400, KC wrote:

> I need help understanding what goes wrong in this script. I cannot ping
> anyone and cannot resolve as well. In fact I believe the only thing I can
> get is an ip address from my isp's dhcp server.

There's no way I'm going to read through all of that and try to
understand it.

Perhaps you'd be better off starting with a smaller firewall script
and then adding to it as you need?

One thing did stand out though, you don't allow outgoing connections
generally. These lines:

> iptables --policy OUTPUT DROP
> iptables -t nat --policy OUTPUT DROP
> iptables -t mangle --policy OUTPUT DROP

They seem to say "no output except that which is explicitly allowed".

For a big network I too would restrict outgoing connections, but for
a home machine with only trusted hosts? It's an additional complication
which doesn't gain you much.

(Sure if you had a trojan which phoned home, or tried to compromise
other hosts .. it would help. But .. in general it is less useful than
it appears).

Steve
--

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
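To make the point of the reply concrete, here is an added example that is not part of the original thread and not KC's or Steve's script. It shows the two ways out of the situation described above: a small rule set that keeps the OUTPUT DROP policy but adds the handful of egress rules without which ping and DNS cannot work, and the simpler home-host variant the reply recommends (OUTPUT ACCEPT, filter inbound only). Both are built on `-m conntrack`, so replies to outgoing traffic are matched as ESTABLISHED rather than needing per-service inbound rules. It also includes a small check that flags a script whose OUTPUT policy is DROP with no ACCEPT rule in the OUTPUT chain at all, which is the condition in the quoted lines. The interface name `eth0` and the dry-run default (`IPT="echo iptables"`, which only prints the commands) are assumptions; set `IPT=iptables` and run as root to apply.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# WAN is an assumed interface name; IPT defaults to a dry run that prints
# the iptables commands instead of applying them (use IPT=iptables as root).
WAN="${WAN:-eth0}"
IPT="${IPT:-echo iptables}"

# Variant 1: keep the poster's restrictive OUTPUT DROP policy, but add the
# minimum egress rules. Without these, ping and name resolution both fail.
# (The DHCP lease likely still worked because dhclient sends through a raw
# packet socket that the OUTPUT chain never sees; that is an assumption
# about the client in use, not something the thread states.)
strict_egress_rules() {
    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT                                   # local sockets
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT              # DNS
    $IPT -A OUTPUT -o "$WAN" -p tcp --dport 53 -j ACCEPT              # DNS over TCP
    $IPT -A OUTPUT -o "$WAN" -p icmp --icmp-type echo-request -j ACCEPT  # ping
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 68 --dport 67 -j ACCEPT   # DHCP client
    # Every further outbound service (HTTP, SMTP, SSH, ...) needs its own
    # rule here; this is the "additional complication" the reply refers to.
}

# Variant 2: the smaller rule set the reply suggests for a trusted home
# machine. Outbound traffic is allowed; inbound is limited to replies.
home_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Echo replies, DNS answers and DHCP offers all arrive as ESTABLISHED or
    # RELATED, so nothing else is needed for ping and resolution to work.
    $IPT -A INPUT -i "$WAN" -j DROP                                  # everything unsolicited
}

# Check a saved rule script (file path in $1) for the lock-out pattern from
# the thread: an OUTPUT DROP policy with no ACCEPT rule in the OUTPUT chain.
# Returns 0 (true) when the script would cut off all outbound traffic.
egress_locked_out() {
    script="$1"
    if grep -Eq -- '(--policy|-P) OUTPUT DROP' "$script" \
       && ! grep -Eq -- '-A OUTPUT .*-j ACCEPT' "$script"; then
        return 0
    fi
    return 1
}

# Usage: sh firewall.sh strict | home | check <file>
case "${1:-}" in
    strict) strict_egress_rules ;;
    home)   home_rules ;;
    check)  if egress_locked_out "$2"; then
                echo "OUTPUT policy is DROP with no OUTPUT ACCEPT rule: outbound traffic blocked"
            else
                echo "outbound traffic has at least one ACCEPT rule"
            fi ;;
esac
```

Run `sh firewall.sh strict` or `sh firewall.sh home` to see the commands a variant would apply, and `sh firewall.sh check myfirewall.sh` against an existing script to catch the policy-without-rules mistake before loading it.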
