Quote:
Originally Posted by dansawyer
All,
Below is the lead from the auto generated IPTABLES script. It would seem to me that the INPUT policy should be 'REJECT' instead of 'ACCEPT'.
Thanks - Dan
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
(the script goes on to allow specific services)
I see this a lot on Red Hat boxes... usually there's a "catch-all" rule at the end of the RH-Firewall-* chain which does a DROP or a REJECT...
but yes, optimally you'd wanna get rid of those RH-Firewall-* rules, set your policies to DROP, and make your own rules...
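The check the reply describes, as an added example that is not part of the thread: a small POSIX shell/awk audit that reads an iptables-save style ruleset and flags the combination discussed above (INPUT/FORWARD policy ACCEPT with no unconditional DROP/REJECT closing the custom chain). The function name, the two sample rulesets and the default chain name are assumptions based on the quoted generator output.

```shell
# Added example, not from the original post: audit an iptables-save style
# ruleset for the two points raised above. Weak = INPUT/FORWARD policy is
# ACCEPT and the custom chain they jump to has no unconditional DROP/REJECT
# as its last rule, so unmatched packets fall through to ACCEPT.
audit_ruleset() {
    chain="${1:-RH-Firewall-1-INPUT}"   # assumed default: the Red Hat chain shown above
    awk -v chain="$chain" '
        /^:(INPUT|FORWARD) +ACCEPT/ {       # ":INPUT ACCEPT [0:0]" style policy lines
            print "policy ACCEPT on " substr($1, 2); weak_policy = 1
        }
        $0 ~ ("^-A " chain " ") { last = $0 }   # remember the chain'"'"'s final rule
        END {
            # catch-all = "-j DROP" / "-j REJECT" with no match options before the jump
            if (last ~ ("^-A " chain " -j (DROP|REJECT)( |$)")) catch_all = 1
            if (!catch_all) print "no unconditional DROP/REJECT at end of " chain
            if (weak_policy && !catch_all) { print "RESULT: weak"; exit 1 }
            print "RESULT: ok"; exit 0
        }'
}

# Constructed sample: the generator output quoted above, with no catch-all rule.
WEAK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
COMMIT'

# Constructed hardened variant: DROP policies plus an explicit final REJECT.
HARDENED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

printf '%s\n' "$WEAK" | audit_ruleset || :       # prints findings, returns 1
printf '%s\n' "$HARDENED" | audit_ruleset        # RESULT: ok
```

Run it against a live box with `iptables-save | audit_ruleset` (or pass another chain name as the first argument) to see whether the generated chain is actually closed off.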