[Dshield] Configuring iptables; need favorite port lists

Johannes Ullrich jullrich at euclidian.com
Fri Jun 20 12:31:41 GMT 2003


Probably the best introduction to iptables is Robert Ziegler's book,
"Linux Firewalls". 

A decent home firewall should block everything inbound, but can probably
be rather open on the outbound end for home use where you are running a
variety of clients (ftp, instant messenger, web, dns). Now once you get
more zones (e.g. a DMZ for a server, or a wireless access point), things
get more interesting. 

A few links:

"Smoothwall", just played with it yesterday for the first time; 
it is very slick and easy to set up. Intended as a "boot and run"
minimal Linux CD.
http://www.smoothwall.org/

"Netfilter", for advanced users: a lot of tips, add-ons and such (check
out the 'recent' module; it is very cool).
http://www.netfilter.org/

http://www.linux-firewall-tools.com/, web site by Robert Ziegler;
great intro and lots of nifty tools.



On Thu, 2003-06-19 at 13:37, Kenton Smith wrote:
> Forgive me if this misses your point (again, sorry) but what about using
> Ed's deny all for your rules and log everything that isn't explicitly
> allowed. You could then just grep (or similar) the logs for the
> interesting ports. This would allow you to pull information for the
> interesting ports today, and if there was a new interesting port
> tomorrow, you would still have all the information at your disposal for
> historical reference as well. This would then also prevent any errors
> inadvertently made while changing your IPTables on a regular basis.
> Of course you need lots of disk space but that's cheap...
> 
> Just a thought,
> 
> Kenton
> 
> 
> On Thu, 2003-06-19 at 07:34, John Sage wrote:
> > On Thu, Jun 19, 2003 at 06:41:15AM -0500, Ed Truitt wrote:
> > > I don't have a specific list, but I would look for the following:
> > 
> > <snip>
> > 
> > > BTW, I have all my IPTABLES built with one port/entry, that way I can
> > > adjust it easily enough.  YMMV.
> > > 
> > > Hope this helps.
> > 
> > So you have one line/statement per port?
> > 
> > This is a good idea.
> > 
> > It may be that I should try that approach...
> > 
> > ...at the moment I'm still hacking through iptables for two goals:
> > 
> > 1) learn how it works
> > 
> > 2) get it to do what I want...
> > 
> > 
> > Thanks..
> > 
> > 
> > - John
> 
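The rule set the thread converges on (default-deny inbound, open outbound, one rule per allowed port, log everything that falls through, and the netfilter 'recent' module for throttling), together with Kenton's "grep the logs for interesting ports" idea, as an added example that is not code from any of the posters. Assumptions: the only inbound port allowed is 22 (change ALLOWED_TCP_IN), the LOG prefix "IPT-DENY: " is mine, the log lines are constructed for illustration, and IPT defaults to a dry run that prints the iptables commands instead of applying them (set IPT=iptables on the firewall itself).

```shell
#!/bin/sh
# Added example, not from the list posts. Dry run by default: IPT=iptables ./fw.sh
IPT="${IPT:-echo iptables}"

# Inbound TCP ports explicitly allowed, one rule per port so each one is
# easy to adjust or remove on its own (the "one port per entry" approach).
ALLOWED_TCP_IN="22"

build_rules() {
    $IPT -F
    $IPT -P INPUT DROP                 # block everything inbound by default
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT              # open outbound for home clients

    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 'recent' module: remember new connections to port 22 per source and
    # drop a source that opens 5 or more in 60 seconds (brute-force throttle).
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update \
        --seconds 60 --hitcount 5 --name SSH -j DROP

    for p in $ALLOWED_TCP_IN; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Log whatever was not explicitly allowed, then the policy drops it.
    # The limit keeps a flood from filling the disk; raise it if you really
    # want every packet on record as Kenton suggests.
    $IPT -A INPUT -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "IPT-DENY: "
}

# Constructed sample of kernel LOG output (fields trimmed for brevity).
SAMPLE_LOG='Jun 20 12:31:41 gw kernel: IPT-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3201 DPT=135 SYN
Jun 20 12:31:42 gw kernel: IPT-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3202 DPT=445 SYN
Jun 20 12:31:50 gw kernel: IPT-DENY: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=4410 DPT=135 SYN
Jun 20 12:32:03 gw kernel: IPT-DENY: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1434 DPT=1434
Jun 20 12:32:10 gw kernel: IPT-DENY: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Jun 20 12:32:15 gw kernel: IPT-DENY: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=135 SYN'

# Denied packets per protocol/destination port, most hit first.
# Reads log lines on stdin; ICMP lines carry no DPT and are skipped.
top_blocked_ports() {
    grep 'IPT-DENY:' \
        | sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
        | sort | uniq -c | sort -rn
}

# Distinct sources that probed a given destination port (stdin = log lines).
sources_for_port() {
    grep 'IPT-DENY:' | grep -E "DPT=$1( |\$)" \
        | sed 's/.*SRC=\([0-9.]*\).*/\1/' | sort -u
}

# Helpers that run the queries over the constructed sample.
sample_top() { printf '%s\n' "$SAMPLE_LOG" | top_blocked_ports; }
sample_sources() { printf '%s\n' "$SAMPLE_LOG" | sources_for_port "$1"; }

if [ "${1:-}" = "run" ]; then
    build_rules
    echo "--- top blocked ports (sample log) ---"
    sample_top
fi
```

Against a live box the same queries are `top_blocked_ports < /var/log/messages` (or wherever klogd writes), and because every denied packet is logged rather than just the ports you thought of today, a port that becomes interesting next week can still be pulled out of the old logs.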