Re: IPChains rules
- To: <tlug@example.com>
- Subject: Re: IPChains rules
- From: Tobias Diedrich <ranma@example.com>
- Date: Fri, 2 Mar 2001 10:37:28 +0100 (CET)
- Content-Type: TEXT/PLAIN; charset=US-ASCII
- In-Reply-To: <3A9F6526.8D61A812@example.com>
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <6rOTzB.A.bXC.on2n6@example.com>
- Resent-Sender: tlug-request@example.com
A.Sajjad Zaidi wrote:
> But if I do something like this:
>
> ipchains -A input -b -s 99.99.99.99 -d 88.88.88.88 ! 21:22 -p tcp -j DENY
> ipchains -A input -b -s 99.99.99.99 -d 88.88.88.88 ! 80 -p tcp -j DENY
>
> it blocks everything.
>
> You don't mean a separate deny rule for every unwanted port, do you? That'll be
> a pain.

With ipchains you should either use ALLOW policy and explicitly DENY everything you don't want, or use DENY policy and explicitly ALLOW everything you need. You could write a script to generate those rules.

For iptables there is a "multiple port match" target IIRC, but you would have to upgrade your kernel to 2.4 then. iptables also has the advantage of being a "stateful" packet-filter, which can make the rules much simpler (in case of a firewall you might basically just say "allow all traffic from lan to the outside and allow only known existing incoming connections").

-- 
Tobias
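An added illustration of the "DENY policy, explicitly ALLOW what you need" approach and the rule-generating script Tobias suggests; this is not code from the thread. It reuses the addresses and ports from the quoted rules, only prints the ipchains/iptables commands (so they can be reviewed before being run as root), and the iptables variant assumes the 2.4 `state` and `multiport` matches.

```shell
#!/bin/sh
# Constructed example: generate firewall rules instead of hand-writing one
# DENY per unwanted port. Values are taken from the quoted message.
SRC=99.99.99.99   # client host from the quoted rules
DST=88.88.88.88   # protected host from the quoted rules

# gen_input_rules PORTSPEC...  -> prints ipchains commands on stdout.
# Each PORTSPEC is a single port or a low:high range, as ipchains accepts.
gen_input_rules() {
    # Default policy first: anything not explicitly allowed is denied.
    echo "ipchains -P input DENY"
    # Flush old rules so re-running the generated script is idempotent.
    echo "ipchains -F input"
    for spec in "$@"; do
        echo "ipchains -A input -s $SRC -d $DST $spec -p tcp -j ACCEPT"
    done
    # Log what falls through to the policy, to make troubleshooting easier.
    echo "ipchains -A input -l -j DENY"
}

# count_accepts PORTSPEC...  -> number of ACCEPT rules that would be added.
count_accepts() {
    gen_input_rules "$@" | grep -c -- '-j ACCEPT'
}

# gen_iptables_rules PORTLIST  -> stateful 2.4 equivalent, with PORTLIST as a
# comma-separated list for the multiport match (e.g. 21,22,80).
gen_iptables_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # Replies to connections we already know about are accepted up front,
    # so only new inbound connections need explicit rules.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $SRC -d $DST -m multiport --dports $1 -j ACCEPT"
    echo "iptables -A INPUT -j LOG"
    echo "iptables -A INPUT -j DROP"
}

# Review the output first; to apply as root:  gen_input_rules 21:22 80 | sh
gen_input_rules 21:22 80
```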
- Follow-Ups:
- Re: IPChains rules
- From: "Stephen J. Turnbull" <turnbull@example.com>
- References:
- Re: IPChains rules
- From: "A.Sajjad Zaidi" <sajjad@example.com>