[Firewall] Aliases and Configs

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Mon Jul 14 09:08:13 MDT 2008


With firewall version 1.9.0 you can restrict rules to specific 
virtual aliases by specifying their IP. So instead of using e.g. 
OPEN_TCP="eth0:22", you should use OPEN_TCP="interface_IP:22"... It's as 
simple as that....

About your custom-rules: in principle you must always try to use the 
functionality in the script. Version 1.9 was mainly "founded" to 
implement stuff which was previously (often) put in custom-rules....

And last but not least (I don't know if you did): always perform port 
scans from an (other) outside machine, not from localhost...

A.

warren at leetnet.com wrote:
> 1.9.0-beta2
> 
> I have an external interface on a host with a /7 subnet.  The first usable
> IP has several ports open providing various services.  The others are either
> only available to myself for certain services are open externally to
> everyone.
> 
> Now I'm using custom-rules to insert before your rules my accepts and drops.
> This works, but it's a bit backwards as there's a handful of rules, and they
> must go in the INPUT chain before yours.  Unfortunately I'm not familiar
> enough, and haven't researched enough, how to hop between chains.  I did try
> adding one but it just gets bypassed it seems (0 references).
> 
> Is the new user/global config option better suited for this?  What would be
> best practice in this case?  Also, eth0+ seems ineffective (I added the
> aliases, the + in eth0+, restarted it hoping the rules would be the same
> across the board to start - and a port scan shows things open/closed/etc).
> I'm not sure if this is desired behavior, or maybe I have a configuration
> issue?
> 
> Thanks in advance for any advice!
> 
> 
> Warren Crigger
> 
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at lists.btito.net
> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl