> Generally, for security reasons (and being a good netizen), you want to
> drop all outgoing traffic that's not explicitly allowed. Open outgoing
> ports that you need for critical services and that's it. In Linux, you
> can set the OUTPUT chain's policy to DROP and then make the first rule
> an ACCEPT on -m state --state RELATED,ESTABLISHED. You should mirror
> that in the INPUT and FORWARD chains. Underneath those first ACCEPT
> rules you would accept whatever other traffic you wanted to come in, be
> forwarded or go out (in INPUT, FORWARD and OUTPUT, resp.).

Be careful here: I've seen hack attempts that set the RELATED and/or ESTABLISHED bits on a packet to bypass a firewall. The only thing that saved me was that the server that was being attacked had its own firewall that had all of its allowed traffic explicitly defined. I think that iptables supports internal connection tracking, which is an alternative to the --state check but is probably much more RAM intensive.

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
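The ruleset the quoted advice describes, written out as a script. This is an added example and not code from either poster: default-deny policy on INPUT, FORWARD and OUTPUT, a RELATED,ESTABLISHED accept as the first rule in each chain, and explicit per-port accepts for NEW connections underneath. The port lists are constructed placeholders. One point worth knowing when reading the reply's warning: `-m state` (and its newer spelling `-m conntrack --ctstate`) consults the kernel's connection-tracking table, not any bit in the packet, so it is the "internal connection tracking" the reply mentions rather than an alternative to it; a packet whose TCP flags claim an ongoing connection that the tracker has never seen is classified INVALID, and the script drops that state explicitly rather than letting it fall through to later rules. `IPT` names the iptables binary; `--dry-run` prints the rules instead of applying them, and `--apply` must be run as root.

```shell
#!/bin/sh
# Added example (not from the original thread): default-deny iptables ruleset
# with connection-tracking accepts first and explicit allows underneath.
IPT="${IPT:-iptables}"

# Constructed placeholder port lists; adjust to the services this host needs.
ALLOWED_OUT_TCP="53 80 443"   # DNS, HTTP, HTTPS to the outside
ALLOWED_OUT_UDP="53 123"      # DNS, NTP
ALLOWED_IN_TCP="22"           # SSH offered by this host

apply_rules() {
    # Start from an empty filter table and set default-deny on all built-in chains.
    "$IPT" -F
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # Loopback stays open or local services (resolver, databases) break.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # First rule in each chain: replies to connections the tracker already
    # knows about are accepted without consulting the port rules below.
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -A "$chain" -m state --state RELATED,ESTABLISHED -j ACCEPT
    done

    # Packets that do not belong to any tracked connection and are not a
    # valid start of one (e.g. stray ACKs) are dropped here, not matched later.
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Explicit allows: only NEW connections, only the named ports.
    for p in $ALLOWED_IN_TCP; do
        "$IPT" -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_OUT_TCP; do
        "$IPT" -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_OUT_UDP; do
        "$IPT" -A OUTPUT -p udp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Prints one iptables argument list per line instead of executing it.
show_rule() {
    printf '%s\n' "$*"
}

# Dry run: same rules, routed through show_rule in a subshell so IPT is untouched.
dry_run() {
    ( IPT=show_rule; apply_rules )
}

case "${1:-}" in
    --apply)   apply_rules ;;
    --dry-run) dry_run ;;
esac
```

Everything after the RELATED,ESTABLISHED rule is evaluated only for packets the tracker does not already associate with a connection, so the INVALID drop and the NEW-only accepts together are what keep a forged "looks established" packet from reaching a service.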