Very Computer

by **Raul Trujill** » Fri, 23 Jun 2000 04:00:00

On our firewall I set up some time restrictions so that the people
behind the firewall get logged off after a certain time (5:00 p.m.). On
this firewall, I flush ipchains with:

ipchains -F

However, I see that some do it in this manner:

ipchains -F input
ipchains -F output
ipchains -F forward

What is the difference, and which is better (more secure)? If I do a
"ipchains -F," would it be the same as the second type?

Thnx...

by **Sébastien Cottalord** » Sat, 24 Jun 2000 04:00:00

Hi,

It's securest doing a ipchains -F (All chains) because somebody could have
invest your Firewall and add others rules than you've set up.

But BE CAREFULL !!! : Flushing all chains log off every session but put
your Firewall in Forward all, input all, output all mode.
So if you do that, someone can make another session without restriction.
It's better Flushing all chains first and then put input, output, forward
rules immediatly after.

There is another way : modifying every chains without flushing them (it
depends of your set up).
For example, you can delete every entries on every chains and just keep (or
add) DENIAL : ALL
On the morning, you can delete the rule DENIAL:ALL and restore old rules.

Sebastien

> On our firewall I set up some time restrictions so that the people
> behind the firewall get logged off after a certain time (5:00 p.m.). On
> this firewall, I flush ipchains with:

> ipchains -F

> However, I see that some do it in this manner:

> ipchains -F input
> ipchains -F output
> ipchains -F forward

> What is the difference, and which is better (more secure)? If I do a
> "ipchains -F," would it be the same as the second type?

> Thnx...

Very Computer

IPCHAINS -F (or) IPCHAINS -F input, output, forward

IPCHAINS -F (or) IPCHAINS -F input, output, forward

IPCHAINS -F (or) IPCHAINS -F input, output, forward