IPCHAINS -F (or) IPCHAINS -F input, output, forward


Post by Raul Trujill » Fri, 23 Jun 2000 04:00:00



On our firewall I set up some time restrictions so that the people
behind the firewall get logged off after a certain time (5:00 p.m.).  On
this firewall, I flush ipchains with:

ipchains -F

However, I see that some do it in this manner:

ipchains -F input
ipchains -F output
ipchains -F forward

What is the difference, and which is better (more secure)?  If I do a
"ipchains -F," would it be the same as the second type?

Thnx...

 
 
 


Post by Sébastien Cottalord » Sat, 24 Jun 2000 04:00:00


Hi,

It's most secure to do an ipchains -F (all chains), because somebody could have
invaded your firewall and added rules other than the ones you've set up.

But BE CAREFUL!!! Flushing all chains logs off every session but puts
your firewall in forward all, input all, output all mode.
So if you do that, someone can make another session without restriction.
It's better to flush all chains first and then put the input, output, forward
rules in immediately after.

There is another way: modifying every chain without flushing them (it
depends on your setup).
For example, you can delete every entry on every chain and just keep (or
add) DENIAL: ALL.
In the morning, you can delete the DENIAL: ALL rule and restore the old rules.

Sebastien


> On our firewall I set up some time restrictions so that the people
> behind the firewall get logged off after a certain time (5:00 p.m.).  On
> this firewall, I flush ipchains with:

> ipchains -F

> However, I see that some do it in this manner:

> ipchains -F input
> ipchains -F output
> ipchains -F forward

> What is the difference, and which is better (more secure)?  If I do a
> "ipchains -F," would it be the same as the second type?

> Thnx...
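
Added example, not part of either post above: one way to script the 5:00 p.m. lockdown and the morning restore so that the chains are never left empty with a permissive policy. It relies on the fact that ipchains -F removes rules but leaves each chain's policy as it was; the variable names, the RULES path and the .locked marker file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. The variable names and the RULES path
# are assumptions; ipchains, ipchains-save and ipchains-restore are the tools.
IPCHAINS=${IPCHAINS:-ipchains}
SAVE=${SAVE:-ipchains-save}
RESTORE=${RESTORE:-ipchains-restore}
RULES=${RULES:-/etc/ipchains.daytime}    # hypothetical location

lockdown() {
    rc=0
    # Snapshot the daytime rules once; a second run must not overwrite
    # the snapshot with the already locked-down rule set.
    if [ ! -e "$RULES.locked" ]; then
        if $SAVE > "$RULES.tmp" && [ -s "$RULES.tmp" ]; then
            mv "$RULES.tmp" "$RULES"
        else
            rm -f "$RULES.tmp"
            rc=1                  # report it, but still lock down below
        fi
    fi
    # Fail closed: set the policies before flushing. -F removes rules only,
    # so whatever policy is in force decides every packet afterwards.
    for chain in input output forward; do
        $IPCHAINS -P "$chain" DENY || rc=1
    done
    $IPCHAINS -F || rc=1          # no chain name: flush every chain
    : > "$RULES.locked"
    return $rc
}

reopen() {
    # Refuse to reopen without a snapshot rather than guess at a rule set.
    [ -s "$RULES" ] || return 1
    $RESTORE -f < "$RULES" || return 1
    rm -f "$RULES.locked"
}
```

Call lockdown from the evening cron job and reopen from the morning one; a non-zero exit from lockdown means the firewall is closed but the snapshot or one of the ipchains calls failed.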


 
 
 

1. ipchains input (or output) and forward

Another newbie ipchains question.....

Does the input (or output) chain have to accept packages, before the
forward chain can forward them?

eg, if I have

ipchains -P input DENY
ipchains -P output DENY

with no modifying rules.....

then does

ipchains -A forward <yadayada> MASQ work?

or do I need to do something like:

ipchains -P input DENY
ipchains -P output DENY

ipchains -A input <yadayada> ACCEPT
ipchains -A output <yadayada> ACCEPT
ipchains -A forward <yadayada> MASQ

thx again.

2. Alpha peripherals for the SROM port?

3. Understanding IPCHAINS --> INPUT, FORWARD & OUTPUT

4. Kiss Nordic Satmodem

5. Generating ipchains command from ipchains -L output.

6. QUESTION: time stampinig in user programs

7. ipchains input vs output chain

8. NIS help wanted

9. ipchains problem - allow forward but not input

10. ipchains: input vs. output

11. Using "ipchains -P forward DENY" instead of disabling ip-forwarding?

12. ipchains-save, ipchains-restore (and WINS)

13. ipchains: command not found - only sometimes (ipchains newbie)