Firewalling

J Greene j_a_greene at yahoo.com
Tue Oct 16 18:04:26 CDT 2001


Joel,

Here is a firewall script. This is pretty anal, but 
that is good in system security.

#!/bin/sh
#
### rc.firewall
#
LOCAL_IF="xxx.xxx.xxx.xxx" # Change to your ipaddress
### Flush 'em
ipchains -F input
ipchains -F output
ipchains -F forward
### Set default policies (input and forward default to DENY, so anything
### not explicitly accepted below is dropped)
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward DENY
### Accept valid requests
# Loopback traffic is bound to the lo interface, so a packet that claims
# a 127.0.0.1 source but arrives on eth0 does not match this rule
ipchains -A input -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
ipchains -A input -s $LOCAL_IF -d $LOCAL_IF -j ACCEPT
# Services this host offers; uncomment only what is actually running
ipchains -A input -p tcp -d $LOCAL_IF --dport www       -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --dport ftp       -j ACCEPT
ipchains -A input -p tcp -d $LOCAL_IF --dport ftp-data  -j ACCEPT
# ipchains -A input -p tcp -d $LOCAL_IF --dport telnet  -j ACCEPT
# ipchains -A input -p tcp -d $LOCAL_IF --dport 137:139 -j ACCEPT
# ipchains -A input -p udp -d $LOCAL_IF --dport 137:139 -j ACCEPT
# ipchains -A input -p tcp -d $LOCAL_IF --dport ssh     -j ACCEPT
# ipchains -A input -p tcp -i eth0 -d $LOCAL_IF --sport smtp   -j ACCEPT
### Accept Responses
# "! -y" matches only TCP packets that are not a bare SYN, i.e. replies to
# connections this host opened itself. Without it, a packet whose source
# port merely happens to be one of these could open a new connection to
# any local port, which is not what a "response" rule is meant to allow.
ipchains -A input -p tcp ! -y -i eth0 -d $LOCAL_IF --sport domain -j ACCEPT
ipchains -A input -p udp -i eth0 -d $LOCAL_IF --sport domain -j ACCEPT
ipchains -A input -p tcp ! -y -d $LOCAL_IF --sport www      -j ACCEPT
ipchains -A input -p tcp ! -y -d $LOCAL_IF --sport ftp      -j ACCEPT
ipchains -A input -p tcp ! -y -d $LOCAL_IF --sport ftp-data -j ACCEPT
ipchains -A input -p tcp ! -y -d $LOCAL_IF --sport telnet   -j ACCEPT
ipchains -A input -p tcp ! -y -d $LOCAL_IF --sport 137:139  -j ACCEPT
# ipchains -A input -p udp -d $LOCAL_IF --sport 137:139   -j ACCEPT
# ping = echo-request, pong = echo-reply (ipchains accepts both aliases)
ipchains -A input -p icmp -d $LOCAL_IF --icmp-type ping    -j ACCEPT
ipchains -A input -p icmp -d $LOCAL_IF --icmp-type pong    -j ACCEPT
### Drop/deny that that doth not match
# Non-TCP traffic to the local-network-control multicast block. Note that
# 224.0.0.0/24 covers only that block; all of IPv4 multicast is 224.0.0.0/4.
ipchains -A input -p ! tcp -d 224.0.0.0/24 -j DENY
# BOOTP/DHCP server (67) and client (68) source ports
ipchains -A input -p udp --sport 67 -j DENY
ipchains -A input -p udp --sport 68 -j DENY
# Catch-all: deny and log (-l) everything that reached this point
ipchains -A input -j DENY -l

Jason

--- "Franklin, Joel" <JDFranklin at moheck.com> wrote:
> I've been handed a couple of bricks and been tossed, fully clothed, into
> the deep end. Our firewall needs to be analyzed and overhauled and I've
> been volunteered. Can anyone recommend a good book or online intro to
> firewalling? I'm not looking for specific rule sets (although these can
> be helpful) so much as I'm looking for general guidelines. This will
> strictly be for security purposes; we're not looking to limit employee
> access to anything or anywhere.
>
> Joel Franklin
> Network Analyst
>

=====
http://www.hailmaryfullofgrace.net

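The "Accept Responses" rules above match on the remote source port, and ipchains evaluates a chain first match wins, falling back to the chain policy. The following is an added example, not part of the original post, that models that evaluation for one such rule and checks what it admits; the host address 192.0.2.10 and the packets are constructed for the test, and the rule and packet fields are a deliberately small subset of what ipchains matches on.

```python
# Added example: a minimal first-match evaluator for an ipchains-style input
# chain. Rules and packets are plain dicts constructed here; no kernel involved.

LOCAL_IF = "192.0.2.10"  # constructed address standing in for xxx.xxx.xxx.xxx


def rule(target, proto=None, dst=None, dport=None, sport=None, syn=None):
    """One chain entry. None means 'match anything'; syn=False models '! -y'."""
    return dict(target=target, proto=proto, dst=dst, dport=dport, sport=sport, syn=syn)


def matches(r, pkt):
    """A rule matches only if every field it constrains equals the packet's field."""
    for key in ("proto", "dst", "dport", "sport", "syn"):
        if r[key] is not None and pkt.get(key) != r[key]:
            return False
    return True


def evaluate(chain, policy, pkt):
    """ipchains semantics: the first matching rule decides, else the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy


def check(chain, pkt):
    """Run a packet through an input chain whose default policy is DENY."""
    return evaluate(chain, "DENY", pkt)


# Response rule as posted: '-p tcp -d $LOCAL_IF --sport www -j ACCEPT'.
POSTED = [rule("ACCEPT", proto="tcp", dst=LOCAL_IF, sport=80)]
# Same rule with '! -y': only packets that are not a bare SYN, i.e. real replies.
TIGHTENED = [rule("ACCEPT", proto="tcp", dst=LOCAL_IF, sport=80, syn=False)]

# Constructed packets: a genuine reply from a web server, and a brand-new
# connection attempt to port 22 whose source port happens to be 80.
HTTP_REPLY = dict(proto="tcp", dst=LOCAL_IF, sport=80, dport=40000, syn=False)
NEW_CONN_FROM_80 = dict(proto="tcp", dst=LOCAL_IF, sport=80, dport=22, syn=True)

if __name__ == "__main__":
    for name, chain in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(name, "reply:", check(chain, HTTP_REPLY),
              "new connection:", check(chain, NEW_CONN_FROM_80))
```

Both chains accept the reply; only the tightened one denies the new connection, which is the difference the SYN check makes to a source-port rule.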




More information about the Kclug mailing list