Re: [SLUG] Letting Stuff In...

From: Russell Hires (rhires@earthlink.net)
Date: Tue Apr 16 2002 - 09:23:27 EDT



So the output statement lets stuff out? I have no problem with traffic going
out, either from the firewall computer or the ones inside the firewall. But
if I want to contact my firewall computer via ssh from somewhere besides my
home network...how would I allow that? I thought it would be as simple as
ipchains -A input -l -i ppp0 -d 0.0.0.0/0 22 -p TCP -j ACCEPT

but it hasn't worked out that way...

Still thinking hard about all this.... :-)

Russell
>
> You have no output statement. Something like:
>
> ipchains -A output -s $ANY -d $ANY -j ACCEPT
>
> HOWEVER, beware that this allows any traffic, even spoofed traffic, to
> emerge from behind your firewall. This would be a little better if you
> added a variable at the beginning that gave your network addresses:
>
> NET=192.168.10.0/24
>
> then
>
> ipchains -A output -s $NET -d $ANY -j ACCEPT
>
> Also, if you specify your interior device, as
>
> INTDEV=eth0
>
> you can do
>
> ipchains -A output -i $INTDEV -s $NET -d $ANY -j ACCEPT
>
> There are obviously a hundred other additional statements which would
> add security to this. The point is that you have no output statement,
> and you need one.
>
> HTH,
>
> Paul

--
Linux -- the OS for the Renaissance Man
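An added example, not code from the thread: a small ipchains script that puts Paul's $NET/$INTDEV output rules together with the inbound ssh rule on ppp0 that Russell asked about, and goes a little beyond the thread by adding anti-spoofing rules and a rule for reply packets. The 192.168.10.0/24 block, eth0, ppp0 and the logging flags are assumptions, and IPCHAINS defaults to `echo ipchains` so the script only prints the rules unless you point it at the real binary.

```shell
#!/bin/sh
# ipchains rule set built from the variables in Paul's reply plus the inbound
# ssh rule. Addresses and interface names are assumptions. IPCHAINS defaults
# to "echo ipchains" (dry run); set IPCHAINS=/sbin/ipchains to apply for real.
IPCHAINS="${IPCHAINS:-echo ipchains}"
NET=192.168.10.0/24   # interior network (assumed)
INTDEV=eth0           # interior interface (assumed)
EXTDEV=ppp0           # dial-up interface facing the Internet (assumed)
ANY=0.0.0.0/0

build_rules() {
    # Clean slate, deny by default on every chain.
    $IPCHAINS -F
    $IPCHAINS -P input DENY
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output DENY

    # Anti-spoofing: nothing arriving on ppp0 may claim an interior address.
    $IPCHAINS -A input -i $EXTDEV -s $NET -j DENY -l

    # Loopback and the interior network are trusted.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i $INTDEV -s $NET -j ACCEPT

    # Inbound ssh from the Internet to the firewall. -A appends, so this
    # must be listed before the rule that denies the rest of ppp0 traffic.
    $IPCHAINS -A input -i $EXTDEV -p tcp -d $ANY 22 -j ACCEPT -l

    # Replies to connections opened from inside: TCP packets that are not a
    # bare SYN (! -y) may come back in on ppp0.
    $IPCHAINS -A input -i $EXTDEV -p tcp ! -y -j ACCEPT

    # Everything else arriving on ppp0 is logged and dropped.
    $IPCHAINS -A input -i $EXTDEV -j DENY -l

    # Interior hosts reach the Internet through masquerading (in the forward
    # chain, -i names the outgoing interface).
    $IPCHAINS -A forward -i $EXTDEV -s $NET -j MASQ

    # Output: Paul's interior rule, de-masqueraded replies back to the LAN,
    # and a ppp0 rule that refuses to emit private source addresses.
    $IPCHAINS -A output -i lo -j ACCEPT
    $IPCHAINS -A output -i $INTDEV -s $NET -d $ANY -j ACCEPT
    $IPCHAINS -A output -i $INTDEV -d $NET -j ACCEPT
    $IPCHAINS -A output -i $EXTDEV ! -s $NET -j ACCEPT
}

build_rules
```

Run it once as a dry run and read the printed order: the ssh ACCEPT line must appear before the final ppp0 DENY, or ssh from outside is silently denied.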



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:10:10 EDT