Is there a way to set up the rules for closing all not used ports explicitly, manually?
As for example in the policy at the end:

# THE FOLLOWING POLICY MUST BE LAST
all all

mess-mate
--
It is by the fortune of God that, in this country, we have three benefits: freedom of speech, freedom of thought, and the wisdom never to use either. -- Mark Twain

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
mess-mate wrote:
> Is there a way to set up the rules for closing all not used ports
> explicitly, manually?
> As for example in the policy at the end:
> # THE FOLLOWING POLICY MUST BE LAST
> all all

That's exactly what that policy is intended to do.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Is there a way to set up the rules for closing all not used ports
| > explicitly, manually?
| > As for example in the policy at the end:
| > # THE FOLLOWING POLICY MUST BE LAST
| > all all
|
| That's exactly what that policy is intended to do.
|
Ok, so if I set it to:
all all DROP
DROP = ignore, isn't it? Why are these ports reported as 'closed'?

If I set for example in the rules:
DROP net fw tcp 0:60
all these ports do not respond; here the 'ignore' works.

mess-mate
--
There's small choice in rotten apples. -- William Shakespeare, "The Taming of the Shrew"
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> | > Is there a way to set up the rules for closing all not used ports
> | > explicitly, manually?
> | > As for example in the policy at the end:
> | > # THE FOLLOWING POLICY MUST BE LAST
> | > all all
> |
> | That's exactly what that policy is intended to do.
> |
> Ok, so if I set it to:
> all all DROP
> DROP = ignore, isn't it? Why are these ports reported as 'closed'?
>
> If I set for example in the rules:
> DROP net fw tcp 0:60
> all these ports do not respond; here the 'ignore' works.

What is your entire policy file?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep@shorewall.net> wrote:
| mess-mate wrote:
| > Tom Eastep <teastep@shorewall.net> wrote:
| > | mess-mate wrote:
| > | > Is there a way to set up the rules for closing all not used ports
| > | > explicitly, manually?
| > | > As for example in the policy at the end:
| > | > # THE FOLLOWING POLICY MUST BE LAST
| > | > all all
| > |
| > | That's exactly what that policy is intended to do.
| > |
| > Ok, so if I set it to:
| > all all DROP
| > DROP = ignore, isn't it? Why are these ports reported as 'closed'?
| >
| > If I set for example in the rules:
| > DROP net fw tcp 0:60
| > all these ports do not respond; here the 'ignore' works.
|
| What is your entire policy file?
|
loc   net   ACCEPT
loc   dmz   ACCEPT
loc   $FW   ACCEPT
loc   rtr   ACCEPT
loc   all   DROP    info
$FW   net   ACCEPT
$FW   dmz   ACCEPT
$FW   loc   ACCEPT
$FW   all   DROP    info
dmz   net   ACCEPT
dmz   $FW   ACCEPT
dmz   loc   DROP    info
dmz   all   DROP    info
net   dmz   ACCEPT
net   $FW   ACCEPT
net   loc   DROP    info
net   all   DROP    warning
rtr   dmz   ACCEPT
all   all   DROP    warning

The 'zones':
fw    firewall
net   ipv4
loc   ipv4
dmz   ipv4
rtr   ipv4

mess-mate
--
If you laid all of our laws end to end, there would be no end. -- Mark Twain
mess-mate wrote:
> Tom Eastep <teastep@shorewall.net> wrote:
> | mess-mate wrote:
> | > Tom Eastep <teastep@shorewall.net> wrote:
> | > | mess-mate wrote:
> | > | > Is there a way to set up the rules for closing all not used ports
> | > | > explicitly, manually?
> | > | > As for example in the policy at the end:
> | > | > # THE FOLLOWING POLICY MUST BE LAST
> | > | > all all
> | > |
> | > | That's exactly what that policy is intended to do.
> | > |
> | > Ok, so if I set it to:
> | > all all DROP
> | > DROP = ignore, isn't it? Why are these ports reported as 'closed'?
> | >
> | > If I set for example in the rules:
> | > DROP net fw tcp 0:60
> | > all these ports do not respond; here the 'ignore' works.
> |
> | What is your entire policy file?
> |
> loc   net   ACCEPT
> loc   dmz   ACCEPT
> loc   $FW   ACCEPT
> loc   rtr   ACCEPT
> loc   all   DROP    info
> $FW   net   ACCEPT
> $FW   dmz   ACCEPT
> $FW   loc   ACCEPT
> $FW   all   DROP    info
> dmz   net   ACCEPT
> dmz   $FW   ACCEPT
> dmz   loc   DROP    info
> dmz   all   DROP    info
> net   dmz   ACCEPT
> net   $FW   ACCEPT

The above two policies are a security disaster. They make your firewall and your DMZ wide open to attack from the net.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
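The following Python script is an added illustration and is not part of the thread or of the Shorewall project. It applies Shorewall's policy semantics as documented (the policy file is read top to bottom, the first entry matching the source/destination zone pair wins, and `all` matches any zone) to a constructed copy of the policy file mess-mate posted. It shows why the `all all DROP` entry never affected the probes: for `net -> $FW` the first match is `net $FW ACCEPT` on line 15, so packets reach the host and the kernel itself answers closed ports with a RST, which a scanner reports as "closed". Only a DROP policy produces the silent "filtered" result mess-mate calls "ignore". The `audit` and `harden` functions encode Tom's point; the "closed"/"filtered" labels are nmap's terminology, and the hardened variant is this example's suggestion, not text from the thread.

```python
"""Evaluate a Shorewall-style policy file with first-match semantics.

Added example, not code from the thread or from Shorewall. Assumes the
documented ordering rule: first matching (SOURCE, DEST) entry wins, 'all'
matches any zone, and $FW names the firewall zone ('fw' in the zones file).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the policy file posted in the thread.
POLICY_TEXT = """\
loc net ACCEPT
loc dmz ACCEPT
loc $FW ACCEPT
loc rtr ACCEPT
loc all DROP info
$FW net ACCEPT
$FW dmz ACCEPT
$FW loc ACCEPT
$FW all DROP info
dmz net ACCEPT
dmz $FW ACCEPT
dmz loc DROP info
dmz all DROP info
net dmz ACCEPT
net $FW ACCEPT
net loc DROP info
net all DROP warning
rtr dmz ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all all DROP warning
"""


@dataclass
class Policy:
    source: str
    dest: str
    action: str
    log: Optional[str]
    lineno: int


def _norm(zone: str) -> str:
    # $FW in the policy file is the 'fw' zone of the zones file.
    return "fw" if zone == "$FW" else zone


def parse_policy(text: str) -> List[Policy]:
    """Parse 'SOURCE DEST POLICY [LOGLEVEL]' lines; '#' starts a comment."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: need SOURCE DEST POLICY, got {raw!r}")
        log = fields[3] if len(fields) > 3 else None
        policies.append(Policy(_norm(fields[0]), _norm(fields[1]),
                               fields[2].upper(), log, lineno))
    return policies


def lookup(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First policy whose source and dest match the pair (or are 'all')."""
    for p in policies:
        if p.source in (src, "all") and p.dest in (dst, "all"):
            return p
    return None


def probe_result(policies: List[Policy], src: str, dst: str) -> str:
    """What an unsolicited TCP connect to a port no rule opens will observe."""
    p = lookup(policies, src, dst)
    if p is None:
        return "no-policy"
    if p.action in ("ACCEPT", "REJECT"):
        # ACCEPT: packet reaches the host, nothing listens, kernel sends RST.
        # REJECT: netfilter answers with RST/ICMP unreachable. Both look closed.
        return "closed"
    if p.action == "DROP":
        return "filtered"  # no answer at all: the 'ignore' behaviour expected
    return "unknown"       # CONTINUE, QUEUE, ... are out of scope here


def audit(policies: List[Policy], untrusted: str = "net") -> List[str]:
    """Flag entries that let the untrusted zone bypass the catch-all DROP."""
    findings = []
    if not policies or (policies[-1].source, policies[-1].dest) != ("all", "all"):
        findings.append("catch-all 'all all' policy is missing or not last")
    for p in policies[:-1]:
        if (p.source, p.dest) == ("all", "all"):
            findings.append(f"line {p.lineno}: 'all all' shadows every later policy")
    for p in policies:
        if p.source == untrusted and p.action == "ACCEPT":
            findings.append(f"line {p.lineno}: '{untrusted} {p.dest} ACCEPT' opens "
                            f"every port of zone {p.dest}; default to DROP and open "
                            f"ports individually in the rules file")
    return findings


def harden(policies: List[Policy], untrusted: str = "net") -> List[Policy]:
    """Turn ACCEPT policies from the untrusted zone into logged DROPs."""
    return [Policy(p.source, p.dest, "DROP", p.log or "info", p.lineno)
            if p.source == untrusted and p.action == "ACCEPT" else p
            for p in policies]


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for finding in audit(pol):
        print("WARN", finding)
    print("net->fw, unused port:", probe_result(pol, "net", "fw"))
    print("after hardening      :", probe_result(harden(pol), "net", "fw"))
```

Running it prints the two warnings for lines 14 and 15, reports `closed` for an unused port probed from `net` to the firewall, and `filtered` once those two policies are DROP, which matches the behaviour mess-mate saw only after adding an explicit `DROP net fw tcp 0:60` rule.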