On Fri, 31 Mar 2000 sinck@corp.quepasa.com wrote:

>
>
> _ thinking that this discussion might be of interest to others and not wanting
> _ to abuse Mike Sheldon or Jean Francois... but I am feeling like by installing
> _ linux systems on the internet, I am lobbing up softballs for weak hitters to
> _ hit out of the park.
> _
> _ 1 - if I create a chain ruleset
> _
> _ default policy deny
> _ accept TCP/UDP port 25, 110, 80

Port 25 should be accept tcp from port 25 and port >1024.

Actually, are reserved ports 0-1023 or 1-1024? Greater than the upper end
of whatever the correct range is :).

Pop uses udp? In any case, I believe only unprivileged port clients will
be connecting to it, e.g. only coming from >1024.

For http there should only be tcp requests from >1024.

> _ reject TCP/UDP ports 1:1024
> _
> _ does this adequately protect all but mail & www from things
> _ like BIND & FTP exploitation attacks?
>
> I'm pretty sure you're gonna want 53 in there... otherwise it'll be
> harder to resolve hostnames.

For dns requests from outside world:

allow udp/tcp from 53 and >1024
allow to udp/tcp 53

Replace 1024 with 1023 as appropriate if the range turns out to be 0-1023 :).

ciao,

der.hans
--
# +++++++++++=================================+++++++++++ #
# der.hans@LuftHans.com www.excelco.com #
# http://home.pages.de/~lufthans/ #
# Science is magic explained. - der.hans #
# ===========+++++++++++++++++++++++++++++++++=========== #
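The following is an added example and not code from the thread or from either poster: a small model of the stateless ipchains-style "input" ruleset discussed above (default policy deny, accept mail/POP/web from unprivileged source ports, DNS both ways, reject the rest of the reserved range), so the source-port question can be checked against concrete packets. It assumes the usual Unix convention that ports 0-1023 are reserved and clients use 1024-65535, reads the two DNS lines as "queries to our port 53 from 53 or >1023" plus "replies from port 53 to our unprivileged ports", and orders the accept rules before the reject rule as ipchains would need. The `Packet`, `Rule`, `build_input_rules`, `evaluate` and `to_ipchains` names are the example's own; the ipchains command strings are written from memory of the ipchains(8) syntax and are only printed, not executed. The sample packets at the bottom are constructed, not captured traffic.

```python
from dataclasses import dataclass

# Unix reserved (privileged) ports are 0-1023; ordinary clients use 1024-65535.
PRIV_HI = 1023
UNPRIV = (PRIV_HI + 1, 65535)
ANY = (0, 65535)
POLICY = "DENY"  # chain default policy: drop silently (assumed, as in the post)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # source port on the remote host
    dport: int   # destination port on our host


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    sport: tuple  # inclusive (lo, hi) source-port range
    dport: tuple  # inclusive (lo, hi) destination-port range
    target: str   # "ACCEPT", "REJECT" or "DENY"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.sport[0] <= pkt.sport <= self.sport[1]
                and self.dport[0] <= pkt.dport <= self.dport[1])


def build_input_rules() -> list:
    """The ruleset from the thread, for traffic arriving from the Internet."""
    rules = []
    # SMTP: accept from port 25 or from an unprivileged port (as the reply says).
    rules.append(Rule("tcp", (25, 25), (25, 25), "ACCEPT"))
    rules.append(Rule("tcp", UNPRIV, (25, 25), "ACCEPT"))
    # POP3 and HTTP clients only ever come from unprivileged ports.
    rules.append(Rule("tcp", UNPRIV, (110, 110), "ACCEPT"))
    rules.append(Rule("tcp", UNPRIV, (80, 80), "ACCEPT"))
    # DNS, udp and tcp: queries to our server from 53 or >1023, and replies
    # from a remote port 53 to our resolver's unprivileged port (assumed reading).
    for proto in ("udp", "tcp"):
        rules.append(Rule(proto, (53, 53), (53, 53), "ACCEPT"))
        rules.append(Rule(proto, UNPRIV, (53, 53), "ACCEPT"))
        rules.append(Rule(proto, (53, 53), UNPRIV, "ACCEPT"))
    # Anything else aimed at a reserved port is rejected (the "1:1024" line,
    # using 1023 as the top of the reserved range).
    for proto in ("tcp", "udp"):
        rules.append(Rule(proto, ANY, (1, PRIV_HI), "REJECT"))
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins, as ipchains does; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return POLICY


def _port_spec(rng) -> str:
    lo, hi = rng
    if (lo, hi) == ANY:
        return ""
    return f" {lo}" if lo == hi else f" {lo}:{hi}"


def to_ipchains(rule: Rule, chain: str = "input") -> str:
    """Render one rule as an ipchains command line (syntax from memory, not run)."""
    return (f"ipchains -A {chain} -p {rule.proto}"
            f" -s 0.0.0.0/0{_port_spec(rule.sport)}"
            f" -d 0.0.0.0/0{_port_spec(rule.dport)} -j {rule.target}")


if __name__ == "__main__":
    rules = build_input_rules()
    print(f"ipchains -P input {POLICY}")
    for rule in rules:
        print(to_ipchains(rule))
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet("tcp", 40000, 25),    # mail client -> ACCEPT
        Packet("tcp", 500, 25),      # privileged source port -> REJECT
        Packet("tcp", 40000, 22),    # ssh probe -> REJECT
        Packet("udp", 40000, 53),    # DNS query to our server -> ACCEPT
        Packet("udp", 53, 40000),    # DNS reply to our resolver -> ACCEPT
        Packet("udp", 53, 2049),     # same rule, spoofed source port 53 -> ACCEPT
        Packet("tcp", 40000, 8080),  # unprivileged port, no rule -> DENY (policy)
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rules, pkt))
```

Running it prints the ruleset as ipchains lines and the verdict for each sample. The sixth sample is the check a practitioner would want: because the filter is stateless, the "replies from port 53" rule accepts any datagram whose sender chose source port 53, whatever unprivileged port it targets, so anything listening above 1023 on the box is reachable to a sender who sets that port. Restricting the source-port rules to the narrowest destination range the host actually needs, or moving to a stateful filter, is the usual remedy.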