I know, but as soon as I make the default policy DENY on the input chain, all connectivity to the outside is lost. Here was a basic set of rules at my last test:

ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i eth0 -j ACCEPT
ipchains -P forward DENY
ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipchains -P output ACCEPT

Now at this point I tried adding something like

ipchains -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT

to the chains with no change. At this point, I can get around fine on the local area network, but from any machine inside or from the firewalled machine itself, I cannot ping anything other than the DNS itself. That is interesting in itself. My static IP is 24.221.98.238 and the DNS is 24.221.30.3, and I can ping that with no trouble, but I cannot ping other IP addresses in other network address ranges. Not sure why that would be the case. All other protocols are "no go".

Just messing around, but as soon as I added a rule like

ipchains -A input -i eth1 -j ACCEPT

then it was wide open. That makes sense to me and is what I would expect. So at least ipchains is recognizing the network devices.

I do find it interesting that ipchains -L did not specifically mention the device names. It showed ----lo but the entries that should have been eth0 and eth1 showed up as ------. Shouldn't it have shown the eth devices clearly?

Thanks for the help so far.

On 25 Feb 2002, Craig White wrote:
> wow - 2 messages in 1 day David.
>
> as default policy - ACCEPT is a really poor idea for ipchains - for
> testing purposes, OK - but it will ultimately have to be changed to
> REJECT or DENY to have some security and peace of mind...be it forward,
> input or output.
>
> Craig
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
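The behaviour described in the message above (default DENY on input, ACCEPT on lo and eth0, replies from the outside still blocked) follows from ipchains being a stateless, first-match filter: a packet is checked against the chain's rules in order, the first match decides, and anything unmatched gets the chain policy. The following Python simulator is an added example written for this page, not code from the post or from the PLUG list. It parses the subset of ipchains syntax the post uses (-P, -A, -i, -p, -y / ! -y, --dport, -j; -s is parsed but not evaluated) and runs a small constructed sample of inbound packets through the posted input chain, with and without the "! -y" reply rule. It assumes eth1 is the Internet-facing interface (the post does not say), and it writes the reply rule as "-p tcp ! -y", since ipchains only accepts -y together with -p tcp.

```python
"""Simulate ipchains input-chain evaluation: first matching rule wins, else the chain policy.

Added example (not from the post). Models only: -P, -A, -i, -p, -y / ! -y, --dport, -j.
Assumes eth1 is the Internet-facing interface and eth0 the LAN side.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    iface: Optional[str] = None               # -i
    proto: Optional[str] = None               # -p
    syn: Optional[bool] = None                # True for -y, False for "! -y", None = don't care
    dport: Optional[Tuple[int, int]] = None   # --dport lo:hi
    target: str = "ACCEPT"                    # -j


@dataclass
class Packet:
    iface: str
    proto: str
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt
    dport: int = 0


class Chain:
    def __init__(self) -> None:
        self.policy = "ACCEPT"   # built-in ipchains chains start with policy ACCEPT
        self.rules: List[Rule] = []


def parse(cmdline: str, chains: Dict[str, Chain]) -> None:
    """Apply one ipchains command line (the modelled subset) to the chain table."""
    tok = cmdline.split()
    if tok[:1] != ["ipchains"]:
        raise ValueError("expected an ipchains command")
    if tok[1] == "-P":                        # -P <chain> <policy>
        chains[tok[2]].policy = tok[3]
        return
    if tok[1] != "-A":
        raise ValueError(f"unsupported action {tok[1]}")
    rule, negate, i = Rule(), False, 3
    while i < len(tok):
        t = tok[i]
        if t == "!":
            negate = True
            i += 1
            continue
        if t == "-y":
            rule.syn = not negate             # "-y" matches SYN, "! -y" matches everything else
            i += 1
        elif negate:
            raise ValueError(f"negation of {t} is not modelled here")
        elif t in ("-i", "-p", "-s", "-j", "--dport"):
            arg = tok[i + 1]
            if t == "-i":
                rule.iface = arg
            elif t == "-p":
                rule.proto = arg.lower()
            elif t == "-j":
                rule.target = arg
            elif t == "--dport":
                lo, _, hi = arg.partition(":")
                rule.dport = (int(lo), int(hi or lo))
            # -s (source address) is accepted but not evaluated in this model
            i += 2
        else:
            raise ValueError(f"unsupported option {t}")
        negate = False
    if rule.syn is not None and rule.proto != "tcp":
        raise ValueError("-y is only valid together with -p tcp")   # same restriction as ipchains
    chains[tok[2]].rules.append(rule)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.syn is not None and rule.syn != pkt.syn:
        return False
    if rule.dport is not None and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def verdict(chain: Chain, pkt: Packet) -> str:
    """Rules are tried in order; the first match decides, otherwise the chain policy applies."""
    for rule in chain.rules:
        if matches(rule, pkt):
            return rule.target
    return chain.policy


def build_input_chain(cmds: List[str]) -> Chain:
    chains = {"input": Chain()}
    for c in cmds:
        parse(c, chains)
    return chains["input"]


# The input-chain rules from the post (forward/output rules omitted: they do not affect inbound packets).
POSTED_RULES = [
    "ipchains -P input DENY",
    "ipchains -A input -i lo -j ACCEPT",
    "ipchains -A input -i eth0 -j ACCEPT",
]
# The reply rule the post tried, written with "-p tcp" as ipchains requires for -y.
REPLY_RULE = "ipchains -A input -i eth1 -p tcp ! -y --dport 1025:65535 -j ACCEPT"

# Constructed sample traffic; eth1 is assumed to be the Internet-facing interface.
SAMPLE_TRAFFIC = {
    "icmp echo reply": Packet("eth1", "icmp"),
    "tcp reply to an outbound connection": Packet("eth1", "tcp", syn=False, dport=40000),
    "udp dns reply": Packet("eth1", "udp", dport=40001),
    "tcp syn to port 22 (inbound connection attempt)": Packet("eth1", "tcp", syn=True, dport=22),
    "lan packet on eth0": Packet("eth0", "tcp", syn=True, dport=139),
}


def verdicts(cmds: List[str]) -> Dict[str, str]:
    chain = build_input_chain(cmds)
    return {name: verdict(chain, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for label, cmds in (("posted rules", POSTED_RULES), ("with reply rule", POSTED_RULES + [REPLY_RULE])):
        print(label)
        for name, v in verdicts(cmds).items():
            print(f"  {v:6s} {name}")
```

Under the posted rules every packet arriving on eth1 is denied, including the replies to connections the LAN itself initiated, which is exactly the "all connectivity to the outside is lost" symptom. Adding the "! -y" rule opens only non-SYN TCP to unprivileged ports, so TCP sessions from the inside start working while ICMP echo replies and UDP DNS replies are still dropped; a stateless filter needs an explicit input rule on the external interface for each reply type the inside relies on, while a plain "-i eth1 -j ACCEPT" removes the inbound filter entirely.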