-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi. Another idea is putting this in a script: /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT services ports go here /sbin/iptables -P INPUT DROP Only apply that policy when you know that all your required ports are open; if not, you may find yourself locked out of your machine, and only console access can fix things again. Igor On Sun, May 20, 2007 at 05:33:15PM -0400, Travis Siegel wrote: > If you turn off the various utilities in the inetd.conf file that you > don't use, that can help too. > I.E. since you're using ssh, you won't need telnet and rlogin. > Simply comment them out. That way, no matter how many packets go to > that destination port, it won't do a bit of good. > You are of course welcome to block any ports you like, and it's > likely that'll help too, but the inetd daemon is a nice way to secure > the machine as well. > > As for the problem with the outgoing ping packets, there are ways to > specify incoming/outgoing packets, but I've not fiddled with ip rules > for several years, so i don't remember the syntax. However, there's > a very good how-to on the linux how-to site explaining ipfwadm and > ipchains. One of the examples in there is how to secure the machine > for a particular service (don't remember which one) but it covers > that exact problem (if I remember correctly) > Try to see if you can find it. If not, I'm sure I have it *somewhere*. > But, just so you know, there is a solution, I (unfortunately) no > longer remember what it is though. > > > On May 20, 2007, at 11:34 AM, Littlefield, Tyler wrote: > > > Hello list, > > I've been told to block ping requests with iptables. I made the > > following rule: > > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP > > The only problem with this, is it drops all pings incoming as well, > > which causes a slight problem. > > Any way around this? > > Also, is there anything else that can be done in order to make the > > system more secure? I was told to block fragmented packets. I know > > what they are, but don't know enough about tcp in order to be able > > to do much with them. > > Help is appriciated. > > Thanks, > > _______________________________________________ > > Speakup mailing list > > Speakup at braille.uwo.ca > > http://speech.braille.uwo.ca/mailman/listinfo/speakup > > > > > > > _______________________________________________ > Speakup mailing list > Speakup at braille.uwo.ca > http://speech.braille.uwo.ca/mailman/listinfo/speakup > > -- > This message has been scanned for viruses and > dangerous content by MailScanner, and is > believed to be clean. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iQIVAwUBRlDDM6e2pgKIdGq4AQoodw//UDbhKeBebi522JidjBEKfbgGEHMQ5pQi kQcXVOn7bU9Z8n5Orm0m07eQIWPYxFFYMC5P/9wkaJHNy5dmEYUXYWLbt7ke9yje gbPAWvo4xzRt0GGHFoiqU5I5kYdD7I2fJ9ASEAXzliY2UdCZ/StKKDkJVHhJ1OZi hokQRjINMR4th0Gz2LcAXu2hN16KRQibnMYBzan+zn1sHhuLG4rer5eLq+8cr1Qb bl85kFqBG4Xp9FYQ1+R9tsgR0G0ifqikan7NzE7eIy1rEyWL0GbfaqWNNYro6+3j EaPjB+OdH16thcAc4tq6pjxxuTcBAWXGDxdpA0D+U3L8Z2kjgVdqStLfl+T/1B3z lS7pB9nkykc6mpVrzb6NZDkEcuo73jfCYEO+Yx36GjAwCkTZXhvaTvr0sFGHTWV4 xIFI8OXhJip93x1jLt7/2+DhsbsRCd6sWYAakWdCXEK8xgt9/TxZ9xZLosq2f8v+ OB7Sg51X02C9HaDJF3Jim5SJoMbZYhV6w/bv5icSL/wUQQv7L8teP1qAtCK0uxHm MA9BPjbuTNTrpzB+7oRTchD5InlFMotnpd4FVXAmMYu2EqViroM21Ge5o9vAUFZq ktj17fFzjyf8PA5fBSlZy4J/+G1OveS9/5ZIoRc8v9/NVABCkB+RG53Zo6fjdAqd aFI+HFrlcLg= =6Fu5 -----END PGP SIGNATURE----- -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
