Re: How about the "Good Book"

On Mon, 22 Dec 2003 19:42:39 -0800, AthlonRob <junkmail@axpr.net> wrote:
> The first big thing I notice is the iptables -P FORWARD DROP - be wary
> running this from an ssh session, as it will *kill* all outbound traffic
> dead. Very dead. Even existing connections.
Ah yes, that's true. I'll add some sort of warning about that in
there (i.e. don't apply default policies until after you've added
exceptions). I find it strange that you quoted the FORWARD line,
though; I'd have thought that the INPUT policy would affect SSH
sessions more (unless they're being NATed in some way).
> I also notice you allow 127.0.0.0/8 to talk to itself... do things
> really use other than 127.0.0.1?
I haven't seen anything use an address other than 127.0.0.1, but all
are classed as loopback and all are routed over the lo interface, so I
use that rule just in case.
> Ooops, you were talking ipchains... I don't play ipchains. :-\
No problem. Any kind of feedback is appreciated. Thanks.
--
Simon <simon@no-dns-yet.org.uk> **** GPG: F4A23C69
"We demand rigidly defined areas of doubt and uncertainty."
- Douglas Adams
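The ordering Simon says he will document (add the exceptions first, flip the default policies to DROP last, so a remote ssh session survives), as an added shell example that is not part of the thread. The variable `IPT` and the functions `apply_firewall` and `policies_after_exceptions` are my own names; with `IPT` left at its default of `echo` the script only prints the iptables commands instead of loading them, which is also how the self-check reads back the order.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# IPT defaults to "echo" (dry run); set IPT=/sbin/iptables as root to load the rules.
IPT="${IPT:-echo}"

apply_firewall() {
    # 1. Exceptions first, while the default policies are still ACCEPT.
    #    Loopback: the whole 127.0.0.0/8 block is routed over lo, as in the thread.
    $IPT -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
    #    Keep the admin's existing session (and any other established flow) alive.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    Allow new ssh connections.
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # 2. Only now change the default policies; INPUT is the chain that
    #    decides whether packets addressed to this host (ssh included) get in.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Self-check on the dry-run output: returns 0 when the ssh ACCEPT rule is
# emitted before the first "-P <chain> DROP" command, 1 otherwise.
policies_after_exceptions() {
    out=$( (IPT=echo; apply_firewall) )
    ssh_line=$(printf '%s\n' "$out" | grep -n -- '--dport 22' | head -n1 | cut -d: -f1)
    first_drop=$(printf '%s\n' "$out" | grep -n -- '-P [A-Z]* DROP' | head -n1 | cut -d: -f1)
    [ -n "$ssh_line" ] && [ -n "$first_drop" ] && [ "$ssh_line" -lt "$first_drop" ]
}

# Dry run: print the commands in the order they would be applied.
apply_firewall
```

Because each `iptables` call takes effect immediately, the order of the calls is what matters; the check above fails as soon as someone moves the `-P` lines to the top of the function. Loading the whole ruleset through `iptables-restore` instead applies policies and rules atomically, so the ordering problem does not arise there.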