06-01-2011
Quote: Originally Posted by garric
I want to open specific ports at the output and block the rest. Putting the default output blocking policy would make the machine unusable. Thus, I shifted it to the bottom of the firewall script and that worked. Anything I am doing wrong here?
The default policy takes immediate effect when set, that's true. However, it only blocks you out if you enter the commands manually, which should be the exception, not the rule. When using a script you can set the default policy first, and then open the ports you need without interrupting any traffic.
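The script-first approach from the reply, set the OUTPUT policy to DROP and then open only the ports you need, as an added example that is not code from this thread. It goes one step further than a line-by-line script: the rules are emitted in iptables-restore(8) format, so the whole filter table is swapped in one operation and the DROP policy is never active without its ACCEPT rules. The port lists are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: egress rules in iptables-restore(8)
# format. The OUTPUT policy is DROP and only the listed destination ports are
# opened; because iptables-restore replaces the whole table atomically, there
# is no window in which DROP applies without the ACCEPT rules below.
# The port lists are assumptions for illustration.
ALLOWED_TCP_OUT="22 53 80 443"   # ssh, dns, http, https (assumed)
ALLOWED_UDP_OUT="53 123"         # dns, ntp (assumed)

emit() { printf '%s\n' "$1"; }

build_egress_ruleset() {
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'
    emit ':FORWARD ACCEPT [0:0]'
    emit ':OUTPUT DROP [0:0]'
    # Loopback and replies to existing connections must stay open, or the
    # host becomes unusable even with the ports below allowed.
    emit '-A OUTPUT -o lo -j ACCEPT'
    emit '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ALLOWED_TCP_OUT; do
        emit "-A OUTPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ALLOWED_UDP_OUT; do
        emit "-A OUTPUT -p udp --dport $p -j ACCEPT"
    done
    # Rate-limited log of what the policy drops, so a forgotten port shows
    # up in syslog instead of as a silent hang.
    emit '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "'
    emit 'COMMIT'
}

# Returns 0 if the generated ruleset opens new outbound traffic to proto/port.
allows_out() {  # usage: allows_out tcp 443
    build_egress_ruleset | grep -q -- "-p $1 --dport $2 .*-j ACCEPT"
}

# Check the syntax without touching the kernel, then apply atomically (root).
apply_egress_ruleset() {
    build_egress_ruleset | iptables-restore --test || return 1
    build_egress_ruleset | iptables-restore
}
```

Run `build_egress_ruleset` first to review the generated rules; `apply_egress_ruleset` needs root and replaces the current filter table.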
MAC_BSDEXTENDED(4) BSD Kernel Interfaces Manual MAC_BSDEXTENDED(4)
NAME
mac_bsdextended -- file system firewall policy
SYNOPSIS
To compile the file system firewall policy into your kernel, place the following lines in your kernel configuration file:
options MAC
options MAC_BSDEXTENDED
Alternately, to load the file system firewall policy module at boot time, place the following line in your kernel configuration file:
options MAC
and in loader.conf(5):
mac_bsdextended_load="YES"
DESCRIPTION
The mac_bsdextended security policy module provides an interface for the system administrator to impose mandatory rules regarding users and some system objects. Rules are uploaded to the module (typically using ugidfw(8), or some other tool utilizing libugidfw(3)) where they are stored internally and used to determine whether to allow or deny specific accesses (see ugidfw(8)).
IMPLEMENTATION NOTES
While the traditional mac(9) entry points are implemented, policy labels are not used; instead, access control decisions are made by iterating through the internal list of rules until a rule which denies the particular access is found, or the end of the list is reached. The mac_bsdextended policy works similarly to ipfw(8), using first-match semantics. This means that not all rules are applied, only the first matched rule; thus if Rule A allows access and Rule B blocks access, Rule B will never be applied.
Sysctls
The following sysctls may be used to tweak the behavior of mac_bsdextended:
security.mac.bsdextended.enabled
Set to zero or one to toggle the policy off or on.
security.mac.bsdextended.rule_count
List the number of defined rules; the maximum rule count is currently set at 256.
security.mac.bsdextended.rule_slots
List the number of rule slots currently being used.
security.mac.bsdextended.firstmatch_enabled
Toggle between the old all-rules-match behavior and the new first-rule-matches behavior. This is enabled by default.
security.mac.bsdextended.logging
Log all access violations via the AUTHPRIV syslog(3) facility.
security.mac.bsdextended.rules
Currently does nothing interesting.
SEE ALSO
libugidfw(3), syslog(3), mac(4), mac_biba(4), mac_ifoff(4), mac_lomac(4), mac_mls(4), mac_none(4), mac_partition(4), mac_portacl(4),
mac_seeotheruids(4), mac_test(4), ipfw(8), ugidfw(8), mac(9)
HISTORY
The mac_bsdextended policy module first appeared in FreeBSD 5.0 and was developed by the TrustedBSD Project.
The "match first case" and logging capabilities were later added by Tom Rhodes <trhodes@FreeBSD.org>.
AUTHORS
This software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.
BSD May 21, 2005 BSD