Re: [ILUG] ipchains - icmp [almost working]

From: Paul Jakma (paulj at domain itg.ie)
Date: Mon 31 Jul 2000 - 17:14:39 IST


On Mon, 31 Jul 2000, SP K wrote:

> ok but, what i really want to do is let icmp of type 3
> in only and not any other icmp type.
>

just allow all ICMP through... much wiser unless you are an expert on ICMP
and how it might be used.

> Also i am having trouble with http out, i have all my
> default policies as DENY , then i did ACCEPT for www
> input and output, but i cant http in/out with this,

read my original mail. you need to allow in all TCP traffic that doesn't
have the SYN bit set going to ports that correspond to linux's range of
dynamically assigned ports (see /proc/sys/net/ipv4/ip_local_port_range[1])
else client programmes running on your machine will never receive any
reply.

something like:

ipchains -I input 1 -p tcp ! -y -s 0/0 -d myip/32 low_port:high_port -j ACCEPT

--paulj

[1]. by default it's 1024->4096.. but that's a bit broken. Might be an
idea to change that to something like 32768->36864.
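As an added example (not from Paul's mail), the following POSIX shell snippet builds the rule he describes from the kernel's own ephemeral port range rather than hard-coding it, and checks the range before use. It reads /proc/sys/net/ipv4/ip_local_port_range (the file the mail points at), falls back to the 1024-4096 default the footnote mentions when the file is unreadable, and only prints the ipchains command so it can be reviewed before being applied. The function names and the address 192.0.2.10 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original mail. Generates the "accept non-SYN
# TCP to our ephemeral ports" rule from the kernel's configured port range.
# Nothing here executes ipchains; the rule is printed for review.

# Turn the "low<tab>high" contents of ip_local_port_range into "low:high".
# $1 (optional, assumed) = path to the file; defaults to the real /proc entry.
# Falls back to the 1024-4096 default quoted in the mail if unreadable.
ephemeral_range() {
    file="${1:-/proc/sys/net/ipv4/ip_local_port_range}"
    if [ -r "$file" ]; then
        read -r low high < "$file"
    else
        low=1024
        high=4096
    fi
    printf '%s:%s\n' "$low" "$high"
}

# Sanity-check a "low:high" range: must be above the privileged ports,
# within 16 bits, and ordered. Returns 0 when acceptable, 1 otherwise.
valid_range() {
    low="${1%%:*}"
    high="${1#*:}"
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Print the rule: accept inbound TCP to our address on the ephemeral range
# only when SYN is clear (! -y), i.e. replies to connections we initiated.
# $1 = our IP address, $2 = "low:high"
reply_rule() {
    printf 'ipchains -I input 1 -p tcp ! -y -s 0/0 -d %s/32 %s -j ACCEPT\n' "$1" "$2"
}

# Stand-alone usage: print the rule for the current kernel range (192.0.2.10
# is a constructed documentation address standing in for "myip").
if [ "${1:-}" = "--print" ]; then
    range=$(ephemeral_range)
    valid_range "$range" || { echo "unexpected port range: $range" >&2; exit 1; }
    reply_rule 192.0.2.10 "$range"
fi
```

Run it with `--print` to see the rule for the machine's actual range; because the rule is generated rather than typed, changing ip_local_port_range as the footnote suggests does not leave a stale port range in the firewall script.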



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:07:02 GMT