heh, considering that RH includes this tool and it doesn't work out of the box, I'd say it should be a concern to the people who could possibly fix that; perhaps those people read this list. I mean, when you install Fedora/Red Hat, it asks "do you want a firewall?" If you choose yes (which I did), it's not going to do anything, not even something very very simple like deny all incoming new connections. The following is what I have with only ftp allowed and eth0 trusted, yet somehow any computer (on the LAN or on the Internet) can access http, ssh, and every other port on my computer. Since this is all done with init scripts which require me to be root in order to use, and iptables is running, I would assume everything is being executed properly.

# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

/etc/sysconfig/iptables

# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

/etc/sysconfig/iptables-config

# Additional iptables modules (nat helper)
# Default: -empty-
#IPTABLES_MODULES="ip_nat_ftp"

# Save current firewall rules on stop.
# Value: yes|no, default: no
#IPTABLES_SAVE_ON_STOP="no"

# Save current firewall rules on restart.
# Value: yes|no, default: no
#IPTABLES_SAVE_ON_RESTART="no"

# Save (and restore) rule counter.
# Value: yes|no, default: no
#IPTABLES_SAVE_COUNTER="no"

# Numeric status output
# Value: yes|no, default: no
#IPTABLES_STATUS_NUMERIC="no"

Considering that every iptables script I've looked at is 5 times longer than both those files combined (including supposedly 'simple' scripts), I would assume something isn't right. I've read man iptables but it's overwhelming, and I've tried editing other people's simple scripts; again, overwhelming. I couldn't make anything work that I wanted (like allowing port 11000 for http ONLY). If someone could write me something that does the following and comment it so I know what each section is doing, that would be great:

1. allow incoming connections on ports 11000 (http), 21 (ftp), 22 (ssh), and 113 (identd).
2. allow outgoing on all ports.
3. just 1 ethernet card, eth0.

Thanks. Oh, and for the guy who said my email host is spoofed: lol it's not.
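A ruleset that does the three things asked for above, added here as an example; it is not from the original post and not Red Hat's redhat-config-securitylevel output. It uses the same /etc/sysconfig/iptables (iptables-restore) format the post shows, so the stock init script loads it with "service iptables restart", and it assumes the machine only needs the four listed services reachable on eth0 and does not route for anyone (single NIC). The reason every port was open in the posted file is visible in it: "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT" accepts every packet that arrives on eth0, so the port-21 rule and the final REJECT below it are never reached. Marking an interface "trusted" in the installer means exactly that unconditional accept, not a scope for the later port rules.

```conf
# /etc/sysconfig/iptables  (added example, iptables-restore format)
# Loaded by the Red Hat init script: service iptables restart
*filter

# Default policies. Anything not explicitly accepted in INPUT or FORWARD is
# dropped; OUTPUT stays ACCEPT, which is request 2 (all outgoing ports).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback traffic is always local; allow it unconditionally.
-A INPUT -i lo -j ACCEPT

# Replies to connections this host opened, plus RELATED traffic such as FTP
# data connections and ICMP errors. With a DROP policy on INPUT this is the
# rule that makes "allow all outgoing" actually work.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP, kept as in the original file so ping and path-MTU discovery work.
# Tighten to "--icmp-type echo-request" if you only want ping.
-A INPUT -p icmp --icmp-type any -j ACCEPT

# Request 1: NEW inbound TCP connections on the listed ports, on eth0 only
# (request 3: one card). Note there is deliberately no "-i eth0 -j ACCEPT"
# line; the interface is a match on each port rule, not a blanket accept.
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 11000 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT

# Everything else arriving on eth0 gets an explicit rejection instead of a
# silent drop, so clients fail fast. Packets that fall off the end of the
# chain hit the DROP policy.
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

After loading it, check with "iptables -L -n -v": INPUT should show "policy DROP", there must be no "ACCEPT all ... anywhere anywhere" line before the port rules, and from another host only 21, 22, 113 and 11000 should connect while other ports return "host prohibited". For FTP, the data connection is only matched as RELATED if the FTP connection-tracking helper is loaded; on these Red Hat systems that is done in the /etc/sysconfig/iptables-config file shown above, for example IPTABLES_MODULES="ip_conntrack_ftp" (the posted file only has the ip_nat_ftp line commented out, and NAT is not needed here).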