Re: IPTABLES doesn't work


 



smoothmilk wrote:
heh, considering that RH includes this tool and it doesn't work out of
the box, I'd say it should be a concern to the people who could possibly
fix that, perhaps those people read this list. I mean, when you install
fedora/redhat, it says do you want a firewall? If you choose yes, (which I
did) it's not going to do anything--even something very very simple like
deny all incoming new connections.

The following are what I have with only ftp allowed and eth0 trusted..
yet somehow, any computer (on the lan or on the internet) can access
http, ssh, and every other port on my computer.

What do you think 'eth0 trusted' means ?

Again I suggest you think about what you are doing. 'eth0 trusted' means trust anything coming to eth0. You have opened up any packets coming to eth0 to be allowed.

The tool works correctly.



Since this is all done with init scripts which require me to be root in order to use, and iptables is running, I would assume everything is being executed properly.

# /sbin/iptables -L

Try /sbin/iptables -xvnL for some details




<snip>
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT

The rule above is what is added when you 'trust' eth0, allowing everything.


<snip>


Considering that every iptables script I've looked at is 5 times longer
than both those files combined (including supposedly 'simple' scripts) I
would assume something isn't right.

Wrong assumption. It's user error.


I've read man iptables but it's overwhelming, and I've tried editing
other people's simple scripts--again, overwhelming. I couldn't make
anything work that I wanted (like allowing port 11000 for http ONLY).


If someone could write me something that does the following and comment
it so I know what each section is doing that would be great:

1. allow incoming connections on ports 11000 (http), 21 (ftp), 22 (ssh),
and 113 (identd).
2. allow outgoing on all ports.
3. just 1 ethernet card, eth0.

Yes, remove the trusted eth0 using redhat-config-securitylevel tool. Then add the ports in that you need.


Cheers,
Michael
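A ruleset that does what the three numbered requirements ask for, built in the style of the RH-Firewall-1-INPUT chain quoted above. This is an added example, not a script from either poster or from redhat-config-securitylevel; by default it only prints the commands (IPT defaults to "echo /sbin/iptables"), and the port list and interface name are assumptions taken from the request.

```shell
#!/bin/sh
# Added example: minimal ruleset for the request in this thread.
# Dry run by default; set IPT=/sbin/iptables and run as root to apply.
IPT="${IPT:-echo /sbin/iptables}"
IFACE="${IFACE:-eth0}"                    # requirement 3: one card, eth0
TCP_PORTS="${TCP_PORTS:-11000 21 22 113}" # requirement 1: http, ftp, ssh, identd

apply_rules() {
    # Start clean so leftover rules cannot shadow the ones below.
    $IPT -F
    $IPT -X RH-Firewall-1-INPUT 2>/dev/null

    # Default policies: drop inbound traffic no rule accepts, and let
    # locally originated traffic out on any port (requirement 2).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Funnel all inbound packets through one chain, as the RH tool does.
    $IPT -N RH-Firewall-1-INPUT
    $IPT -A INPUT -j RH-Firewall-1-INPUT

    # Loopback only. Note "-i lo", not "-i eth0": a bare
    # "-i eth0 -j ACCEPT" is exactly the 'trusted eth0' rule that
    # let every port through in the original post.
    $IPT -A RH-Firewall-1-INPUT -i lo -j ACCEPT

    # Replies to connections this host opened itself.
    $IPT -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound TCP connections only on the listed ports.
    for p in $TCP_PORTS; do
        $IPT -A RH-Firewall-1-INPUT -i "$IFACE" -m state --state NEW \
            -m tcp -p tcp --dport "$p" -j ACCEPT
    done

    # Everything else that reaches the end of the chain is rejected.
    $IPT -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
}

apply_rules
```

Check the result with /sbin/iptables -xvnL afterwards; the per-rule packet counters show which rule is actually matching a given connection.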



