Re: how to only allow tcp on dport 443 on the OUTPUT chain?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/19/2011 02:19 PM, Bill Davidsen wrote:
> erikmccaskey64 wrote:
>> it's a normal desktop machines iptables firewall:
>>
>> If i want to block udp on dport 80 on the output chain, then is this
>> enough? i want to only allow tcp on it!
>> iptables -P OUTPUT DROP
>> iptables -A OUTPUT -o $PUBIF --dport 80 -j ACCEPT
>>
>> or i need this rule?
>> iptables -P OUTPUT DROP
>> iptables -A OUTPUT -o $PUBIF -p tcp --dport 80 -j ACCEPT
>>
>> the second one is the good one?
>>
> You don't want to do that, if you block everything on OUTPUT things like DHCP,
> ARP, ICMP, etc, fail. You would need pages of ACCEPT rules.
>
> iptables -A OUTPUT -p tcp ! --dport 80 -j REJECT
>
> Would at least block only tcp, although I bet you will find that you want to do
> mail and such. You are rapidly entering deep waters, I fear, but it's your machine.
>
Blocking output on port 80 will render your web browsers largely useless,
because web browsers send connection requests to web servers on port 80
using the TCP protocol.

-- 
users mailing list
[email protected]
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux