Re: Filter....

Arnaud Girsch (girsch@marben.com)
Wed, 23 Oct 1996 17:33:18 -0700 (PDT)

> 1 permit 0.0.0.0/0 207.102.61.0/24 tcp dst eq 25
> 2 permit 0.0.0.0/0 207.102.61.0/24 udp dst eq 25
> 3 permit 0.0.0.0/0 207.102.61.0/24 tcp dst eq 110
> 4 permit 0.0.0.0/0 207.102.61.0/24 udp dst eq 110
> 5 permit 0.0.0.0/0 207.102.61.0/24 tcp dst eq 113
> 6 permit 0.0.0.0/0 207.102.61.0/24 udp dst eq 113
> 7 permit 0.0.0.0/0 207.102.61.0/24 tcp src eq 113
> 8 permit 0.0.0.0/0 207.102.61.0/24 udp src eq 113
> 9 permit 0.0.0.0/0 207.102.61.0/24 tcp dst eq 53
> 10 permit 0.0.0.0/0 207.102.61.0/24 udp dst eq 53
> 11 deny 207.102.61.0/24 0.0.0.0/0 tcp
> 12 deny 207.102.61.0/24 0.0.0.0/0 udp
> 13 deny 207.102.61.0/24 0.0.0.0/0 icmp
>
> Will this allow only mail and DNS within my network and deny all
> other services?

Providing this is your internet.in, this will allow:
. 1-2: incoming SMTP (mail) (why udp?)
. 3-4: incoming pop3 (why did you put udp?)
. 5-8: ident/authd/tap (why did you put udp?) in and out
. 9-10: DNS queries to your NS, and zones taken from your NS.

The default is to deny if it doesn't match any rule ... so 11-13 are useless.

But you might also want to add
permit 0.0.0.0/0 207.102.61.0/24 estab
which will allow incoming tcp traffic with a connection already established.

If you don't have that, your email won't go out for example (as you will be
able to connect outside, but will block the answer)

You might also want to add
permit 0.0.0.0/0 207.102.61.0/24 udp src eq 53
otherwise you won't have the ability to query outside NS.

I think you might need to sit down a little bit more, and think about the
traffic you need to filter, and let through.

Arnaud.

-- 
Arnaud Girsch  -+- agirsch@marben.com -+- Marben Products, Inc. - San Jose, CA
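The evaluation Arnaud describes (first matching rule wins, no match means deny, and why the two extra rules are needed) as an added Python model; this is example code, not part of the original thread. The rule set mirrors the poster's inbound rules 1-10, the sample packets are constructed, and `estab` is modelled as "TCP ACK bit set", which is an assumption about the filter's keyword.

```python
from ipaddress import ip_address, ip_network

LAN = "207.102.61.0/24"
ANY = "0.0.0.0/0"

def rule(action, src, dst, proto, match=None):
    """match is None, ("src"|"dst", port) or "estab"."""
    return (action, ip_network(src), ip_network(dst), proto, match)

# Inbound rules 1-10 from the question (rules 11-13 omitted: default deny covers them).
BASE_RULES = [
    rule("permit", ANY, LAN, "tcp", ("dst", 25)),
    rule("permit", ANY, LAN, "udp", ("dst", 25)),
    rule("permit", ANY, LAN, "tcp", ("dst", 110)),
    rule("permit", ANY, LAN, "udp", ("dst", 110)),
    rule("permit", ANY, LAN, "tcp", ("dst", 113)),
    rule("permit", ANY, LAN, "udp", ("dst", 113)),
    rule("permit", ANY, LAN, "tcp", ("src", 113)),
    rule("permit", ANY, LAN, "udp", ("src", 113)),
    rule("permit", ANY, LAN, "tcp", ("dst", 53)),
    rule("permit", ANY, LAN, "udp", ("dst", 53)),
]

# The two additions suggested in the reply.
EXTRA_RULES = [
    rule("permit", ANY, LAN, "tcp", "estab"),       # replies to outbound TCP connections
    rule("permit", ANY, LAN, "udp", ("src", 53)),   # answers from outside name servers
]

PORT_KEY = {"src": "sport", "dst": "dport"}

def matches(r, pkt):
    action, src, dst, proto, match = r
    if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
        return False
    if proto != pkt["proto"]:
        return False
    if match is None:
        return True
    if match == "estab":
        # Assumption: a stateless "established" check looks only at the ACK flag.
        return bool(pkt.get("ack", False))
    side, port = match
    return pkt[PORT_KEY[side]] == port

def decide(rules, pkt):
    """First matching rule wins; an unmatched packet is denied."""
    for r in rules:
        if matches(r, pkt):
            return r[0]
    return "deny"
```

Running `decide` with and without `EXTRA_RULES` shows the SYN/ACK of an outbound mail connection and a DNS answer from an external server being dropped by the original list alone.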