[Techtalk] More fiddling-generated problems
Nils Philippsen
nils at wombat.dialup.fht-esslingen.de
Tue Jul 9 15:52:14 EST 2002
On Tue, 2002-07-09 at 13:21, Patricia Fraser wrote:
> Here's what I get (after a bastille-firewall start) with -L -v (first part
> only):
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 DROP tcp -- !lo any anywhere 127.0.0.0/8
> 2 388 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
> 0 0 PUB_IN all -- eth+ any anywhere anywhere
> 0 0 PUB_IN all -- ppp+ any anywhere anywhere
> 0 0 PUB_IN all -- slip+ any anywhere anywhere
> 0 0 DROP all -- any any anywhere anywhere
>
> When I put your rule in again, I got (using -L -v)
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 DROP tcp -- !lo any anywhere 127.0.0.0/8
> 43 5403 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
> 0 0 ACCEPT all -- lo any anywhere anywhere
> 0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
> 0 0 PUB_IN all -- eth+ any anywhere anywhere
> 0 0 PUB_IN all -- ppp+ any anywhere anywhere
> 0 0 PUB_IN all -- slip+ any anywhere anywhere
> 0 0 DROP all -- any any anywhere anywhere
>
> now... let's see if it works (ie either is the rule active or is it doing any
> good)? nope; problem remains... but if I restart bastille, the rule will fall
> out, ne? grrr...
The problem can remain if you try to access your machine by its real IP
instead of 127.0.0.1 (which you must use for CUPS in its default
configuration). Yes, any manually appended rules will fall out.
> Do I maybe need to get rid of rule 2 (I can do that with iptables -D, can't
> I?) and see what then?
I'd get rid of the rule I suggested to you as rule two/three is the same
and you don't want every packet checked against that rule. Maybe you
should open up access to your box from your local network a bit?
Nils
--
Nils Philippsen / Berliner Straße 39 / D-71229 Leonberg //
+49.7152.209647
nils at wombat.dialup.fht-esslingen.de / nils at redhat.de /
nils at fht-esslingen.de
Ever noticed that common sense isn't really all that common?
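An added example, not part of the thread: a small parser for one chain of `iptables -L -v` output that flags the two things discussed above, a rule that duplicates an existing one (the re-added `lo` ACCEPT beside Bastille's own) and rules placed after a catch-all that can never match. The listing below is a constructed sample modelled on the second quoted output.

```python
import re

# Constructed sample modelled on the second listing quoted above: the manually
# re-added "lo" rule sits at position 1, Bastille's own copy at position 4.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source destination
    0     0 ACCEPT all -- lo   any anywhere anywhere
    0     0 DROP   tcp -- !lo  any anywhere 127.0.0.0/8
   43  5403 ACCEPT all -- any  any anywhere anywhere state RELATED,ESTABLISHED
    0     0 ACCEPT all -- lo   any anywhere anywhere
    0     0 DROP   all -- any  any BASE-ADDRESS.MCAST.NET/4 anywhere
    0     0 PUB_IN all -- eth+ any anywhere anywhere
    0     0 DROP   all -- any  any anywhere anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# prot opt in out source destination, with no trailing match extension
CATCH_ALL = ("all", "--", "any", "any", "anywhere", "anywhere")

def parse_listing(text):
    """Parse one chain of `iptables -L -v` output into (chain, policy, rules).

    Each rule is a dict with 'pkts', 'bytes', 'target' and 'match'; 'match' is
    the tuple of every column after the target, including trailing extensions
    such as 'state RELATED,ESTABLISHED', so it identifies the rule itself.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    m = CHAIN_RE.match(lines[0])
    if not m:
        raise ValueError("not an iptables chain listing")
    rules = []
    for line in lines[2:]:  # lines[1] is the column-header row
        f = line.split()
        rules.append({"pkts": int(f[0]), "bytes": int(f[1]),
                      "target": f[2], "match": tuple(f[3:])})
    return m.group(1), m.group(2), rules

def find_duplicates(rules):
    """1-based (first, later) positions of rules with identical target and match."""
    seen, dups = {}, []
    for pos, r in enumerate(rules, 1):
        key = (r["target"], r["match"])
        if key in seen:
            dups.append((seen[key], pos))
        else:
            seen[key] = pos
    return dups

def find_shadowed(rules):
    """1-based positions of rules that follow a catch-all rule and never match."""
    for pos, r in enumerate(rules, 1):
        if r["match"] == CATCH_ALL:
            return list(range(pos + 1, len(rules) + 1))
    return []
```

Feeding it the live output of `iptables -L INPUT -v` (run as root) after a `bastille-firewall start` shows whether a manually appended rule survived the restart and where it landed.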