[Techtalk] More fiddling-generated problems

Nils Philippsen nils at wombat.dialup.fht-esslingen.de
Tue Jul 9 15:52:14 EST 2002


On Tue, 2002-07-09 at 13:21, Patricia Fraser wrote:
> Here's what I get (after a bastille-firewall start) with -L -v (first part 
> only):
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
>     2   388 ACCEPT     all  --  any    any     anywhere             anywhere   state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>     0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
>     0     0 PUB_IN     all  --  eth+   any     anywhere             anywhere
>     0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
>     0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
>     0     0 DROP       all  --  any    any     anywhere             anywhere
> 
> When I put your rule in again, I got (using -L -v)
> 
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>     0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
>    43  5403 ACCEPT     all  --  any    any     anywhere             anywhere   state RELATED,ESTABLISHED
>     0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
>     0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
>     0     0 PUB_IN     all  --  eth+   any     anywhere             anywhere
>     0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
>     0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
>     0     0 DROP       all  --  any    any     anywhere             anywhere
> 
> now... let's see if it works (i.e. either is the rule active or is it doing any 
> good)? nope; problem remains... but if I restart bastille, the rule will fall 
> out, ne? grrr...

The problem can remain if you try to access your machine by its real IP
instead of 127.0.0.1 (which you must use for CUPS in its default
configuration). Yes, any manually appended rules will fall out.

> Do I maybe need to get rid of rule 2 (I can do that with iptables -D, can't 
> I?) and see what then? 

I'd get rid of the rule I suggested to you as rule two/three is the same
and you don't want every packet checked against that rule. Maybe you
should open up access to your box from your local network a bit?

Nils
-- 
 Nils Philippsen / Berliner Straße 39 / D-71229 Leonberg // +49.7152.209647
 nils at wombat.dialup.fht-esslingen.de / nils at redhat.de / nils at fht-esslingen.de
        Ever noticed that common sense isn't really all that common?
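The two points Nils makes (a connection to the box's real IP never reaches the loopback ACCEPT rule, and a rule inserted with -I at the top just duplicates one Bastille already has) come down to first-match evaluation of the INPUT chain. The following is an added example, not code from the thread or from Bastille: a small Python parser for the `iptables -L INPUT -v` listing format quoted above, with a first-match evaluator run over a constructed listing modelled on the posted one. The interface names, the 192.168.1.0/24 network and the position chosen for the inserted rule are assumptions for illustration.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
SYMBOLIC = {"anywhere": "0.0.0.0/0", "BASE-ADDRESS.MCAST.NET/4": "224.0.0.0/4"}  # -L without -n
Packet = namedtuple("Packet", "proto in_iface src dst state")

@dataclass
class Rule:
    target: str
    proto: str                  # "all", "tcp", "udp", ...
    in_iface: str               # "any", "lo", "!lo", "eth+", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    states: frozenset = field(default_factory=frozenset)  # empty: no --state match

def _net(token):
    return ipaddress.ip_network(SYMBOLIC.get(token, token), strict=False)

def parse_listing(text):
    """Parse `iptables -L INPUT -v` output into (policy, [Rule])."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "pkts":     # blank line or column header
            continue
        if tok[0] == "Chain":               # "Chain INPUT (policy DROP ..."
            policy = tok[3]
            continue
        # pkts bytes target prot opt in out source destination [state A,B]
        _, _, target, proto, _, in_if, _, src, dst, *extra = tok
        rule = Rule(target, proto, in_if, _net(src), _net(dst))
        if extra[:1] == ["state"]:
            rule.states = frozenset(extra[1].split(","))
        rules.append(rule)
    return policy, rules

def _iface_match(pattern, iface):
    if pattern == "any":
        return True
    if pattern.startswith("!"):
        return not _iface_match(pattern[1:], iface)
    if pattern.endswith("+"):               # wildcard: eth+ matches eth0, eth1, ...
        return iface.startswith(pattern[:-1])
    return pattern == iface

def _matches(rule, pkt):
    return (rule.proto in ("all", pkt.proto)
            and _iface_match(rule.in_iface, pkt.in_iface)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (not rule.states or pkt.state in rule.states))

def verdict(policy, rules, pkt):  # first match wins; a jump to a user chain (PUB_IN) is reported by name
    for pos, rule in enumerate(rules, start=1):
        if _matches(rule, pkt):
            return rule.target, pos
    return policy, None                     # fell off the end: chain policy applies

def insert_rule(rules, rule, position=1):   # like `iptables -I INPUT <position>` (1-based)
    rules.insert(position - 1, rule)

def duplicates(rules):  # 1-based positions of rules identical to an earlier one; the later copy is dead
    return [(i + 1, j + 1) for i in range(len(rules))
            for j in range(i + 1, len(rules)) if rules[i] == rules[j]]

# Constructed listing modelled on the one in the thread, not captured from a real host.
LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  !lo    any     anywhere             127.0.0.0/8
    2   388 ACCEPT     all  --  any    any     anywhere             anywhere  state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     BASE-ADDRESS.MCAST.NET/4  anywhere
    0     0 PUB_IN     all  --  eth+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  ppp+   any     anywhere             anywhere
    0     0 PUB_IN     all  --  slip+  any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""

def demo():
    policy, rules = parse_listing(LISTING)
    via_loopback = Packet("tcp", "lo", "127.0.0.1", "127.0.0.1", "NEW")        # CUPS default
    via_real_ip = Packet("tcp", "eth0", "192.168.1.20", "192.168.1.1", "NEW")  # assumed LAN
    out = {"loopback": verdict(policy, rules, via_loopback),
           "real_ip": verdict(policy, rules, via_real_ip)}
    # An ACCEPT-on-lo rule put in with `-I INPUT` duplicates the one Bastille already has.
    redundant = list(rules)
    insert_rule(redundant, Rule("ACCEPT", "all", "lo", _net("anywhere"), _net("anywhere")))
    out["duplicate_lo"] = duplicates(redundant)
    # Opening the LAN (assumed 192.168.1.0/24): appended with -A the rule sits behind the
    # catch-all DROP and is never reached; inserted ahead of the PUB_IN jumps it takes effect.
    lan_ok = Rule("ACCEPT", "all", "eth+", _net("192.168.1.0/24"), _net("anywhere"))
    out["lan_appended"] = verdict(policy, rules + [lan_ok], via_real_ip)
    opened = list(rules)
    insert_rule(opened, lan_ok, position=5)
    out["lan_inserted"] = verdict(policy, opened, via_real_ip)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

On a real host the same check is `iptables -L INPUT -v -n --line-numbers`, which gives the positions the evaluator reports here. A packet arriving on eth0 for the real IP is handed to PUB_IN (a chain Bastille fills in and which this listing does not show), so an ACCEPT that only matches `lo` cannot help it, and a rule appended with -A lands after the final DROP and is never consulted. Since Bastille rebuilds the chains on restart, a rule that is meant to stay belongs in its configuration rather than in an ad-hoc -I.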