On Sat, 19 May 2001, Brian wrote:

> I just got my cable modem up and running. My plan is to plug a linux box
> into the cable modem as a router and have multiple boxen behind it. I
> also want to run Apache, sendmail, IRC, SSH, and a few other services on
> it. The problem is firewalling. I like to write TIGHT scripts (after
> being compromised once I'm a little over-paranoid) by opening up just the
> service I need and DENYing any other packet from any source that's not on
> my specific guest list.
>
> The problem here is that everything inside the router gets blocked. ICQ,
> Napster, and a plethora of other oddball IP apps stop working because I've
> firewalled them out, but I don't want people breaking into my router. Is
> there a good way to run this setup?

If you allow 1024: -> 1024: without the SYN bit set (! -y in ipchains;
can't remember in iptables), and make SURE you don't have any services
running on 1024+ on your firewall (MySQL is a good example), you are
generally pretty safe. This (along with the proper masquerading modules
in 2.2, or the stateful module in 2.4) will allow most of those to work.

--
Nate Carlson <natecars at real-time.com>   | Phone : (952)943-8700
http://www.real-time.com                   | Fax   : (952)943-8500
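The two rulesets Nate describes, written out as an added example (this is not code from the thread or from either poster). The iptables equivalent of ipchains' `! -y` is `! --syn`; the first function is that stateless form, the second is the 2.4 connection-tracking form that makes the high-port hole unnecessary. The third function implements the precondition he stresses: it scans `ss -tln`-style listener output for anything bound on a port at or above 1024. The interface name `eth0`, the service port list and the sample listener table are constructed placeholders, and with `DRY_RUN` left at its default the script only prints the rules it would apply.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Assumptions: EXT_IF and SERVICE_PORTS are placeholders for the real
# external interface and the published services; DRY_RUN=1 (default) prints
# the iptables commands instead of running them.

EXT_IF="${EXT_IF:-eth0}"
SERVICE_PORTS="${SERVICE_PORTS:-22 25 80 6667}"   # ssh smtp http irc, as in the question
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables invocation, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Stateless ruleset, the iptables rendering of ipchains "! -y":
# default DROP, the published services, then any TCP segment from a high
# port to a high port that does not carry SYN.
# Caveat: every non-SYN segment to ports >= 1024 is admitted, which is
# exactly why nothing may listen there on the firewall itself.
rules_stateless() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    for p in $SERVICE_PORTS; do
        run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -j ACCEPT
    done
    run iptables -A INPUT -i "$EXT_IF" -p tcp --sport 1024: --dport 1024: ! --syn -j ACCEPT
}

# Same policy on a 2.4 kernel with the state module: only packets that
# belong to a connection already tracked (i.e. one that left from inside)
# are admitted, so the blanket high-port rule is no longer needed.
rules_stateful() {
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $SERVICE_PORTS; do
        run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Read "ss -tln" output on stdin and print each listening port >= 1024.
# Any hit is a service the stateless rule above would leave reachable
# (loopback-only binds are reported too; check the bind address by hand).
high_listeners() {
    awk 'NR > 1 { n = split($4, a, ":"); port = a[n]; if (port + 0 >= 1024) print port }' \
        | sort -n | uniq
}

# Constructed sample of "ss -tln" output, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    0.0.0.0:25          0.0.0.0:*
LISTEN 0      128    *:80                *:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:6667           [::]:*'

main() {
    echo "# stateless ruleset (ipchains ! -y equivalent)"
    rules_stateless
    echo "# stateful ruleset (2.4 state module)"
    rules_stateful
    echo "# TCP listeners on ports >= 1024 in the sample:"
    printf '%s\n' "$SAMPLE_SS" | high_listeners
}

main
```

Run with `DRY_RUN=0` as root to apply one of the two rulesets for real; on a live box feed `ss -tln` (or `netstat -tln` on older systems) into `high_listeners` instead of the sample, and treat any reported port as something to move below 1024, bind to an internal address, or firewall explicitly before relying on the stateless rule.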