
[cobalt-security] Calling all IPChain Gurus



Pardon the obviously wanker address, but I wish to keep the current state of our site's security (or lack thereof) less than well known.

--

After scouring dozens of helpful posts and resources I am finally beginning to get a bit of a handle on IPChains. Which is to say that I am still fairly lost ;)

So far, I am using the rules generated via the firewall configurator found at:

	http://www.linux-firewall-tools.com/linux/firewall/index.html

I am still uncertain if the rules that are set are appropriate. I am looking for a set of IPChain commands that I can run via a shell script that will reject (with logging?) everything, with the exception of the following:


- allow FTP access *to* the machine but only from a privileged IP

- allow FTP access *from* the machine (to get files etc.)

- allow mail to get to the machine (this box will run sendmail with POP clients accessing it)

- allow mail to get out (not only will the webserver send mail, but so will POP clients)

- allow SSH access (to and from the machine)

- allow DNS to operate (this box is a web server that will also act as its primary dns, at least to start)

- allow web in, including SSL access and also admin access (port 81)

- allow web out (command line lynx, wget etc.)


Basically your standard web server/small time web host setup.

Any input would be extremely helpful, and would go towards a mini-cobalt-as-webserver/webhost-ipchains FAQ that I will eventually compile... if this doesn't first drive me batty instead.

Best regards,
Gordon
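
An input-chain rule set matching the policy listed above, as an added example that is not part of the original post and not output of the linked configurator. The addresses and interface name are constructed placeholders, and the sketch assumes the output chain stays at ACCEPT and that outbound FTP clients use passive mode.

```shell
#!/bin/sh
# Added example. All addresses are constructed placeholders.
IP="192.0.2.10"            # this server's public address
FTP_ADMIN="198.51.100.7"   # the single host allowed to FTP in
IF="eth0"                  # external interface (assumed name)
ANY="0.0.0.0/0"
HI="1024:65535"            # unprivileged ports used by clients

# Prints the commands instead of running them, so the policy can be reviewed.
emit_rules() {
  echo "ipchains -F input"
  echo "ipchains -P input DENY"
  echo "ipchains -A input -i lo -j ACCEPT"

  # ipchains keeps no connection state. Replies to connections this box
  # opened (web, mail, SSH, DNS over TCP, FTP control and passive-mode data)
  # are recognised only as TCP segments that are not a bare SYN (! -y).
  echo "ipchains -A input -i $IF -p tcp ! -y -s $ANY -d $IP $HI -j ACCEPT"

  # Services open to everyone: SSH, SMTP, DNS, HTTP, admin, POP3, HTTPS.
  for port in 22 25 53 80 81 110 443; do
    echo "ipchains -A input -i $IF -p tcp -s $ANY $HI -d $IP $port -j ACCEPT"
  done

  # DNS over UDP: queries to this name server, and answers to its own lookups.
  echo "ipchains -A input -i $IF -p udp -s $ANY -d $IP 53 -j ACCEPT"
  echo "ipchains -A input -i $IF -p udp -s $ANY 53 -d $IP $HI -j ACCEPT"

  # Inbound FTP from the privileged host only: control channel, ACKs for
  # active-mode data sent from port 20, and passive-mode data connections.
  echo "ipchains -A input -i $IF -p tcp -s $FTP_ADMIN $HI -d $IP 21 -j ACCEPT"
  echo "ipchains -A input -i $IF -p tcp ! -y -s $FTP_ADMIN $HI -d $IP 20 -j ACCEPT"
  echo "ipchains -A input -i $IF -p tcp -s $FTP_ADMIN $HI -d $IP $HI -j ACCEPT"

  # Path MTU discovery and error reporting need destination-unreachable.
  echo "ipchains -A input -i $IF -p icmp --icmp-type destination-unreachable -j ACCEPT"

  # Everything else is rejected and logged (-l) through syslog.
  echo "ipchains -A input -l -j REJECT"
}

emit_rules
```

Running the script only prints the commands; piping its output to `sh` as root applies them. Because the `! -y` rule admits any non-SYN segment to high ports, services listening on ports above 1023 still need their own access controls.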




