[conspire] quick firewall question

Tony Godshall tony at of.net
Thu Aug 26 14:28:32 PDT 2010


We seem to be talking past each other (to put it nicely)

https is port 443.  blocking it would block google services logins,
since google goes to 443 for login.

your mention of 8080 makes me think I don't really understand your question

your mention of 192.0.0.0 network makes me think you don't really
understand private networks

as to whether your daemons have clean access out, that depends which
hosts they live on and which ports you've blocked from which hosts.
for a particular host to have clean access out, you just need a -j
ACCEPT rule for that host before your -j DROP rule for the rest of the
net.

On Thu, Aug 26, 2010 at 05:24, Ruben Safir <ruben at mrbrklyn.com> wrote:
> Let me rephrase the question.
>
> I can do something like
>
> iptables -A OUTPUT -p tcp --dport 8080 -j DROP
>
> or
>
> iptables -A OUTPUT -p tcp -d 173.194.33.83 --dport 8080 -j DROP
>
> for blocking 8080 for gmail.  How can I do that only for traffic coming
> from eth1, which is the internal network which sits on the 192.0.0.0
> network, and therefore not affect my server daemons from having clean
> access to the outside world?
>
> Ruben
>
> --
> http://www.mrbrklyn.com - Interesting Stuff
> http://www.nylxs.com - Leadership Development in Free Software
>
> So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998
>
> http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>
> "Yeah - I write Free Software...so SUE ME"
>
> "The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."
>
> "> I'm an engineer. I choose the best tool for the job, politics be damned.<
> You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."
>
> © Copyright for the Digital Millennium
>
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire
>
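The ordering Tony describes (a host-specific `-j ACCEPT` placed before the `-j DROP` for the rest of the net) and the interface scoping Ruben asks for, as an added example that is not part of either message in this thread. One caveat the thread does not spell out: the `OUTPUT` chain only sees packets generated by the firewall host itself, so the quoted `OUTPUT` rules would affect the server's own daemons rather than internal hosts; traffic that arrives on eth1 and is routed out is handled in the `FORWARD` chain, which is where `-i eth1` scopes a block to the internal network. The interface name eth1 and port 8080 are taken from the thread; the internal host address 192.168.0.10 is a constructed placeholder (192.0.0.0 is not an RFC 1918 private range, as Tony notes). By default the script only prints the rules; run it as root with `IPT=iptables` to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread: emit iptables rules that block an
# outbound TCP port only for traffic forwarded from the internal interface,
# leaving the firewall host's own daemons (OUTPUT chain) untouched.
# IPT defaults to a dry run that prints the rules; set IPT=iptables as root
# to apply them.
IPT="${IPT:-echo iptables}"

# Assumed values: eth1 and 8080 come from the thread, the rest are
# placeholders chosen for this example.
INT_IF="${INT_IF:-eth1}"          # internal interface
BLOCK_PORT="${BLOCK_PORT:-8080}"  # destination port to block

# egress_rules DST ALLOW_HOST
#   DST        destination address to match, or "any" for all destinations
#   ALLOW_HOST internal host that keeps clean access ("" for none)
# Prints the rules in the order they must be appended: the exemption
# (ACCEPT) first, then the DROP for everything else on the interface.
egress_rules() {
    dst="$1"
    allow_host="$2"
    dstarg=""
    if [ "$dst" != "any" ]; then
        dstarg="-d $dst"
    fi
    # 1. Exemption: a rule for the trusted host must come before the DROP,
    #    because iptables matches rules in order and stops at the first hit.
    if [ -n "$allow_host" ]; then
        $IPT -A FORWARD -i "$INT_IF" -s "$allow_host" -p tcp $dstarg --dport "$BLOCK_PORT" -j ACCEPT
    fi
    # 2. Block the port for all other traffic arriving on the internal
    #    interface. Locally generated traffic never traverses FORWARD, so
    #    the host's own daemons are unaffected.
    $IPT -A FORWARD -i "$INT_IF" -p tcp $dstarg --dport "$BLOCK_PORT" -j DROP
}

# Example invocation: block 8080 to the Google address from the thread for
# everyone on eth1 except the constructed host 192.168.0.10.
egress_rules 173.194.33.83 192.168.0.10
```

Running the script without `IPT` set prints the two rules in order; `egress_rules any ''` gives the interface-wide block with no exemption.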