[conspire] quick firewall question

Ruben Safir ruben at mrbrklyn.com
Thu Aug 26 17:58:22 PDT 2010


On Thu, Aug 26, 2010 at 02:28:32PM -0700, Tony Godshall wrote:
> We seem to be talking past each other (to put it nicely)
> 
> https is port 443.  blocking it would block google services logins,
> since google goes to 443 for login.
> 
> your mention of 8080 makes me think I don't really understand your question
> 
> your mention of 192.0.0.0 network makes me think you don't really
> understand private networks
> 
> as to whether your daemons have clean access out, that depends which
> hosts they live on and which ports you've blocked from which hosts.
> for a particular host to have clean access out, you just need a -j
> ACCEPT rule for that host before your -j DROP rule for the rest of the
> net.
> 


Got it.  That is a good starting point.  But I'd still prefer to just
block the route to eth1 which, as you pointed out is 192.168.0.0
network.

Ruben
> On Thu, Aug 26, 2010 at 05:24, Ruben Safir <ruben at mrbrklyn.com> wrote:
> > Let me rephrase the question.
> >
> > I can do something like
> >
> > iptables -A OUTPUT -p tcp --dport 8080 -j DROP
> >
> > or
> >
> > iptables -A OUTPUT -p tcp -d 173.194.33.83 --dport 8080 -j DROP
> >
> > for blocking 8080 for gmail.  How can I do that only for traffic coming
> > from eth1 which is the internal network which sits on the 192.0.0.0
> > network and therefore not affecting my server daemons from having clean
> > access to the outside world?
> >
> > Ruben
> >

-- 
http://www.mrbrklyn.com - Interesting Stuff
http://www.nylxs.com - Leadership Development in Free Software

So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world  - RI Safir 1998

http://fairuse.nylxs.com  DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

"Yeah - I write Free Software...so SUE ME"

"The tremendous problem we face is that we are becoming sharecroppers to our own cultural heritage -- we need the ability to participate in our own society."

"> I'm an engineer. I choose the best tool for the job, politics be damned.<
You must be a stupid engineer then, because politics and technology have been attached at the hip since the 1st dynasty in Ancient Egypt.  I guess you missed that one."

© Copyright for the Digital Millennium
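Added example (not from either poster, and not a rule set from the thread): the rules that do what the question asks for, blocking TCP/8080 for the LAN behind eth1 while leaving the firewall's own daemons alone, and Tony's "ACCEPT before DROP" ordering for one exempt host.  The one point the thread never spells out is the chain: packets that merely transit the box from eth1 go through FORWARD, never through OUTPUT, so the OUTPUT rules quoted above cannot match LAN traffic at all, and putting the block in FORWARD keeps OUTPUT (and the local daemons) untouched.  Assumptions, all hypothetical: eth1 is the LAN side carrying 192.168.0.0/16 as Tony said, the box routes for that LAN, and 192.168.1.10 is the one host allowed out on every port.

```shell
#!/bin/sh
# Added example for the conspire thread, not the posters' own rules.
# Block TCP/8080 for LAN clients behind eth1 without touching the
# firewall's own outbound traffic.  Dry run by default: IPT is "echo
# iptables", so the script prints the rules; run as root with
# IPT=iptables to apply them.

LAN_IF="${LAN_IF:-eth1}"                  # assumed: internal interface
LAN_NET="${LAN_NET:-192.168.0.0/16}"      # assumed: LAN behind eth1
BLOCKED_PORT="${BLOCKED_PORT:-8080}"
EXEMPT_HOST="${EXEMPT_HOST:-192.168.1.10}"  # hypothetical host allowed out

# Emit (or apply) the rule set.  Only FORWARD is touched: traffic that
# transits the box from eth1 is matched there, while the daemons on the
# box itself send through OUTPUT, which this leaves alone.
gen_rules() {
    ipt="${IPT:-echo iptables}"
    # Tony's point: the per-host ACCEPT must come before the DROP, because
    # iptables stops at the first matching rule in the chain.
    $ipt -A FORWARD -i "$LAN_IF" -s "$EXEMPT_HOST" -j ACCEPT
    # Match on both the ingress interface and the source net; -s alone
    # would also catch a spoofed 192.168.x.x source arriving on another
    # interface, and -i alone would not care what the client claims to be.
    # DROP mirrors the thread; "-j REJECT --reject-with tcp-reset" would
    # fail the client's connect() at once instead of letting it time out.
    $ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$BLOCKED_PORT" -j DROP
}

# Verification after applying as root: "iptables -S FORWARD" should show
# the ACCEPT line above the DROP line, and "iptables -S OUTPUT" should be
# unchanged.
case "${1:-}" in
    --show) gen_rules ;;
esac
```

Blocking by destination address as in the quoted rules is fragile for a site like Gmail, whose addresses rotate; the interface-plus-port match is the part that actually answers "only for traffic coming from eth1".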
