From: Askar <askarali@gmail.com>
To: netfilter <netfilter@lists.netfilter.org>
Subject: going default DROP
Date: Sat, 25 Sep 2004 11:31:20 +0600
Message-ID: <a0f69e5040924223152fe70b6@mail.gmail.com>
hi,
okay, now I'm seriously wanting to convert the default ACCEPTED fw
machine by my predecessor to default DROP, coz it is very hard to
maintain an ACCEPTED fw and I'm getting tired of monitoring tcpdump and
then adding new rules to the firewall script.
As I told before, it is a small ISP (limitations: no more than 150
users at a time) and our clients are connected to us via dialup.
Before going to deploy my desired fw script I want to monitor the
users' traffic for a while; maybe I would go outside and interview a few
cyber cafes, to decide *what* to DROP and which packets to allow.
Remember our clients are not that power users, very normal in nature;
when online the majority of them are accessing port 80, IM, chatting,
emailing, irc etc. We have set up a cache "squid" for port 80 related
things and it's doing very well.
Therefore I think it would not be difficult to deploy a default DROP
script, yes maybe in the starting days we could lose a few clients ;)
As I'm kinda new to security and iptables stuff, however I want to
prove that this sort of policy is possible in a (small) ISP environment.
= now can someone guide me what is the good way to monitor traffic, i.e.
what ports clients are accessing, and then in the light of this I would
finalize my script.
= any sample scripts for such an environment and links?
Any other suggestions would be greatly appreciated.
regards
Askar
--
(after bouncing head on desk for days trying to get mine working, I'll make
yer life a little easier)
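The message above asks how to find out which ports the dial-up clients actually use before the FORWARD policy is switched to DROP. The following is an added example (not part of the original thread, and not a netfilter project script): it logs the first packet of each new forwarded connection with iptables and then summarizes the resulting kernel log lines into a per-protocol/port count. The interface pattern `ppp+`, the log prefix `FW-NEW:` and the sample log lines are assumptions/constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Monitoring step before the
# FORWARD chain is moved to a default DROP policy.
#
# Step 1 (run as root on the firewall; shown in a comment, not executed by
# the function below): log the first packet of every NEW connection that a
# client forwards through the box, rate-limited so syslog stays readable.
# "ppp+" is assumed to match the dial-up client interfaces.
#
#   iptables -I FORWARD -i ppp+ -m state --state NEW \
#       -m limit --limit 10/second -j LOG --log-prefix "FW-NEW: "
#
# Step 2: turn the LOG lines (from syslog or dmesg) into a table of
# "PROTO DPT COUNT", most frequent first, so the ACCEPT rules of the
# default-DROP script can be written from observed use instead of guesses.
summarize_ports() {
    awk '
        /FW-NEW:/ {
            proto = ""; dpt = "-"            # ICMP lines carry no DPT=
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "") count[proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

# Constructed sample in the iptables LOG line format (not real traffic).
SAMPLE_LOG='Sep 25 11:31:20 fw kernel: FW-NEW: IN=ppp3 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.10 PROTO=TCP SPT=1034 DPT=80 SYN
Sep 25 11:31:22 fw kernel: FW-NEW: IN=ppp5 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.25 PROTO=TCP SPT=1040 DPT=80 SYN
Sep 25 11:31:25 fw kernel: FW-NEW: IN=ppp3 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.11 PROTO=TCP SPT=1035 DPT=6667 SYN
Sep 25 11:31:30 fw kernel: FW-NEW: IN=ppp2 OUT=eth0 SRC=10.0.0.4 DST=203.0.113.53 PROTO=UDP SPT=1025 DPT=53
Sep 25 11:31:33 fw kernel: FW-NEW: IN=ppp5 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.12 PROTO=TCP SPT=1041 DPT=80 SYN
Sep 25 11:31:40 fw kernel: FW-NEW: IN=ppp2 OUT=eth0 SRC=10.0.0.4 DST=203.0.113.80 PROTO=TCP SPT=1026 DPT=110 SYN
Sep 25 11:31:41 fw kernel: FW-NEW: IN=ppp2 OUT=eth0 SRC=10.0.0.4 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0'

# Usage: pipe the kernel log into the summary (here the constructed sample).
printf '%s\n' "$SAMPLE_LOG" | summarize_ports
```

On the sample this prints `TCP 80 3` first, then the single-hit ICMP, TCP 110, TCP 6667 and UDP 53 entries; on a real log, run it against a day or two of output before writing the ACCEPT rules.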