---

---

Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 107 NAMESERVER_2 This is the IP address of your Secondary DNS Server from your network or your ISP. LOOPBACK The loopback address range is 127.0.0.0/8. The interface itself is addressed as 127.0.0.1 (in /etc/hosts). PRIVPORTS The privileged ports, 0 through 1023, are usually referenced in total. UNPRIVPORTS The unprivileged ports, 1024 through 65535, are usually referenced in total. They are addresses dynamically assigned to the client side of a connection. Default Policy A firewall has a default policy and a collection of actions to take in response to specific message types. This means that if a given packet has not been selected by any other rule, then the default policy rule will be applied. Enabling Local Traffic Since the default policies for all example firewall rules scripts files on this book are to deny everything, some of these rules must be unset. Local network services do not go through the external network interface. They go through a special, private interface called the loopback interface. None of your local network programs will work until loopback traffic is allowed. # Unlimited traffic on the loopback interface. ipchains -A input  -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT Source Address Filtering All IP packet headers contain the source and destination IP addresses and the type of IP protocol message (ICMP, UDP or TCP) this packet contains. The only means of identification under the Internet Protocol (IP) is the source address in the IP packet header. This is a problem that opens the door to source address spoofing, where the sender may replaces its address with either a nonexistent address, or the address of some other site. # Refuse spoofed packets pretending to be from the external address. ipchains -A input  -i $EXTERNAL_INTERFACE -s $IPADDR -l -j DENY Also, there are at least seven sets of source addresses you should refuse on your external interface in all cases. These are incoming packets claiming to be from: · Your external IP address · Class A private IP addresses · Class B private IP addresses · Class C private IP addresses · Class D multicast addresses · Class E reserved addresses · The loopback interface With the exception of your own IP address, blocking outgoing packets containing these source addresses protects you from possible configuration errors on your part.