Here's my firewall ipchains/masquerade configuration... The policies are set by /etc/rc.d/rc.local (which is also where I start pppd demand-dialing and Squid)...

-----------------------
:
:
#
# IP masquerade stuff
#
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc

ipchains -P forward DENY

#
# prevent spoofing private net addr's on ppp links (log it too)
# see draft-manning-dsua-01.txt
#
ipchains -A input -i ppp+ -s 10.0.0.0/8 -l -j DENY
ipchains -A input -i ppp+ -s 127.0.0.0/8 -l -j DENY
ipchains -A input -i ppp+ -s 172.16.0.0/12 -l -j DENY
ipchains -A input -i ppp+ -s 169.254.0.0/16 -l -j DENY
ipchains -A input -i ppp+ -s 192.168.0.0/16 -l -j DENY

# allow inbound ftp-data (not ftp-control)
ipchains -A input -i ppp+ -s 0/0 ftp-data -p tcp -y -l -j ACCEPT

# REJECT any inbound SYN (-y) connections on ppp links (log also)
ipchains -A input -i ppp+ -p TCP -s 0/0 -y -l -j REJECT

ipchains -A forward -j MASQ -s 192.168.1.0/24 -d 0.0.0.0/0

#
# DENY any NETBIOS outbound over the ppp links
#
ipchains -A output -i ppp+ -p udp -d 0/0 137:139 -j DENY
ipchains -A output -i ppp+ -p tcp -d 0/0 137:139 -j DENY
#
# End of IP masquerade stuff
#

#
# Start PPP dial-on-demand
# Note: /sbin/request-route is a symlink to /etc/ppp/[startup_file]
#
/sbin/request-route

#
# Start Squid Internet Cache
#
if [ -f /squid/cache/bin/RunCache ]; then
  echo -n ' Squid'
  (/squid/cache/bin/RunCache &)
fi
#
:
:
-----------------------

Once the policies are set, you should check the result (sorry for the long lines, but without the verbose switch you can't see the interface info):

-----------------------
[brian@hank brian]$ sudo ipchains -L -v
Chain input (policy ACCEPT: 12947379 packets, 3243286157 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
   46  2232 ACCEPT tcp  -y--l- 0xFF 0x00 ppp+   anywhere       anywhere    ftp-data -> any
    0     0 DENY   all  ----l- 0xFF 0x00 ppp+   192.168.1.0/24 anywhere    n/a
  222 11288 REJECT tcp  -y--l- 0xFF 0x00 ppp+   anywhere       anywhere    any -> any
   58  6870 DENY   all  ----l- 0xFF 0x00 ppp+   10.0.0.0/8     anywhere    n/a
    0     0 DENY   all  ----l- 0xFF 0x00 ppp+   127.0.0.0/8    anywhere    n/a
    2    80 DENY   all  ----l- 0xFF 0x00 ppp+   172.16.0.0/12  anywhere    n/a
    0     0 DENY   all  ----l- 0xFF 0x00 ppp+   169.254.0.0/16 anywhere    n/a
    9   702 DENY   all  ----l- 0xFF 0x00 ppp+   192.168.0.0/16 anywhere    n/a
Chain forward (policy DENY: 1264 packets, 103262 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
 284K   34M MASQ   all  ------ 0xFF 0x00 any    192.168.1.0/24 anywhere    n/a
Chain output (policy ACCEPT: 14845816 packets, 11365655902 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
   18  1080 DENY   tcp  ------ 0xFF 0x00 ppp+   anywhere       anywhere    any -> netbios-ns:netbios-ssn
  829  213K DENY   udp  ------ 0xFF 0x00 ppp+   anywhere       anywhere    any -> netbios-ns:netbios-ssn
-----------------------

To facilitate logging and reporting, I have this in my /etc/syslog.conf file--

-----------------------
:
:
# ipchains REJECT/DENY logs as kern.info - put into secure
kern.info                                       /var/log/secure
:
:
-----------------------

Then I have this in root's crontab--

-----------------------
:
:
58 23 * * * egrep 'ACCEPT|REJECT|DENY|AXFR' /var/log/secure > /tmp/secure.mail && /sbin/ipchains -v -L >> /tmp/secure.mail && cat /tmp/secure.mail | mail -s "SECURITY -- bad inbound packets/DNS Zone transfers" -c brianc@magicnet.net brian && rm /tmp/secure.mail
:
:
-----------------------

The first entry scans the secure log for ipchains info, dumps the current policy and mails the report to me both locally and at my magicnet address. I do both in case I can't get to the remote email, and in case the local mail is corrupted/compromised (due to a break-in or some such).

Once you've got your firewall working, test it out here: http://grc.com/default.htm, then click on the Shields-UP! icon... This is the Steve Gibson Research Company (they make Spinrite) site. There are a lot of web-based firewall testing sites, but I like Steve's (even if the recommendations tend to be a bit Windows-centric).

Finally, keep in mind that computer and network security is a process, not a "set-it-and-forget-it" task. You must keep on top of the latest patches for your software implementation (both OS and utilities). You need to monitor for attempted and (hopefully no) successful break-ins. You should have a plan in place to react to changes...

GOOD LUCK!
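The nightly report above appends the raw `ipchains -v -L` listing to the mail, which leaves the reader to eyeball the counters. The following is an added example (not part of the original post) that parses that verbose listing and summarises, per chain, how many packets each target handled and which of the anti-spoofing DENY rules on the ppp link have actually fired. The sample listing is the one from the post, re-typed with aligned columns. It assumes the column layout seen in that listing: ipchains leaves the `mark` and `outsize` columns blank and prints `any` for an unspecified interface, so a rule line is eight fixed fields followed by source, destination and the ports text; the `K`/`M`/`G` suffixes on large counters are treated as rounded thousands. Python is used rather than a shell pipeline because the column handling and suffix arithmetic are clearer that way.

```python
import re
from collections import defaultdict

# Constructed sample: the `ipchains -L -v` listing from the post, re-typed
# with the columns aligned. The empty mark/outsize columns are omitted by
# ipchains itself, so each rule line has eight fixed fields, then source,
# destination and the ports column (assumption drawn from this listing).
SAMPLE_LISTING = """\
Chain input (policy ACCEPT: 12947379 packets, 3243286157 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
   46  2232 ACCEPT tcp  -y--l- 0xFF 0x00 ppp+   anywhere       anywhere    ftp-data -> any
    0     0 DENY   all  ----l- 0xFF 0x00 ppp+   192.168.1.0/24 anywhere    n/a
  222 11288 REJECT tcp  -y--l- 0xFF 0x00 ppp+   anywhere       anywhere    any -> any
   58  6870 DENY   all  ----l- 0xFF 0x00 ppp+   10.0.0.0/8     anywhere    n/a
    0     0 DENY   all  ----l- 0xFF 0x00 ppp+   127.0.0.0/8    anywhere    n/a
    2    80 DENY   all  ----l- 0xFF 0x00 ppp+   172.16.0.0/12  anywhere    n/a
    0     0 DENY   all  ----l- 0xFF 0x00 ppp+   169.254.0.0/16 anywhere    n/a
    9   702 DENY   all  ----l- 0xFF 0x00 ppp+   192.168.0.0/16 anywhere    n/a
Chain forward (policy DENY: 1264 packets, 103262 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
 284K   34M MASQ   all  ------ 0xFF 0x00 any    192.168.1.0/24 anywhere    n/a
Chain output (policy ACCEPT: 14845816 packets, 11365655902 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source         destination ports
   18  1080 DENY   tcp  ------ 0xFF 0x00 ppp+   anywhere       anywhere    any -> netbios-ns:netbios-ssn
  829  213K DENY   udp  ------ 0xFF 0x00 ppp+   anywhere       anywhere    any -> netbios-ns:netbios-ssn
"""

# Built-in chains carry "policy X: N packets, M bytes"; user-defined chains
# show "refcnt N" instead, so the policy part is matched separately.
CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\):")
POLICY_RE = re.compile(r"policy (\S+): (\d+) packets, (\d+) bytes")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(token):
    """Expand the K/M/G suffix ipchains uses for large counters (rounded, so approximate)."""
    if token[-1] in SUFFIX:
        return int(token[:-1]) * SUFFIX[token[-1]]
    return int(token)


def parse_listing(text):
    """Return {chain: {"policy", "policy_pkts", "policy_bytes", "rules": [...]}}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            p = POLICY_RE.search(m.group(2))
            current = {"policy": p.group(1) if p else None,
                       "policy_pkts": int(p.group(2)) if p else 0,
                       "policy_bytes": int(p.group(3)) if p else 0,
                       "rules": []}
            chains[m.group(1)] = current
            continue
        fields = line.split()
        if current is None or len(fields) < 10 or fields[0] == "pkts":
            continue  # blank line or the column header
        current["rules"].append({
            "pkts": parse_count(fields[0]),
            "bytes": parse_count(fields[1]),
            "target": fields[2],
            "prot": fields[3],
            "logged": "l" in fields[4],    # -l set: matches are syslogged (kern.info)
            "syn_only": "y" in fields[4],  # -y set: rule matches SYN packets only
            "ifname": fields[7],
            "source": fields[8],
            "destination": fields[9],
            "ports": " ".join(fields[10:]),
        })
    return chains


def packets_by_target(chains, chain_name):
    """Total packet count per target (ACCEPT/DENY/REJECT/MASQ) within one chain."""
    totals = defaultdict(int)
    for rule in chains[chain_name]["rules"]:
        totals[rule["target"]] += rule["pkts"]
    return dict(totals)


def antispoof_hits(chains):
    """Input-chain DENY rules keyed on a specific source network that have matched."""
    return [(r["source"], r["pkts"]) for r in chains["input"]["rules"]
            if r["target"] == "DENY" and r["source"] != "anywhere" and r["pkts"] > 0]


def report(chains):
    """One line per chain, then one line per anti-spoofing rule that has fired."""
    lines = []
    for name, chain in chains.items():
        per_target = ", ".join("%s=%d" % kv for kv in sorted(packets_by_target(chains, name).items()))
        lines.append("%s: policy %s (%d pkts); %s" % (name, chain["policy"] or "n/a",
                                                      chain["policy_pkts"], per_target))
    for source, pkts in antispoof_hits(chains):
        lines.append("  spoofed source %s seen on ppp link: %d pkts" % (source, pkts))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_listing(SAMPLE_LISTING))))
```

Feeding the real listing in (`ipchains -v -L | python3 summarise.py`, reading `sys.stdin` instead of `SAMPLE_LISTING`) would let the cron job mail a short summary ahead of the raw dump; the anti-spoofing lines are the ones worth watching, since any hit there means a packet with a private or loopback source arrived over the dial-up link.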