TCLUG Archive

Re: [TCLUG:7419] firewall configuration
Quotes are Clay's:
> ipchains are used for much more than IP Masquerading.

Sorry. I read what I wrote and I was obviously not clear. I _know_ that the
ipchains tool is used for more than masquerading. (I have been using it as a
firewall at home for months!) But I've never heard of ipchains _not_ used to
facilitate masquerading. So I think it's odd that 'rlz' didn't account for
that in his CGI.

And thanks for the explanation of the three-line MASQ command, Clay. (Why
didn't I think that it needed to be explained? *Slaps his forehead*)

> No you do not need to open up a hole above 61000. I never heard that and
> I would be interested in where you got that information. IP Masquerading
> doesn't use any ports to work. The three commands are all you need to get
> it going.

I got that information from the PortSentry documentation (on your
recommendation, actually), specifically portsentry.conf:

# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading [....]

And when I originally configured my firewall, I saw requests go out on the
well-known ports (80 for www, for example) but they returned on really high
ports. (Or was it the other way around? It's been so long since I did this.)
Am I hallucinating? (Or maybe, because I log almost every packet into my
network, I notice this and others don't?) Has no one else seen this?

Yes, the three-line command is all you need to get IP masquerading going,
but it also leaves all your server's ports open. It's not a huge deal if
you're using a ppp connexion, IMHO, but if you have a static IP or your box
is up most of the time (like mine), this three-line command is an attack
waiting to happen. (I can give very painful stories, if anyone needs to be
convinced.)

-- 

Nothing convinces me that computing is an art so much as a bad install.

David Guy Brizan          brizan@freenet.msp.mn.us          612-814-8223


"Clayton T. Fandre" wrote:
> 
> David Guy Brizan wrote:
> >
> > Hey folks! This is a follow up from Clay's talk on Saturday. (Thanks
> > Clay! Very informative.) For those of you who are using ipchains to do
> > firewalling, here is a URL which, used properly, generates a script
> > which can be used for the "rc.firewall" which Clay makes reference to:
> >
> >         http://rlz.ne.mediaone.net/linux/firewall/
> 
> Thanks. I will put that link on the TCLUG web page.
> 
> >
> > (Start by selecting "General Home System..." unless you happen to be a
> > mediaone.net customer, I guess.)
> >
> > I found it a little hard to understand, personally. And, unless I missed
> > something, it doesn't account for IP Masquerading at all, which, I
> > believe, is the most common thing ipchains / ipfwadm are used for on
> > Linux.
> 
> ipchains are used for much more than IP Masquerading. Basically they are
> used to manage firewall rules in Linux. A Linux firewall does NOT have
> to be using IP Masquerading. It could just be used to route packets
> between two networks. Therefore ipchains would just be used to determine
> what is to be accepted/rejected. Just think of it as a packet-filter.
> 
> >
> > Oh well. Maybe someone can step up and make something similar, but
> > better. Maybe I will, if I suddenly get a heap of free time on my hands.
> > In the mean time, these commands are taken from the ("3.1.  Rusty's
> > Three-Line Guide To Masquerading" section of the) IPCHAINS-HOWTO:
> >
> >         # ipchains -P forward DENY
> >         # ipchains -A forward -i ppp0 -j MASQ
> >         # echo 1 > /proc/sys/net/ipv4/ip_forward
> >
> > (Substitute ppp0 with your "external" interface, of course.) The two, in
> > combination, should give you a decent firewall / router... except, I
> > believe, you have to open all ports above 61000 for masquerading. (See
> > previous question and -- I hope -- discussion.)
> 
> No you do not need to open up a hole above 61000. I never heard that and
> I would be interested in where you got that information. IP Masquerading
> doesn't use any ports to work. The three commands are all you need to get
> it going.
> 
> To explain the command again:
> 
> ipchains -P forward DENY               # This sets the default policy to DENY EVERYTHING
> ipchains -A forward -i ppp0 -j MASQ    # This adds a forward policy through ppp0 for all masqueraded packets.
> echo 1 > /proc/sys/net/ipv4/ip_forward # This enables packet forwarding in the kernel
> 
> Clay
> 
> --
> Clay Fandre
> cfandre@maddog.mn-linux.org
> Twin Cities Linux Users Group
> http://www.mn-linux.org
> 
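As an added illustration (not from this thread or the IPCHAINS-HOWTO): a small Python model of the Linux 2.2 ipchains packet walk, showing why the three-line setup leaves the firewall host's own ports reachable from ppp0 and where the 61000-65095 masquerade range the thread argues about comes in. The rule and packet structures, the `walk` function and the sample masquerade table are constructed assumptions for the model, not kernel code.

```python
# Added example, not from the thread: a toy model of the Linux 2.2 ipchains packet
# walk (input chain -> demasquerade -> routing -> forward chain). Rules, packets and
# the masquerade table are constructed; nothing here touches a real kernel.

MASQ_RANGE = range(61000, 65096)  # ports 2.2 masquerading rewrites source ports into

def rule(chain, target, iface=None, proto=None, dports=None):
    """One rule. In 'input' iface is the arrival interface; in 'forward' it is
    the outgoing interface, which is how ipchains -i behaves in each chain."""
    return {"chain": chain, "target": target, "iface": iface,
            "proto": proto, "dports": dports}

def matches(r, pkt, iface):
    return ((r["iface"] is None or r["iface"] == iface)
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and (r["dports"] is None or pkt["dport"] in r["dports"]))

def run_chain(rules, policy, chain, pkt, iface):
    for r in rules:
        if r["chain"] == chain and matches(r, pkt, iface):
            return r["target"]
    return policy[chain]  # default policy when no rule matched

def walk(rules, policy, pkt, masq_table):
    """Return where the packet ends up: 'local', 'lan', 'masq' or 'dropped'."""
    if run_chain(rules, policy, "input", pkt, pkt["in_if"]) != "ACCEPT":
        return "dropped"
    # Demasquerading happens only after the input chain accepts the packet:
    # replies to masqueraded flows arrive on 61000+ and skip the forward chain.
    if pkt["dport"] in MASQ_RANGE and pkt["dport"] in masq_table:
        return "lan"
    if pkt["to_firewall"]:
        return "local"
    verdict = run_chain(rules, policy, "forward", pkt, pkt["out_if"])
    return "masq" if verdict == "MASQ" else "dropped"

def packet(in_if, out_if, proto, dport, to_firewall=False):
    return {"in_if": in_if, "out_if": out_if, "proto": proto,
            "dport": dport, "to_firewall": to_firewall}

POLICY = {"input": "ACCEPT", "forward": "DENY"}  # only "-P forward DENY" was set
# Rusty's three lines: the input chain keeps its ACCEPT default.
THREE_LINE = [rule("forward", "MASQ", iface="ppp0")]
# Same masquerading, but ppp0 may reach the firewall host only on the masquerade
# reply range, which the kernel must see before it can demasquerade.
HARDENED = [rule("input", "ACCEPT", iface="ppp0", proto="tcp", dports=MASQ_RANGE),
            rule("input", "ACCEPT", iface="ppp0", proto="udp", dports=MASQ_RANGE),
            rule("input", "DENY", iface="ppp0"),
            rule("forward", "MASQ", iface="ppp0")]
MASQ_TABLE = {61003}  # one LAN connection currently masqueraded on port 61003
```

With THREE_LINE, `walk(THREE_LINE, POLICY, packet("ppp0", None, "tcp", 23, to_firewall=True), MASQ_TABLE)` returns 'local' (telnet on the firewall is reachable from outside); HARDENED returns 'dropped' for the same packet while LAN traffic is still masqueraded and replies on 61003 still reach the LAN.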