TCLUG Archive

Re: [TCLUG:7419] firewall configuration



David Guy Brizan wrote:
> Hmm. Maybe I configured my rules badly or I don't understand the whole
> business of ipchains, but I think if you are trying to create a firewall
> out of your Linux box -- not just a router or ip masquerading machine --
> you must open those ports (above 61000) on input. (According to the
> IPCHAINS-HOWTO, ipchains checks the input chain *before* it decides
> whether a packet should be masqueraded or demasqueraded.) But maybe I
> misunderstand the HOWTO.

OK. Maybe I was unclear when I said the default policy was deny. The
default policy for the forward chain ruleset is deny. The default policy
for the input and output rulesets is ACCEPT. Therefore all packets will
be able to enter and leave the system (ip masq system only), but
anything that is supposed to be forwarded will go through the masq rules.
There is a security risk there since anyone can get to the ip masq
system, but that is why I suggested using PortSentry.

Basically no packets will be able to get into your internal network
because they must all pass through the forward rules, which state that
only internal IPs can pass (which will be masqueraded). The return
connections are already established with ip masq so you don't need to
worry about that.

As for the 61000 ports, you don't need to open that up if your ip masq
machine is also your firewall. If it isn't (i.e. you have another
firewall farther outside your ip masq machine) you must open up your
firewall to allow ports 61000-65000 OUT only. I never had to do this. I
am just telling you what I read.

> 
> Are you using ipchains as a firewall / router: filtering input and
> masquerading other machines? Are you seeing packets automatically
> de-masqueraded in spite of rules on your input chain? If so, would you
> share your rules with me (or a secure enough subset)? I'd love a better
> set of rules than I have now!
> 

I am using the simple ip masq rules, and here is my output of ipchains -L:

Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
Chain output (policy ACCEPT):

Clay


-- 
Clay Fandre
cfandre@maddog.mn-linux.org
Twin Cities Linux Users Group
http://www.mn-linux.org
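An added example, not from Clay's post or from the TCLUG archive: a small Python script that parses a listing in the `ipchains -L` format shown above and reports the same things the reply reasons about, namely that the forward chain must default to DENY, that MASQ rules should only carry internal (RFC 1918) sources, and that an input chain with policy ACCEPT and no rules leaves the masq host itself reachable on every port. The two sample listings are constructed here (the first is the one quoted in the post, including the wrapped "ports" header), and the function names and the private-range check are my assumptions, not part of ipchains.

```python
"""Audit an `ipchains -L` listing the way the thread above reasons about it.

Added example; the listing format is the Linux 2.2 ipchains one shown in
the post, the checks are assumptions about what a masquerading firewall
should look like.
"""
import ipaddress
import re

# RFC 1918 ranges: the only sources we expect behind a MASQ rule (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample 1: the listing quoted in the post, kept exactly as it
# arrived, with the "ports" column header wrapped onto its own line.
SAMPLE_LISTING = """\
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target     prot opt     source                destination
ports
MASQ       all  ------  192.168.0.0/24        anywhere              n/a
Chain output (policy ACCEPT):
"""

# Constructed sample 2: a misconfigured box, for contrast (forward defaults
# to ACCEPT and masquerades any source).
BAD_LISTING = """\
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  anywhere              anywhere              n/a
Chain output (policy ACCEPT):
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\):")


def parse_ipchains(listing):
    """Return {chain_name: {"policy": str, "rules": [dict, ...]}}."""
    chains = {}
    current = None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split()
        # Skip blank lines, the column header, and a header fragment that
        # wrapped onto its own line (as "ports" did in the quoted listing).
        if not fields or fields[0] == "target" or fields == ["ports"]:
            continue
        if current is None or len(fields) < 5:
            continue
        target, prot, opt, source, dest = fields[:5]
        chains[current]["rules"].append({
            "target": target, "prot": prot, "opt": opt,
            "source": source, "destination": dest,
            "ports": " ".join(fields[5:]) or "n/a",
        })
    return chains


def audit(chains):
    """Return a list of human-readable findings; empty means nothing to flag."""
    findings = []
    fwd = chains.get("forward")
    if fwd is None or fwd["policy"] != "DENY":
        findings.append("forward chain policy is not DENY: traffic between "
                        "interfaces is forwarded unless a rule blocks it")
    for rule in (fwd["rules"] if fwd else []):
        if rule["target"] != "MASQ":
            continue
        try:
            src = ipaddress.ip_network(rule["source"], strict=False)
        except ValueError:
            # "anywhere" (or any non-CIDR source) cannot be shown to be internal.
            findings.append(f"MASQ rule with source {rule['source']!r}: "
                            "cannot confirm it is limited to the internal net")
            continue
        if not any(src.subnet_of(p) for p in PRIVATE_NETS):
            findings.append(f"MASQ rule masquerades non-private source {src}")
    inp = chains.get("input")
    if inp and inp["policy"] == "ACCEPT" and not inp["rules"]:
        findings.append("input chain accepts everything: the masq host itself "
                        "is reachable on every port (hence the PortSentry advice)")
    return findings


if __name__ == "__main__":
    for name, listing in (("quoted listing", SAMPLE_LISTING),
                          ("misconfigured listing", BAD_LISTING)):
        print(f"== {name} ==")
        for f in audit(parse_ipchains(listing)) or ["no findings"]:
            print(" -", f)
```

Run it on a saved `ipchains -L` dump by reading the file into `parse_ipchains`; the parser tolerates the header wrap and blank lines, and `audit` only flags the MASQ and policy points discussed in the thread, so it is a sanity check on the listing rather than a full rule analyser.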