TCLUG Archive

Re: [TCLUG:13179] Firewall!!! (again)

On Tue, Feb 01, 2000 at 10:03:40AM -0600, Nate Carlson wrote:

> You need to do ip forwarding between the two interfaces. Here's something
> that should get you working:
> ipchains -P forward ACCEPT

AAAAHHHHHHH!!!!!!!

*REEOOOO...REEEEOOO...REOOOOO*  Achtung!!!  Alarm!  No!  Nicht!  Niet!
Nada!!!

You have the classic Internet-DMZ-LAN setup...  Check out section 7 of the
IPCHAINS-HOWTO.  It's pretty straightforward.  In fact, I've modeled most
of my firewall stuff off it.  What you need to do, though, is set up a
lan-dmz chain and a dmz-lan chain.

Your lan-dmz chain should allow your client-server traffic, including
ping.  If you have an email server or web server in your dmz, then that is
the traffic you let through.  If you want ping, then let that through, but
you should not do the following:

	ipchains -P forward ACCEPT

unless the last rule of the chain is:

	ipchains -A forward -j DENY -l

Otherwise, you're just opening yourself up.  You basically said, "Yeah,
I'll accept any internet traffic coming through to my LAN."  Yes, it's
more complicated than that, but it's usually a good practice to log those
denied packets you don't expect to see very often.  Plus, it gives you a
good view as to what type of traffic you see on your networks.

My advice to you is read IPCHAINS-HOWTO more closely.  If you need the
quick fix between your LAN net and your DMZ net, use a rule like

	ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
	ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
	ipchains -A forward -j DENY -l

At least this way, if you have a packet that hits your inet-if and tries to
destine itself for your dmz or your lan, it won't get forwarded.

Another hint: the -j DENY -l is VERY useful for debugging WHY something
won't go through.  Open up a console w/ 'tail -f /var/log/syslog' and play
around.  Add rules as you need to.

-- 
Chad Walstrom                         mailto:chewie@wookimus.net 
a.k.a ^chewie, gunnarr               http://wookimus.net/~chewie

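An added example (not from the original mail, and not ipchains code) that models the forward-chain semantics the reply relies on: the first matching rule decides, the chain policy applies only when nothing matches, and on the forward chain `-i` names the outgoing interface. The interface names, networks and the Internet host address are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed topology (not from the mail): eth0 faces the Internet,
# eth1 faces the LAN and eth2 faces the DMZ.
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
LAN_NET, DMZ_NET = "192.168.1.0/24", "192.168.2.0/24"

@dataclass
class Rule:
    target: str                      # -j ACCEPT or -j DENY
    out_if: Optional[str] = None     # -i: on the forward chain this is the OUTGOING interface
    src: Optional[str] = None        # -s <net>/<mask>
    log: bool = False                # -l: log the match to syslog

@dataclass
class Chain:
    policy: str                      # -P forward <policy>
    rules: List[Rule] = field(default_factory=list)

def forward(chain: Chain, src_ip: str, out_if: str):
    """First-match evaluation of the forward chain.
    Returns (verdict, logged); if no rule matches, the chain policy
    applies and nothing is logged."""
    for r in chain.rules:
        if r.out_if is not None and r.out_if != out_if:
            continue
        if r.src is not None and ip_address(src_ip) not in ip_network(r.src):
            continue
        return r.target, r.log
    return chain.policy, False

# The quoted suggestion: 'ipchains -P forward ACCEPT' with no rules behind it.
wide_open = Chain(policy="ACCEPT")

# The quick fix from the reply: policy still ACCEPT, but the chain ends in DENY -l.
quick_fix = Chain(policy="ACCEPT", rules=[
    Rule("ACCEPT", out_if=LAN_IF, src=DMZ_NET),  # -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
    Rule("ACCEPT", out_if=DMZ_IF, src=LAN_NET),  # -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
    Rule("DENY", log=True),                       # -j DENY -l
])

if __name__ == "__main__":
    internet_host = "203.0.113.7"   # constructed: a packet that arrived on the inet-if
    for name, chain in (("policy ACCEPT only", wide_open), ("with DENY -l", quick_fix)):
        print(f"{name}: Internet host -> DMZ = {forward(chain, internet_host, DMZ_IF)}")
```

Because these rules match only on source network and outgoing interface, a packet arriving on the inet-if with a forged DMZ or LAN source address still hits the first ACCEPT, so the quick fix closes the wide-open forward policy but is not a substitute for the full per-interface chains of section 7.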