TCLUG Archive

Re: [TCLUG:13179] Firewall!!! (again)



On Tue, 1 Feb 2000, ^chewie wrote:
> AAAAHHHHHHH!!!!!!!
> 
> *REEOOOO...REEEEOOO...REOOOOO*  Achtung!!!  Alarm!  No!  Nicht!  Niet!
> Nada!!!
> 
> You have the classic Internet-DMZ-LAN setup...  Check out section 7 of the
> IPCHAINS-HOWTO.  It's pretty straightforward.  In fact, I've modeled most
> of my firewall stuff off it.  What you need to do, though is set up a
> lan-dmz chain and a dmz-lan chain.
> 
> Your lan-dmz chain should allow your client-server traffic, including
> ping.  If you have an email server or web server in your dmz, then that is
> the traffic you let through.  If you want ping, then let that through, but
> you should not do the following:
> 
> 	ipchains -P forward ACCEPT
> 
> unless the last rule of the chain is:
> 
> 	ipchains -A forward -j DENY -l
> 
> Otherwise, you're just opening yourself up.  You basically said, "Yeah,
> I'll accept any internet traffic coming through to my LAN."  Yes, it's
> more complicated than that, but it's usually a good practice to log those
> denied packets you don't expect to see very often.  Plus, it gives you a
> good view as to what type of traffic you see on your networks.
> 
> My advice to you is read IPCHAINS-HOWTO more closely.  If you need the
> quick fix between your LAN net and your DMZ net, use a rule like
> 
> 	ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
> 	ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
> 	ipchains -A forward -j DENY -l
> 
> At least this way if you have a packet that hits your inet-if and tries to
> destin itself for your dmz or your lan, it won't get forwarded. 
> 
> Another hint, the -j DENY -l is VERY useful for debugging WHY something
> won't go through.  Open up a console w/'tail -f /var/log/syslog' and play
> around.  Add rules as you need to.
> 

Yup. But he just needed to get things working. Plus there is no
masquerading on that network; everything is real IPs. I explained most of
that in a private e-mail.

-- 
Nate Carlson <carlson@real-time.com>    | Phone : (612)943-8700
http://www.real-time.com                | Fax   : (612)943-8500
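The quoted advice hinges on two things: ipchains evaluates a chain first-match, and the chain policy only decides packets that no rule matched. The following is an added example, not code from this thread or from the IPCHAINS-HOWTO: a small simulator of a forward chain that understands just the flags the quoted rules use (-i, -s, -j, -l). It assumes that in the forward chain -i names the interface the packet will leave on, and the interface names and address ranges standing in for <lan-if>, <dmz-if>, <lan.net> and <dmz.net> are constructed placeholders.

```python
"""First-match simulator for an ipchains forward chain (added example).

Models only -i, -s, -j and -l under first-match semantics; the chain policy
applies when no rule matches. Assumption: for the forward chain, -i is the
interface the packet leaves on. Topology values below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed placeholders for <inet-if>, <lan-if>, <dmz-if>, <lan.net>, <dmz.net>
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
LAN_NET = ipaddress.ip_network("192.0.2.0/24")
DMZ_NET = ipaddress.ip_network("198.51.100.0/24")


@dataclass
class Rule:
    target: str                                   # -j ACCEPT / DENY
    out_if: Optional[str] = None                  # -i <interface>
    src: Optional[ipaddress.IPv4Network] = None   # -s <net>/<mask>
    log: bool = False                             # -l


@dataclass
class Packet:
    src: str       # source address
    in_if: str     # interface it arrived on
    out_if: str    # interface routing would send it out of


@dataclass
class ForwardChain:
    policy: str                                   # ipchains -P forward <policy>
    rules: list = field(default_factory=list)
    log: list = field(default_factory=list)       # what -l would send to syslog

    def append(self, rule: Rule) -> None:         # ipchains -A forward ...
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:                   # first matching rule decides
            if rule.out_if is not None and rule.out_if != pkt.out_if:
                continue
            if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
                continue
            if rule.log:
                self.log.append(f"Packet log: forward {rule.target} {pkt.out_if} {pkt.src}")
            return rule.target
        return self.policy                        # nothing matched: chain policy


def quoted_chain() -> ForwardChain:
    """The three rules from the quoted post, with -P forward ACCEPT."""
    chain = ForwardChain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", out_if=LAN_IF, src=DMZ_NET))  # -i <lan-if> -s <dmz.net>
    chain.append(Rule("ACCEPT", out_if=DMZ_IF, src=LAN_NET))  # -i <dmz-if> -s <lan.net>
    chain.append(Rule("DENY", log=True))                      # -j DENY -l
    return chain


def open_chain() -> ForwardChain:
    """Same accept rules, but -P forward ACCEPT without the trailing DENY."""
    chain = ForwardChain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", out_if=LAN_IF, src=DMZ_NET))
    chain.append(Rule("ACCEPT", out_if=DMZ_IF, src=LAN_NET))
    return chain


# Constructed traffic samples
PACKETS = {
    "lan_to_dmz":     Packet("192.0.2.10",   LAN_IF,  DMZ_IF),
    "dmz_to_lan":     Packet("198.51.100.5", DMZ_IF,  LAN_IF),
    "inet_to_dmz":    Packet("203.0.113.7",  INET_IF, DMZ_IF),
    "inet_to_lan":    Packet("203.0.113.7",  INET_IF, LAN_IF),
    # claims a LAN source but arrives on the Internet interface
    "spoofed_to_dmz": Packet("192.0.2.10",   INET_IF, DMZ_IF),
}


def verdicts(chain: ForwardChain) -> dict:
    """Run every sample packet through the chain and return name -> verdict."""
    return {name: chain.verdict(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("quoted rules", quoted_chain()),
                         ("no trailing DENY", open_chain())):
        print(label, verdicts(chain))
        for line in chain.log:
            print("  ", line)
```

Run side by side, the two chains show the point of the post: with the trailing `-j DENY -l`, Internet traffic toward the DMZ or LAN is dropped and logged regardless of the policy, while without it the ACCEPT policy forwards it silently. The `spoofed_to_dmz` sample shows the limit of these three rules: they match on source address and outgoing interface only, so a packet arriving on the Internet interface with a LAN source address is accepted. Rules on the input chain that tie each network's addresses to the interface they are expected to arrive on close that gap.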