TCLUG Archive
Re: [TCLUG:13179] Firewall!!! (again)
On Tue, 1 Feb 2000, ^chewie wrote:
> AAAAHHHHHHH!!!!!!!
>
> *REEOOOO...REEEEOOO...REOOOOO* Achtung!!! Alarm! No! Nicht! Niet!
> Nada!!!
>
> You have the classic Internet-DMZ-LAN setup... Check out section 7 of the
> IPCHAINS-HOWTO. It's pretty straightforward. In fact, I've modeled most
> of my firewall stuff off it. What you need to do, though, is set up a
> lan-dmz chain and a dmz-lan chain.
>
> Your lan-dmz chain should allow your client-server traffic, including
> ping. If you have an email server or web server in your dmz, then that is
> the traffic you let through. If you want ping, then let that through, but
> you should not do the following:
>
> ipchains -P forward ACCEPT
>
> unless the last rule of the chain is:
>
> ipchains -A forward -j DENY -l
>
> Otherwise, you're just opening yourself up. You basically said, "Yeah,
> I'll accept any internet traffic coming through to my LAN." Yes, it's
> more complicated than that, but it's usually a good practice to log those
> denied packets you don't expect to see very often. Plus, it gives you a
> good view as to what type of traffic you see on your networks.
>
> My advice to you is read IPCHAINS-HOWTO more closely. If you need the
> quick fix between your LAN net and your DMZ net, use a rule like
>
> ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
> ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
> ipchains -A forward -j DENY -l
>
> At least this way if you have a packet that hits your inet-if and tries to
> destine itself for your dmz or your lan, it won't get forwarded.
>
> Another hint: the -j DENY -l is VERY useful for debugging WHY something
> won't go through. Open up a console w/'tail -f /var/log/syslog' and play
> around. Add rules as you need to.
>
Yup. But he just needed to get things working. Plus there is no
masquerading on that network; everything is real IPs. I explained most of
that in a private e-mail.
--
Nate Carlson <carlson@real-time.com> | Phone : (612)943-8700
http://www.real-time.com | Fax : (612)943-8500
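Added example, not from either poster or the IPCHAINS-HOWTO: the three-interface Internet/DMZ/LAN layout discussed above, built the way the quoted message recommends (separate lan-dmz and dmz-lan chains, a DENY default policy instead of ACCEPT, and a logging DENY as the last forward rule). Interface names, networks and DMZ host addresses are assumed placeholders; the DRY_RUN mode only prints the ipchains commands so the ruleset can be reviewed without root or a 2.2 kernel.

```shell
#!/bin/sh
# Assumed addressing (edit for your site; no masquerading, real IPs as in the thread).
INET_IF=eth0
LAN_IF=eth1;  LAN_NET=192.168.1.0/24
DMZ_IF=eth2;  DMZ_NET=10.0.0.0/24
WEB=10.0.0.2; MAIL=10.0.0.3              # assumed DMZ servers

# DRY_RUN=1 echoes each command instead of running ipchains.
ipc() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

build_forward_rules() {
    ipc -P forward DENY                  # never '-P forward ACCEPT'
    ipc -F forward
    ipc -N lan-dmz 2>/dev/null; ipc -F lan-dmz
    ipc -N dmz-lan 2>/dev/null; ipc -F dmz-lan

    # lan-dmz: only the client->server traffic you actually use, plus ping.
    ipc -A lan-dmz -p tcp  -s "$LAN_NET" -d "$WEB" 80  -j ACCEPT
    ipc -A lan-dmz -p tcp  -s "$LAN_NET" -d "$MAIL" 25 -j ACCEPT
    ipc -A lan-dmz -p icmp -s "$LAN_NET" -d "$DMZ_NET" -j ACCEPT
    ipc -A lan-dmz -j DENY -l

    # dmz-lan: TCP replies only ('! -y' = no SYN, so no new connections
    # initiated from the DMZ toward the LAN), plus ping.
    ipc -A dmz-lan -p tcp ! -y -s "$DMZ_NET" -d "$LAN_NET" -j ACCEPT
    ipc -A dmz-lan -p icmp     -s "$DMZ_NET" -d "$LAN_NET" -j ACCEPT
    ipc -A dmz-lan -j DENY -l

    # In the forward chain '-i' is the interface the packet will go OUT on
    # (IPCHAINS-HOWTO), which is also how the quick-fix rules above read.
    ipc -A forward -i "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_NET" -j lan-dmz
    ipc -A forward -i "$LAN_IF" -s "$DMZ_NET" -d "$LAN_NET" -j dmz-lan

    # Everything else, including a packet arriving on $INET_IF that claims a
    # LAN or DMZ source, is logged to syslog and dropped here.
    ipc -A forward -j DENY -l
}

case "${1:-}" in
    apply) build_forward_rules ;;            # as root, on the firewall
    show)  DRY_RUN=1; build_forward_rules ;; # review the ruleset first
esac
```

Run `sh fw.sh show` and compare the printed rules with `tail -f /var/log/syslog` output from the logging DENY rules before committing with `apply`.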