TCLUG Archive
Re: [TCLUG:13179] Firewall!!! (again)
Still.
Doing just a straight ALL is like asking for it.
You need to quantify which IPs can do what to make this security scheme
effective.
On Tue, 1 Feb 2000, Nate Carlson wrote:
> On Tue, 1 Feb 2000, ^chewie wrote:
> > AAAAHHHHHHH!!!!!!!
> >
> > *REEOOOO...REEEEOOO...REOOOOO* Achtung!!! Alarm! No! Nicht! Niet!
> > Nada!!!
> >
> > You have the classic Internet-DMZ-LAN setup... Check out section 7 of the
> > IPCHAINS-HOWTO. It's pretty straightforward. In fact, I've modeled most
> > of my firewall stuff off it. What you need to do, though, is set up a
> > lan-dmz chain and a dmz-lan chain.
> >
> > Your lan-dmz chain should allow your client-server traffic, including
> > ping. If you have an email server or web server in your dmz, then that is
> > the traffic you let through. If you want ping, then let that through, but
> > you should not do the following:
> >
> > ipchains -P forward ACCEPT
> >
> > unless the last rule of the chain is:
> >
> > ipchains -A forward -j DENY -l
> >
> > Otherwise, you're just opening yourself up. You basically said, "Yeah,
> > I'll accept any internet traffic coming through to my LAN." Yes, it's
> > more complicated than that, but it's usually a good practice to log those
> > denied packets you don't expect to see very often. Plus, it gives you a
> > good view as to what type of traffic you see on your networks.
> >
> > My advice to you is read IPCHAINS-HOWTO more closely. If you need the
> > quick fix between your LAN net and your DMZ net, use a rule like
> >
> > ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
> > ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
> > ipchains -A forward -j DENY -l
> >
> > At least this way if you have a packet that hits your inet-if and is
> > destined for your dmz or your lan, it won't get forwarded.
> >
> > Another hint, the -j DENY -l is VERY useful for debugging WHY something
> > won't go through. Open up a console w/'tail -f /var/log/syslog' and play
> > around. Add rules as you need to.
> >
>
> Yup. But he just needed to get things working. Plus there is no
> masquerading on that network; everything is real IPs. I explained most of
> that in a private e-mail.
>
>
--
Scott Dier <dieman@ringworld.org> #nicnac@efnet 612.301.0265
destiny's admin | Robots are most often found in server rooms,
http://www.ringworld.org | wire closets, switching stations-basically,
finger me at | anywhere that offers maximum exposure to
dieman@destiny.ringworld.org| technology and minimum interaction with
for gnupg/pgp key | human beings.
| -NetSlaves(the book)/B.Lessard/S.Baldwin
| (Robot is a NetSlave caste)
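The point ^chewie makes above (a forward policy of ACCEPT with no closing "-j DENY -l" forwards anything that does not hit an explicit rule) is easy to see by replaying the three quoted rules through a first-match evaluator. The script below is an added illustration written for this archive page, not code from the thread or from the IPCHAINS-HOWTO. It simulates ipchains chain evaluation in Python (ipchains itself is not run); the interface names eth0/eth1/eth2, the 192.168.1.0/24 and 192.168.2.0/24 networks and the four sample packets are constructed placeholders, while the matching semantics follow ipchains(8): on the input chain "-i" is the interface a packet arrived on, on the forward chain it is the interface the packet will leave by. It goes one step beyond the quoted rules by also showing why "-s <dmz.net>" alone does not stop a packet arriving on the inet-if with a forged DMZ source, and where (the input chain) such a packet would have to be dropped.

```python
"""Replay ipchains forward/input rules with first-match semantics.

Added example for the TCLUG archive page, not code from the thread.
Addresses, interface names and sample packets below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One 'ipchains -A <chain> [-i IF] [-s NET/MASK] -j TARGET [-l]' rule."""
    target: str                        # ACCEPT or DENY  (-j)
    iface: Optional[str] = None        # -i, None means "any"
    src: Optional[IPv4Network] = None  # -s, None means "any"
    log: bool = False                  # -l


@dataclass(frozen=True)
class Packet:
    in_if: str        # interface the packet arrived on
    out_if: str       # interface routing will send it out on
    src: IPv4Address
    dst: IPv4Address


@dataclass
class Chain:
    name: str
    policy: str                               # ipchains -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet, log: List[str]) -> str:
        """First matching rule decides; with no match the policy applies.
        ipchains(8): -i is the receiving interface on the input chain and the
        outgoing interface on the forward chain."""
        iface = pkt.in_if if self.name == "input" else pkt.out_if
        for n, r in enumerate(self.rules, 1):
            if r.iface is not None and r.iface != iface:
                continue
            if r.src is not None and pkt.src not in r.src:
                continue
            if r.log:  # what '-l' would put in syslog
                log.append(f"{self.name} rule {n} {r.target} "
                           f"{pkt.src}->{pkt.dst} in={pkt.in_if} out={pkt.out_if}")
            return r.target
        return self.policy


def route(pkt: Packet, chains: List[Chain], log: List[str]) -> str:
    """A forwarded packet traverses input first, then forward; the first
    non-ACCEPT verdict ends it."""
    for chain in chains:
        v = chain.verdict(pkt, log)
        if v != "ACCEPT":
            return v
    return "ACCEPT"


# Constructed topology (assumption): eth0 = inet-if, eth1 = lan-if, eth2 = dmz-if
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
LAN_NET = IPv4Network("192.168.1.0/24")
DMZ_NET = IPv4Network("192.168.2.0/24")


def forward_chain(final_deny: bool) -> Chain:
    """The quoted rules, with 'ipchains -P forward ACCEPT' as the policy:
         ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
         ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
         ipchains -A forward -j DENY -l        (only when final_deny)"""
    rules = [Rule("ACCEPT", LAN_IF, DMZ_NET),   # DMZ -> LAN
             Rule("ACCEPT", DMZ_IF, LAN_NET)]   # LAN -> DMZ
    if final_deny:
        rules.append(Rule("DENY", log=True))
    return Chain("forward", "ACCEPT", rules)


def antispoof_input_chain() -> Chain:
    """Not in the thread: drop internal source addresses arriving on inet-if.
         ipchains -A input -i <inet-if> -s <lan.net>/<mask> -j DENY -l
         ipchains -A input -i <inet-if> -s <dmz.net>/<mask> -j DENY -l"""
    return Chain("input", "ACCEPT", [Rule("DENY", INET_IF, LAN_NET, True),
                                     Rule("DENY", INET_IF, DMZ_NET, True)])


# Constructed sample packets
PACKETS = {
    "dmz_to_lan": Packet(DMZ_IF, LAN_IF, IPv4Address("192.168.2.10"), IPv4Address("192.168.1.20")),
    "lan_to_dmz": Packet(LAN_IF, DMZ_IF, IPv4Address("192.168.1.20"), IPv4Address("192.168.2.10")),
    "inet_to_lan": Packet(INET_IF, LAN_IF, IPv4Address("203.0.113.5"), IPv4Address("192.168.1.20")),
    "spoofed_dmz_src": Packet(INET_IF, LAN_IF, IPv4Address("192.168.2.10"), IPv4Address("192.168.1.20")),
}


def run(final_deny: bool, antispoof: bool) -> Tuple[Dict[str, str], List[str]]:
    """Verdict per sample packet plus the lines '-l' would have logged."""
    log: List[str] = []
    chains = ([antispoof_input_chain()] if antispoof else []) + [forward_chain(final_deny)]
    return {name: route(p, chains, log) for name, p in PACKETS.items()}, log


if __name__ == "__main__":
    for final_deny, antispoof in ((False, False), (True, False), (True, True)):
        verdicts, log = run(final_deny, antispoof)
        print(f"final DENY -l: {final_deny}, input anti-spoof: {antispoof}")
        for name, v in verdicts.items():
            print(f"  {name:16} {v}")
        for line in log:
            print("  syslog:", line)
```

With only the two ACCEPT rules and the ACCEPT policy, the inet_to_lan packet is forwarded because nothing matched it; adding the closing DENY -l turns that into a logged deny, which is the quick fix the quoted message describes. The spoofed_dmz_src packet still gets through the forward chain in that configuration, since the rule only checks the outgoing interface and the source network; a deny on the input chain keyed on the inet-if is what catches it.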