TCLUG Archive

Re: [TCLUG:13179] Firewall!!! (again)



Still.

Doing just a straight ALL is like asking for it.

You need to quantify which IPs can do what to make this security scheme
effective.

On Tue, 1 Feb 2000, Nate Carlson wrote:

> On Tue, 1 Feb 2000, ^chewie wrote:
> > AAAAHHHHHHH!!!!!!!
> > 
> > *REEOOOO...REEEEOOO...REOOOOO*  Achtung!!!  Alarm!  No!  Nicht!  Niet!
> > Nada!!!
> > 
> > You have the classic Internet-DMZ-LAN setup...  Check out section 7 of the
> > IPCHAINS-HOWTO.  It's pretty straightforward.  In fact, I've modeled most
> > of my firewall stuff off it.  What you need to do, though is set up a
> > lan-dmz chain and a dmz-lan chain.
> > 
> > Your lan-dmz chain should allow your client-server traffic, including
> > ping.  If you have an email server or web server in your dmz, then that is
> > the traffic you let through.  If you want ping, then let that through, but
> > you should not do the following:
> > 
> > 	ipchains -P forward ACCEPT
> > 
> > unless the last rule of the chain is:
> > 
> > 	ipchains -A forward -j DENY -l
> > 
> > Otherwise, you're just opening yourself up.  You basically said, "Yeah,
> > I'll accept any internet traffic coming through to my LAN."  Yes, it's
> > more complicated than that, but it's usually a good practice to log those
> > denied packets you don't expect to see very often.  Plus, it gives you a
> > good view as to what type of traffic you see on your networks.
> > 
> > My advice to you is read IPCHAINS-HOWTO more closely.  If you need the
> > quick fix between your LAN net and your DMZ net, use a rule like
> > 
> > 	ipchains -A forward -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
> > 	ipchains -A forward -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
> > 	ipchains -A forward -j DENY -l
> > 
> > At least this way if you have a packet that hits your inet-if and tries to
> > destin itself for your dmz or your lan, it won't get forwarded. 
> > 
> > Another hint, the -j DENY -l is VERY useful for debugging WHY something
> > won't go through.  Open up a console w/'tail -f /var/log/syslog' and play
> > around.  Add rules as you need to.
> > 
> 
> Yup. But he just needed to get things working. Plus there is no
> masquerading on that network; everything is real IPs. I explained most of
> that in a private e-mail.
> 
> 

-- 
Scott Dier <dieman@ringworld.org> #nicnac@efnet 612.301.0265
      destiny's admin       | Robots are most often found in server rooms, 
 http://www.ringworld.org   | wire closets, switching stations-basically,
       finger me at         | anywhere that offers maximum exposure to
dieman@destiny.ringworld.org| technology and minimum interaction with
     for gnupg/pgp key	    | human beings.
			    |  -NetSlaves(the book)/B.Lessard/S.Baldwin
			    |    (Robot is a NetSlave caste)
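The forward chain the quoted post describes, as an added example that is not code from the thread: a small first-match simulation of ipchains forward-chain semantics loaded with the post's three rules, showing why a default ACCEPT policy without the trailing `-j DENY -l` lets an outside packet through to the LAN, and what the `-l` rule would put in syslog. Interface names and address blocks are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed Internet-DMZ-LAN layout; names and address blocks are assumptions.
INET_IF, LAN_IF, DMZ_IF = "eth0", "eth1", "eth2"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")


@dataclass
class Rule:
    """One 'ipchains -A forward ...' line, limited to the options the post uses."""
    target: str                                   # -j ACCEPT / -j DENY
    iface: Optional[str] = None                   # -i <if>: in the forward chain, the
                                                  #   interface the packet will LEAVE on
    src: Optional[ipaddress.IPv4Network] = None   # -s <net>/<mask>
    log: bool = False                             # -l


def rule_matches(rule: Rule, out_if: str, src: str) -> bool:
    if rule.iface is not None and rule.iface != out_if:
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    return True


def forward_chain(rules, policy: str, out_if: str, src: str, syslog: list) -> str:
    """First matching rule decides, as in ipchains; no match falls to the chain policy."""
    for rule in rules:
        if rule_matches(rule, out_if, src):
            if rule.log:   # the '-l' lines are what 'tail -f /var/log/syslog' shows
                syslog.append(f"Packet log: forward {rule.target} {out_if} src={src}")
            return rule.target
    return policy


# The post's three rules, in order; the trailing DENY -l is the catch-all.
RULES = [
    Rule("ACCEPT", iface=LAN_IF, src=DMZ_NET),   # -i <lan-if> -s <dmz.net>/<mask> -j ACCEPT
    Rule("ACCEPT", iface=DMZ_IF, src=LAN_NET),   # -i <dmz-if> -s <lan.net>/<mask> -j ACCEPT
    Rule("DENY", log=True),                      # -j DENY -l
]


def demo():
    log, inet_src = [], "203.0.113.5"   # constructed outside address (TEST-NET-3)
    return {
        "dmz_to_lan": forward_chain(RULES, "ACCEPT", LAN_IF, "192.168.2.10", log),
        "lan_to_dmz": forward_chain(RULES, "ACCEPT", DMZ_IF, "192.168.1.20", log),
        "inet_to_lan_with_rules": forward_chain(RULES, "ACCEPT", LAN_IF, inet_src, log),
        "inet_to_lan_policy_only": forward_chain([], "ACCEPT", LAN_IF, inet_src, log),
        "logged": len(log),
    }
```

Running `demo()` shows the outside packet bound for the LAN is denied and logged only when the catch-all rule is present; with `-P forward ACCEPT` alone it is forwarded.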