Pierre Fortin wrote:
 
> Felix Miata wrote:
 
> OK...  let's move on to the IPmasq stuff...  (changed subject line).
 
> Bryan D Howard <[EMAIL PROTECTED]> wrote:

> > rc.local is, unfortunately, not a good place to start up your
> > firewall.  It runs much too late in the boot process.  It's important
> > to configure ipchains *before* you enable your network interfaces so
> > that there won't be an interval during which you're not protected.

> > The startup script /etc/rc.d/init.d/ipchains which is part of
> > ipchains-1.3.9-6mdk.rpm is set up correctly to be started *before* the
> > network startup script runs.  And, of course, it doesn't shut ipchains
> > down until after shutting down the network interfaces.
 
> Bryan, Felix is using an older distro...  I'm not even sure it has rpm...

Turns out it isn't that old. Kernel date is 15 months ago, v 2.2.14, RHL
6.2. I forgot all about installing it nearly a year ago. Since then I
was using the machine for little more than a DOS EPROM burner.
 
> > > > /sbin/ipchains -P forward DENY
> > > > /sbin/ipchains -A forward -s 192.168.0.0/16  -j MASQ

> > > This is minimal NAT...  you probably want to firewall your network...  There are
> > > probably many different ways to do it; but here's what I used to have...

> > > /etc/rc.d/rc.local:
> > >   #rc.firewall script - Start IPMASQ and the firewall
> > >   /etc/rc.d/rc.firewall

> > So do I put the two ipchains statements into /etc/rc.d/rc.firewall and
> > then discover what else belongs in there by reading the links below?

> > > /etc/rc.d/rc.firewall:
> > > See http://rob.acol.com/~wlug/files/ipchains-firewall/ipchains-firewall.htm
> > > and http://www.linux-firewall-tools.com/

> > What I've read above so far is like reading a command reference manual.
> > Yuck!
 
> Well... you can use the two ipchains statements which provide no protection, or
> you can use the tools to build a firewall (which can contain over 500 lines)...
> I'll send you an old example privately...

So the answer is a qualified yes? IOW, the two statements get me
connected, but with mere NAT for protection until I institute further
precautions based upon your example and the provided links?

As it turns out, I tried what I supposed. It works, with one (two?)
kink(s). Right before boot completes to a prompt, I get an extra prompt
for a root password. Before it got to be that good, preceding the
password prompt was another prompt suggesting I needed to run echo 1 >
/proc/sys/net/ipv4/ip_forward, and giving me a chance to do it. This I
added to /etc/rc.d/rc.firewall.
-- 
A fool gives full vent to his anger, but a wise man keeps himself under
control.                Proverbs 29:11 NKJV

Felix Miata  ***  http://mrmazda.members.atlantic.net/
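An added example, not Felix's rc.firewall nor the 500-line script Pierre mentions: a minimal rc.firewall for a 2.2 kernel with ipchains that goes a step beyond the two MASQ statements discussed above. The interface names (ppp0 toward the Internet, eth0 toward the LAN), the 192.168.0.0/24 block and the DRY_RUN switch are assumptions made for the example. The point it demonstrates is ordering: the chains get a DENY policy before any ACCEPT rule is added, the only holes on ppp0 are non-SYN TCP (replies to connections opened from inside), UDP to the kernel's masquerading port range 61000:65096 (masqueraded UDP replies) and ICMP, and ip_forward is written last, after the forward chain already denies by default. Packets arriving on ppp0 that claim a LAN or loopback source are logged and dropped.

```shell
#!/bin/sh
# rc.firewall: added example, not the script from the thread.
# Assumed settings (hypothetical, not from the original post):
#   EXT_IF  - interface toward the Internet
#   LAN_IF  - interface toward the masqueraded LAN
#   LAN     - the LAN's address block
# DRY_RUN=1 prints what would be done instead of calling ipchains.
EXT_IF="${EXT_IF:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
LAN="${LAN:-192.168.0.0/24}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
DRY_RUN="${DRY_RUN:-0}"

# The rule set, one ipchains argument list per line, in the order it
# must be applied: flush, DENY policies, then the few ACCEPT holes,
# then masquerading.  In the forward chain -i names the outgoing
# interface, so the MASQ rule only fires for LAN traffic leaving on EXT_IF.
firewall_rules() {
    cat <<EOF
-F input
-F forward
-F output
-P input DENY
-P forward DENY
-P output ACCEPT
-A input -i lo -j ACCEPT
-A input -i $LAN_IF -s $LAN -j ACCEPT
-A input -i $EXT_IF -s $LAN -l -j DENY
-A input -i $EXT_IF -s 127.0.0.0/8 -l -j DENY
-A input -i $EXT_IF -p tcp ! -y -j ACCEPT
-A input -i $EXT_IF -p udp --dport 61000:65096 -j ACCEPT
-A input -i $EXT_IF -p icmp -j ACCEPT
-A forward -i $EXT_IF -s $LAN -j MASQ
EOF
}

# Run one rule, or print it when dry-running.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Forwarding is switched on last: enabling it before the forward chain
# has its DENY policy would route LAN traffic unfiltered for a moment.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply every rule in order, then enable forwarding.
apply_firewall() {
    firewall_rules | while read -r rule; do
        run_rule $rule
    done
    enable_forwarding
}

# Invoked as "rc.firewall start" from an init script that runs before
# the network is brought up; DRY_RUN=1 sh rc.firewall start shows the plan.
if [ "${1:-}" = start ]; then
    apply_firewall
fi
```

Because ipchains is stateless, the `! -y` and 61000:65096 holes are approximations of "replies to what we sent", not connection tracking; anything that needs inbound connections (a server behind the box) needs its own explicit ACCEPT rule above the policies' defaults.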

