Again, I know I'm late in this thread, but...

On Tue, 7 Dec 2004, at 11:44am, [EMAIL PROTECTED] wrote:
> I have a simple home network with a combination of machines behind a Linux
> box that's doing NAT/firewall duty. If I rigged that NAT box such that
> it'd allow establishment of no inbound connections of any kind but
> forwarded all outbound connections from any machine behind it (doing NAT
> for all) couldn't I just basically turn off all other firewall functions
> in that NAT box?

What's a firewall? Serious question. Think about it.

A firewall is a device to control network access. It isn't a magic "make the network more secure" box. How much or how little control you want/need/should-have is not a function of the implementation. The kernel doesn't have a big red "firewall" switch; it has tools you can use to various ends. Some of those ends are called a "firewall" by some people. Exactly which get called "firewall" varies depending on who you ask.

Now look at IPTables. IPT includes packet selection, state tracking, and rewriting.

To do simple masquerading (one-to-many dynamic NAT), we use: selection rules to determine which source addresses to masquerade; state tracking to monitor which packets get associated with which connections; rewriting to change the addresses and port numbers accordingly.

To accomplish a standard firewall, we use the selection rules again, of course, to match packets we want or do not want; and the state tracking, to make it possible to say "allow these connections" rather than matching on packet characteristics.

You'll notice that both masquerading and firewalling use the same components for much the same reasons. So how do you disable the "firewall functions" while keeping the masquerading?

You can even get a basic, although fairly restrictive, firewall with just selection rules. You drop everything but TCP, and you only allow TCP packets inbound if they are not SYN (initiation) packets. This is a classic stateless packet filter, and was all we had with kernel 2.2.

> If I rigged that NAT box such that it'd allow establishment of no inbound
> connections of any kind ...

Doesn't that qualify as a firewall policy? A rather typical one at that, in fact. Most of your "SOHO routers" do just that. At least, one hopes they do.

> ... even if I had a fancy set of firewall rules in effect.

Fancy? How about:

    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i $LAN -j ACCEPT
    iptables -A INPUT -m state --state ! ESTABLISHED,RELATED -j REJECT
    iptables -A FORWARD -i $LAN -j ACCEPT
    iptables -A FORWARD -m state --state ! ESTABLISHED,RELATED -j REJECT

That will deny anything inbound you didn't start yourself.

Disclaimer: It's late and I'm tired.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do   |
| not represent the views or policy of any other person or organization.  |
| All information is provided without warranty of any kind.               |

_______________________________________________
gnhlug-discuss mailing list
[email protected]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
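The two policies Ben contrasts above (the kernel 2.2 style stateless filter, and the conntrack-based FORWARD rules) modelled as a small Python simulation. This is an added illustration, not code from the mail or the list; the Packet class, the conntrack set and the sample traffic are constructed here, and NAT rewriting and the RELATED state are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the WAN, "out" = leaving the LAN
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags, ignored for other protocols
    ack: bool = False

def stateless_filter(pkt):
    """Kernel 2.2 style: drop everything but TCP, drop inbound bare SYNs."""
    if pkt.proto != "tcp":
        return "DROP"
    if pkt.direction == "in" and pkt.syn and not pkt.ack:
        return "DROP"
    return "ACCEPT"

def flow_key(pkt):
    # One key per flow in either direction: (proto, LAN addr, LAN port, remote addr, remote port)
    if pkt.direction == "out":
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

class StatefulFilter:
    """Models the FORWARD rules from the mail: accept anything from $LAN,
    REJECT inbound packets that conntrack does not know (RELATED not modelled)."""
    def __init__(self):
        self.conntrack = set()   # constructed stand-in for the kernel conntrack table
    def filter(self, pkt):
        k = flow_key(pkt)
        if pkt.direction == "out":   # -A FORWARD -i $LAN -j ACCEPT; conntrack records the flow
            self.conntrack.add(k)
            return "ACCEPT"
        return "ACCEPT" if k in self.conntrack else "REJECT"   # ! ESTABLISHED -> REJECT

def run(packets):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]

# Constructed sample traffic for LAN host 192.168.1.10 behind the NAT box.
SAMPLE = [
    Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
    Packet("in", "tcp", "203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),
    Packet("in", "tcp", "198.51.100.7", 12345, "192.168.1.10", 22, syn=True),
    Packet("in", "tcp", "198.51.100.7", 12345, "192.168.1.10", 22, ack=True),
    Packet("out", "udp", "192.168.1.10", 5353, "203.0.113.9", 53),
    Packet("in", "udp", "203.0.113.9", 53, "192.168.1.10", 5353),
]
```

Running run(SAMPLE) shows why the stateless filter is "fairly restrictive": it drops the outbound DNS query and its reply outright (not TCP), while an unsolicited inbound ACK-only packet to port 22 sails through it but is rejected by the stateful rules because conntrack has no matching flow.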
