Chuck Gadd wrote:

> I just set up a linux box to do Masquerading.  But I think it's somehow masquerading
> packets from outside the local network!  
> 
> I have been getting a message in the log (and on the local console):
>   kernel: ip_masq_new(proto=UDP): no free ports. 
> 
> And I just got an email from someone claiming that my box is
> port-scanning their machine.
> 
> Putting these two together, I think I've got something bozo'd in the
> masquerading rules.
> 
> I originally had:
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

This looks basically OK.

> I've since added the following in an attempt to prevent spoofing
> of the local network address (where aaa.bbb.ccc.ddd is the "public" ip
> address of this linux box):
> 
> ipfwadm -I -a deny aaa.bbb.ccc.ddd -S 192.168.1.0/24 -D 0.0.0.0/0
> ipfwadm -I -a deny aaa.bbb.ccc.ddd -s aaa.bbb.ccc.ddd -D 0.0.0.0/0

This syntax is bogus. Did you mean to have a -V in there somewhere?

> Am I close? What should I have for my firewall rules? This box has 2
> network cards, one connected to a T1 router, the other one connected
> to a local ethernet network. I want to do normal masquerading of the
> local network, and nothing else should get passed by the firewall.

Your original rules are OK, although I would add an interface
specification, i.e.

        ipfwadm -F -p deny
        ipfwadm -F -a m -S 192.168.1.0/24 -W eth1

(assuming that eth1 is the external interface).

-- 
Glynn Clements <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
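The following is an added illustration, not code from either poster: a small Python model of how an ipfwadm-style input (-I) and forwarding (-F) chain would treat a few constructed packets under the rule sets discussed above. It assumes eth0 is the internal interface and eth1 the external one, that -W on an input rule matches the interface a packet arrived on while -W on a forwarding rule matches the interface it will leave by, and it uses 198.51.100.0/24 (a documentation range) as "the outside". The interesting case is a packet arriving on the external interface with a forged 192.168.1.x source: the masquerade rule alone still matches it, so only the separate input-chain deny rule keeps it out.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"          # local network from the post
EXT = "eth1"                    # assumed external interface (T1 side)
INT = "eth0"                    # assumed internal interface (local ethernet)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str    # interface the packet arrived on
    out_iface: str   # interface the kernel would route it out of


@dataclass(frozen=True)
class Rule:
    action: str                  # "deny", "accept" or "masq" (ipfwadm -a m)
    src: str = ANY               # -S
    dst: str = ANY               # -D
    iface: Optional[str] = None  # -W; None matches any interface

    def matches(self, pkt: Packet, iface: str) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.iface in (None, iface))


@dataclass
class Chain:
    policy: str                  # ipfwadm -p (default when no rule matches)
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # ipfwadm -a: first match wins
        self.rules.append(rule)

    def verdict(self, pkt: Packet, iface: str) -> str:
        for rule in self.rules:
            if rule.matches(pkt, iface):
                return rule.action
        return self.policy


def build(anti_spoof: bool, iface_bound: bool) -> Tuple[Chain, Chain]:
    """Build the input and forwarding chains.

    anti_spoof  -> add 'ipfwadm -I -a deny -S 192.168.1.0/24 -W eth1'
    iface_bound -> masquerade rule carries '-W eth1' (the reply's suggestion)
    """
    inp = Chain("accept")
    fwd = Chain("deny")                      # ipfwadm -F -p deny
    if anti_spoof:
        # Packets claiming a LAN source must never arrive on the external side.
        inp.append(Rule("deny", src=LAN, iface=EXT))
    fwd.append(Rule("masq", src=LAN, iface=EXT if iface_bound else None))
    return inp, fwd


def evaluate(inp: Chain, fwd: Chain, pkt: Packet) -> str:
    """Input chain runs first (against the arrival interface); only packets it
    accepts reach the forwarding chain (checked against the outgoing interface)."""
    if inp.verdict(pkt, pkt.in_iface) == "deny":
        return "deny(input)"
    return fwd.verdict(pkt, pkt.out_iface)


# Constructed sample traffic (not captured data).
LAN_TO_OUTSIDE = Packet("192.168.1.10", "198.51.100.7", INT, EXT)
FORGED_LAN_SRC = Packet("192.168.1.10", "198.51.100.7", EXT, EXT)   # spoofed source, arrives from the T1
OUTSIDE_TO_LAN = Packet("198.51.100.7", "192.168.1.10", EXT, INT)


def compare() -> dict:
    """Verdicts for each sample packet under the original and the hardened rule set."""
    original = build(anti_spoof=False, iface_bound=False)
    hardened = build(anti_spoof=True, iface_bound=True)
    out = {}
    for name, pkt in (("lan_to_outside", LAN_TO_OUTSIDE),
                      ("forged_lan_src", FORGED_LAN_SRC),
                      ("outside_to_lan", OUTSIDE_TO_LAN)):
        out[name] = (evaluate(*original, pkt), evaluate(*hardened, pkt))
    return out


if __name__ == "__main__":
    for name, (orig, hard) in compare().items():
        print(f"{name:15s} original={orig:12s} hardened={hard}")
```

Running it prints one line per sample packet: genuine LAN traffic is masqueraded under both rule sets and unsolicited outside traffic is dropped by the forwarding policy under both, but the forged-source packet is masqueraded by the original rules and only rejected once the input-chain deny rule for the external interface is present.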
