Hi guys,
Using IPFWADM on Linux based on kernel 2.0.3x, I have come up with
rules that could be easily deployed; they are also hosted online at
http://linux.s-one.net.sg
I am not very sure if my script and <firewall> rules will work on the
latest kernel 2.2.x, but I would like you to have a look at it.
Here goes:
#!/bin/sh
# Start of IPFWADM rules by Moonshi Mohsenruddin
# <[EMAIL PROTECTED]> and <[EMAIL PROTECTED]>
#
# Write this file to /etc/rc.d/rc.firewall
# and link it to /etc/rc.d/init.d/runlevel
#
# If it is a success, pls email me.
# Thank you!

# Interface names are assumptions, adjust them to your machine: EXTIF is the
# interface facing the Internet, INTIF the one facing the private network.
# (The original rules used eth0 for both, which made the anti-spoofing deny
# rule shadow the accept rule for the private network.)
EXTIF=eth0
INTIF=eth1
# 192.168.1.x below is a placeholder for the address of the server concerned;
# with the /24 mask as written, the rule matches the whole private network.

# Default policy for forwarded packets: deny whatever is not explicitly allowed.
# Only the forwarding policy is set here; the input and output chains keep
# their default policy (accept), so the -I accept rules below do not restrict
# anything until an "ipfwadm -I -p deny" policy is set as well.
/sbin/ipfwadm -F -p deny
# Flush all forwarding rules
/sbin/ipfwadm -F -f
# Flush all incoming rules
/sbin/ipfwadm -I -f
# Flush all outgoing rules
/sbin/ipfwadm -O -f
# Anti-spoofing: drop packets arriving from the Internet that claim
# a private-network source address
/sbin/ipfwadm -I -a deny -S 192.168.1.0/24 -W $EXTIF
# Masquerade all private hosts to the Internet
/sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
# Accept traffic from our private network on the internal interface
/sbin/ipfwadm -I -a accept -S 192.168.1.0/24 -W $INTIF
# Allow DNS replies (source port 53) to our private network; ipfwadm takes
# the list of destination ports after a single -D
/sbin/ipfwadm -I -a accept -P udp -S 0.0.0.0/0 53 \
    -D 0.0.0.0/0 53 1024:65535
# Accept incoming HTTP requests for the web server
/sbin/ipfwadm -I -a accept -P tcp -D 192.168.1.x/24 80
# Accept incoming SMTP connections for the mail server
/sbin/ipfwadm -I -a accept -P tcp -D 192.168.1.x/24 25
# Accept incoming POP3 connections for the POP3 server
/sbin/ipfwadm -I -a accept -P tcp -D 192.168.1.x/24 110
# Accept incoming SSH connections for the SSH server
/sbin/ipfwadm -I -a accept -P tcp -D 192.168.1.x/24 22
# Input rule for Internet -> me for the active-mode FTP data connection
# (masqueraded): server port 20 to a client ephemeral port
/sbin/ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 20 \
    -D 192.168.1.0/24 1024:65535
# Output rule for the FTP data connection
/sbin/ipfwadm -O -a accept -P tcp -S 0.0.0.0/0 20 \
    -D 192.168.1.0/24 1024:65535
# Incoming rule for the FTP server (control connection)
/sbin/ipfwadm -I -a accept -P tcp -D 192.168.1.x/24 21
# Proxy rule for a Squid server (if there is any). Squid is TCP, and ipfwadm
# only accepts port numbers together with -P tcp or -P udp, not -P all
/sbin/ipfwadm -I -a accept -P tcp -S 0.0.0.0/0 3128 \
    -D 192.168.1.x/24 1024:65535
--
Cheers!
Moonshi Mohsenruddin
Technical Services Manager, Telford Solutions Pte Ltd
Member, Linux User Group Singapore (LUGS)
Editor, Singapore Linux Portal (SLP)
_______________________________________________
58 Sembawang Road #01-03 Hong Heng Mansions
Singapore 779087
Tel :+(65) 454-3118 Fax: +(65)454-0089
Mobile :+(65)9745-2310 ICQ:2595480
Email : [EMAIL PROTECTED], [EMAIL PROTECTED]
Url : www.telfordgroup.com ; http://linux.s-one.net.sg
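As an added illustration (not part of the original post, and not the kernel's ip_masq_ftp code), the following toy Python model shows what Glynn's explanation below and the port-20 data-connection rules above rely on: in active-mode FTP the client sends a PORT command naming its own private address and an ephemeral port, and the server then opens the data connection back to it, so a masquerading host can only carry that connection if a helper rewrites the PORT command and pre-opens the inbound mapping. PUBLIC_IP, the Masquerader class, the port numbers and the client address 192.168.1.10 are constructed for the example.

```python
import re

PUBLIC_IP = "203.0.113.1"   # constructed: the masquerading host's Internet address
def parse_port_cmd(line):
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port), or None."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", line)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])
def make_port_cmd(ip, port):
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)

class Masquerader:
    """Toy stateful masquerader: LAN-initiated flows are remembered, and with
    the helper enabled so are the server->client data flows announced by PORT."""
    def __init__(self, ftp_helper):
        self.ftp_helper = ftp_helper
        self.nat = {}        # public port -> (private ip, private port)
        self.expected = {}   # same, for data connections the server will open
        self.next_port = 61000
    def _alloc(self, table, priv_ip, priv_port):
        pub_port, self.next_port = self.next_port, self.next_port + 1
        table[pub_port] = (priv_ip, priv_port)
        return pub_port
    def outbound(self, priv_ip, priv_port, dst_port, payload=""):
        """LAN client -> Internet. Returns (public port, payload as the server sees it)."""
        pub_port = next((p for p, e in self.nat.items() if e == (priv_ip, priv_port)), None)
        if pub_port is None:
            pub_port = self._alloc(self.nat, priv_ip, priv_port)
        announced = parse_port_cmd(payload)
        if announced and dst_port == 21 and self.ftp_helper:
            # ip_masq_ftp-style rewrite: advertise the public address instead of
            # the private one and pre-open a mapping for the data connection
            payload = make_port_cmd(PUBLIC_IP, self._alloc(self.expected, *announced))
        return pub_port, payload
    def inbound(self, dst_ip, dst_port):
        """Internet -> firewall. Returns the LAN endpoint, or None if dropped."""
        if dst_ip != PUBLIC_IP:
            return None      # a private address leaked in PORT cannot be reached from outside
        return self.nat.get(dst_port) or self.expected.pop(dst_port, None)

def active_ftp_ls(ftp_helper):
    """The 'ls' step of active-mode FTP: the client announces a data port with
    PORT and the server connects back. None means 'Can't build data connection'."""
    fw = Masquerader(ftp_helper)
    fw.outbound("192.168.1.10", 1025, 21)                      # control connection
    _, seen = fw.outbound("192.168.1.10", 1025, 21, make_port_cmd("192.168.1.10", 1024))
    return fw.inbound(*parse_port_cmd(seen))                   # what the server dials
```

Without the helper the server is told to dial 192.168.1.10:1024, which it cannot reach; with it the server dials the public address and the data connection is mapped back to the client, which is the same flow the port-20 input rule above has to admit.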
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Denis Chapligin
> Sent: Wednesday, July 28, 1999 4:53 PM
> To: Glynn Clements
> Cc: [EMAIL PROTECTED]
> Subject: RE: ip_masq_ftp is not working
>
> Hi
>
> On Wed, 28 Jul 1999, Glynn Clements wrote:
>
> > > > > I just had this same problem. I remembered I had seen a post having
> > > > > to do with this, and here I am. When I ftp using the Windows 98 FTP
> > > > > command, I get this error when typing ls at the command line:
> > > > >
> > > > > Can't build data connection: no PORT specified
> > > > >
> > > > > Here is what I have found about IP Masquerading. When making a
> > > > > connection, the person behind the firewall must make the initial
> > > > > connection. Because of this, the ftp logs in to the remote system
> > > > > just fine (you initiated the connection). When you type ls, the FTP
> > > > > server tries to open up an ftp-data port back to you, but it doesn't
> > > > > work! Why? Because, like I said, you must initiate the initial
> > > > > connection. How do you do this? I don't know.
> > > >
> > > > Sounds like you've forgotten to load the ftp masquerading module.
> > > >
> > > > # modprobe ip_masq_ftp
> > > >
> > > > should solve it.
> > >
> > > ip_masq_ftp is loaded okay. But it doesn't work.
> >
> > Do you have any firewall rules which would block inbound TCP
> > connections to ephemeral ports? If so, then you will have to use
> > passive (PASV) mode instead (where the client creates the data
> > connection).
> >
> I have only one rule, that disables outgoing connections to port 80 on any
> host. And my client software does not support passive mode :(
>
> Denis Chapligin
>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]