/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
Bruno Melloni <[EMAIL PROTECTED]> wrote:
>
> In my configuration the masquerading/firewalling is done on the same
> Linux server that handles all my internal functionality, as well as
> external DNS, http, ftp, etc. I expected that with the above policies
> all internet-originated traffic would be blocked, but found that I can
> still use telnet, DNS, etc from the internet.
The masquerade code is not a firewall, exactly. It is a many-to-one IP
mapping system. There is nothing inherently firewalling about this
setup, except that the many IP's are usually unreachable because of
routing issues, hence the desire for masq in the first place.
However, masqing and firewalling are similar enough that masq uses the
ipchains firewall mechanism as its configuration utility, and it
piggybacks on some of the internal functions, because it's convenient. As
such, while enabling masq requires you to also enable firewalling, just
setting up masq does NOT set up any particular firewall, other than the
natural protection that the hidden LAN retains.
> Is this an indication that the ipchains policies only apply to traffic
> between the inside and outside network and not to the firewall machine
> itself?
Yes, because the only rules that you added were to the "forward"
ruleset. Those rules only govern traffic that is being FORWARDED
through the machine, from one interface to the other.
> Or is it just that I have to delve deep into all the ipchains options
> and put in better and more specific policies?
You will find that true firewalling, where you block traffic to your
machine and/or network, is accomplished with the "input" ruleset. This
governs all traffic that attempts to enter the machine, including
forwarded traffic, masqueraded traffic, even some locally-generated
traffic. As such, you can easily make your networking completely
unusable by setting this up wrong. :)
You will also find that setting up a strong firewall is a tricky
business, because it is not always obvious what types of traffic you can
allow or deny to make it work the way your users (and you) want it to.
Initially I set up a "weak" firewall. This was a firewall that
permitted most any type of traffic, and then I would set up rules to
deny particular traffic (ftp, telnet, NFS, RPC, SMB) that I knew I would
not want to see from the Internet. This wasn't too hard, and worked
well.
Later, I set up a "strong" firewall, which denied everything, and then
explicitly set up rules to allow the traffic I want. If you try to do
this, you will run into some trouble, and find applications that don't
work, and it will take some study to find out what they are, and why
they don't work. You will also have to make compromises. For instance,
if you set up to allow ftp, you have to pretty much allow any arbitrary
TCP traffic in a non-root port range. But you can still make a stronger
firewall than the "weak" one I describe above.
If you're looking for ready-made firewall solutions, I believe TrinityOS
has some useful tips on this subject. I think the firewall setup there
matches closely with the "weak" firewall I describe above, using an
allow-all, deny-some methodology. The archives will also show you some
other solutions, which I have not investigated, because I prefer to roll
my own firewall by hand. :)
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
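The two rulesets the reply describes, as an added example that is not part of the original post or the poster's own configuration: an "input" chain that governs traffic addressed to the masquerading host itself (the chain Bruno's forward-only rules never touched), built once as the "weak" allow-all/deny-some firewall and once as the "strong" deny-all/allow-some firewall, including the non-SYN high-port compromise the post mentions. The interface names (eth0 outside, eth1 inside), the addresses 203.0.113.10 and 192.168.1.0/24, and the choice of DNS and HTTP as the exposed services are assumptions for illustration. By default the script only echoes the ipchains commands so they can be reviewed; set IPCHAINS=ipchains to apply them on a 2.2-era kernel.

```shell
#!/bin/sh
# Added example (not from the original post). Builds ipchains "input" rules
# for a masquerading host, contrasting the weak and strong policies.
#
# ASSUMPTIONS (not from the post): eth0 is the Internet side with address
# 203.0.113.10, eth1 is the LAN side serving 192.168.1.0/24, and the only
# services to expose outward are DNS (53/udp, 53/tcp) and HTTP (80/tcp).
# IPCHAINS defaults to "echo ipchains" so the commands are printed, not run.

IPCHAINS="${IPCHAINS:-echo ipchains}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

run() { $IPCHAINS "$@"; }

# Shared part: flush, masquerade LAN -> Internet on the forward chain, and
# refuse packets claiming a LAN source on the outside interface (spoofing).
# Note that nothing here restricts traffic addressed to the host itself;
# that is the job of the input chain below.
common_rules() {
    run -F input
    run -F forward
    run -P output ACCEPT
    run -P forward DENY
    run -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ
    run -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
}

# "Weak" firewall: accept by default, then deny the services the post lists
# (ftp, telnet, NFS, RPC, SMB) when they arrive from the Internet.
weak_firewall() {
    common_rules
    run -P input ACCEPT
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 21 -j DENY -l
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 23 -j DENY -l
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 111 -j DENY -l
    run -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 111 -j DENY -l
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 2049 -j DENY -l
    run -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 2049 -j DENY -l
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 137:139 -j DENY -l
    run -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 137:139 -j DENY -l
}

# "Strong" firewall: deny by default, then allow only what is wanted.
strong_firewall() {
    common_rules
    run -P input DENY

    # Loopback and the internal LAN are trusted.
    run -A input -i lo -j ACCEPT
    run -A input -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

    # Services this host offers to the Internet.
    run -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 53 -j ACCEPT
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 53 -j ACCEPT
    run -A input -i "$EXT_IF" -p tcp -d "$EXT_IP" 80 -j ACCEPT

    # The compromise: ipchains has no connection tracking, so replies to
    # connections opened from here (ftp data, web browsing) can only be
    # recognised as "TCP that is not a SYN" ("! -y") to an unprivileged port.
    run -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT_IP" 1024:65535 -j ACCEPT
    # UDP replies to masqueraded LAN clients return to the masq port range
    # (61000-65096 on 2.2 kernels); anything else UDP stays denied.
    run -A input -i "$EXT_IF" -p udp -d "$EXT_IP" 61000:65096 -j ACCEPT

    # ICMP for path MTU and error reporting, then log and drop the rest.
    run -A input -i "$EXT_IF" -p icmp -j ACCEPT
    run -A input -i "$EXT_IF" -j DENY -l
}

case "${1:-strong}" in
    weak) weak_firewall ;;
    *)    strong_firewall ;;
esac
```

Running the script with no arguments prints the strong ruleset; `sh firewall.sh weak` prints the weak one. The point to check after applying either set on a real host is the one from the reply: `ipchains -L input -n` is what decides whether telnet or DNS from the Internet reaches the box, not `ipchains -L forward -n`.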
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.