/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
Matthew Ramsay <[EMAIL PROTECTED]> wrote:
>
> No restrictions to the other machines can be setup as follows:
> ipfwadm -I -a accept -V 192.168.0.1 -P all -S 0.0.0.0/0 -D 0.0.0.0/0
This says that you'll accept anything that comes from your internal
machines. Since that's the default, I'm not sure why you feel the need
to make it explicit?
> ipfwadm -F -a m -S 192.168.0.1/32 -D 0.0.0.0/0
This means traffic will only be forwarded and masqueraded if it comes
from 192.168.0.1. Since that's your firewall box's IP, and it's not
going to try to forward through itself, this rule does nothing. I would
be rather surprised to learn that your clients are working properly with
this config.
ipfwadm -F -a masq -S 192.168.0.0/24 -D 0.0.0.0/0
This would be more correct, in my view.
> If I want to block all access to the other machines it would be as follows:
> ipfwadm -I -a reject -S 192.168.0.1/32 -D 0.0.0.0/0
Well, actually... your client boxes are all on a non-routed private
network. They are *already* blocked from the rest of the net, because
their IPs are largely unreachable by most of the net. A determined
hacker *could*, I suppose, try to forward packets directly to your
machine, and make them look like they are destined for one of your
192.168.0.x addresses, but if you set your forwarding policy to default
reject, those packets won't get through.
Your rule as given only rejects packets that appear to be coming from a
source of 192.168.0.1, and since that's your masq box's IP, this rule
probably will not see any traffic that matches.
If you still wanted to be certain you don't see any private-LAN traffic
coming in, you'd use a rule like this:
ipfwadm -I -i reject -S 192.168.0.0/24 -D 0.0.0.0/0
But this would also prevent your client boxes from talking to you over
the internal LAN! So you would need to add a qualifier that identifies
the external interface. If that interface is, say, ppp0, your working
rule would look like this:
ipfwadm -I -i reject -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
Make sense? Note that I have used "-i" to put the rule at the top of
the set. This makes sense for restrictive rules like these.
> ipfwadm -I -f
> ipfwadm -I -p accept
> ipfwadm -O -f
> ipfwadm -O -p accept
> ipfwadm -F -f
> ipfwadm -F -p accept
These policies are all the defaults. Input and output policies can be
accept, if you want, but you should try to install some restrictive
rules on the input ruleset, if you want good firewalling.
The forward ruleset should have a default policy of reject, in my
opinion. You want to be explicit about what forwarding you allow.
> And if I simply want to block certain ports to the other machines (say 25, 80,
> 110) I would do the following:
> ipfwadm -I -i reject -P tcp -S 0/0 -D 192.168.0.1/32 25 80 110
Here, it's not clear what you're trying to do. Are you trying to
prevent machines on the external net from reaching those ports on your
firewall? Are you trying to keep machines inside your LAN from reaching
those ports on external hosts?
Your rule, as written, only prevents traffic that tries to talk to your
*internal* LAN interface. Since you're masquerading, presumably you
have an *external* interface, and you'd like to deny traffic talking to
that interface's ports. That is the most common firewalling setup.
If you have a dynamic IP address, hard-coding the IP into your firewall
rules is not going to work. Instead, you can simply encode the
interface in the rules, and it will work just as well. Again following
my above example:
ipfwadm -I -i reject -W ppp0 -P tcp -S 0/0 -D 0/0 25 80 110
Note that you might also want to add "-o" to these rules, so that
attempts to contact these ports are logged.
> And lastly, if one of the other machines has an IP address of 192.168.0.123 I
> could block certain ports via:
> ipfwadm -I -i reject -P tcp -S 0/0 -D 192.168.0.123/32 25 80 110
Again, this is an unlikely scenario, because an external machine trying
to reach your internal net would be stopped (a) by the natural firewall
that comes from using non-routeable IP addresses, and (b) because your
masq box should refuse to forward the traffic in the first place.
> Is this all correct? Am I missing something?
Is this all just conceptual thinking, or is there some configuration
that you're having trouble getting working?
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Just about every computer on the market
sometimes known as David DeSimone || today runs Unix, except the Mac (and
http://www.dallas.net/~fox/ || nobody cares about it). -- Bill Joy '85
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
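To make the matching argument in the reply above concrete, here is an added example that is not part of the original thread and is not ipfwadm itself: a small Python model of an ipfwadm input chain (default policy, `-a` append versus `-i` insert at the top, `-S`/`-D` networks, `-P tcp`, `-W` interface and a destination port list). It loads the poster's input rules and the corrected ones from the reply, then runs four constructed packets through both chains. The interface names `ppp0` and `eth0` come from the thread; the external address `203.0.113.7` for the firewall and the remote host `198.51.100.9` are assumed documentation addresses chosen for the example.

```python
"""Toy model of ipfwadm input-chain matching (added example, not ipfwadm)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Dict


@dataclass
class Packet:
    iface: str                       # interface the packet arrived on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    policy: str                      # "accept" or "reject"
    src: ipaddress.IPv4Network       # -S
    dst: ipaddress.IPv4Network       # -D
    proto: str = "all"               # -P (all or tcp)
    iface: Optional[str] = None      # -W: only packets on this interface
    ports: Tuple[int, ...] = ()      # destination ports listed after -D
    log: bool = False                # -o: log matching packets (not modelled)

    def matches(self, pkt: Packet) -> bool:
        if self.iface and pkt.iface != self.iface:
            return False
        if self.proto != "all" and pkt.proto != self.proto:
            return False
        if pkt.src not in self.src or pkt.dst not in self.dst:
            return False
        if self.ports and pkt.dport not in self.ports:
            return False
        return True


class Chain:
    def __init__(self, default: str = "accept"):
        self.default = default       # ipfwadm -I -p <policy>
        self.rules = []

    def append(self, rule: Rule):    # ipfwadm -I -a ...
        self.rules.append(rule)

    def insert(self, rule: Rule):    # ipfwadm -I -i ... (goes to the top)
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:      # first match wins
            if rule.matches(pkt):
                return rule.policy
        return self.default


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def posters_input_chain() -> Chain:
    """The quoted rules from the original post, as written."""
    c = Chain("accept")
    # ipfwadm -I -a reject -S 192.168.0.1/32 -D 0.0.0.0/0
    c.append(Rule("reject", net("192.168.0.1/32"), net("0.0.0.0/0")))
    # ipfwadm -I -i reject -P tcp -S 0/0 -D 192.168.0.1/32 25 80 110
    c.insert(Rule("reject", net("0.0.0.0/0"), net("192.168.0.1/32"),
                  proto="tcp", ports=(25, 80, 110)))
    return c


def suggested_input_chain() -> Chain:
    """The corrected rules from the reply, keyed on the external interface."""
    c = Chain("accept")
    # ipfwadm -I -i reject -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
    c.insert(Rule("reject", net("192.168.0.0/24"), net("0.0.0.0/0"), iface="ppp0"))
    # ipfwadm -I -i reject -o -W ppp0 -P tcp -S 0/0 -D 0/0 25 80 110
    c.insert(Rule("reject", net("0.0.0.0/0"), net("0.0.0.0/0"), proto="tcp",
                  iface="ppp0", ports=(25, 80, 110), log=True))
    return c


# Constructed sample packets; 203.0.113.7 and 198.51.100.9 are assumed addresses.
A = ipaddress.ip_address
SAMPLE_PACKETS: Dict[str, Packet] = {
    "spoofed_lan_src_on_ppp0": Packet("ppp0", A("192.168.0.55"), A("192.168.0.1"), "tcp", 139),
    "lan_client_on_eth0":      Packet("eth0", A("192.168.0.55"), A("192.168.0.1"), "tcp", 139),
    "external_smtp_on_ppp0":   Packet("ppp0", A("198.51.100.9"), A("203.0.113.7"), "tcp", 25),
    "external_ssh_on_ppp0":    Packet("ppp0", A("198.51.100.9"), A("203.0.113.7"), "tcp", 22),
}


def verdicts(chain: Chain) -> Dict[str, str]:
    """Run every sample packet through the chain and return name -> verdict."""
    return {name: chain.verdict(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, chain in (("poster", posters_input_chain()),
                         ("reply", suggested_input_chain())):
        for name, v in verdicts(chain).items():
            print(f"{label:7} {name:26} {v}")
```

The run shows the reply's point directly: the poster's chain accepts all four packets, because `-S 192.168.0.1/32` and `-D 192.168.0.1/32` only describe the masq box's own internal address. The corrected chain rejects the spoofed 192.168.0.x packet and the SMTP probe arriving on `ppp0`, while the same LAN packet on `eth0` and the SSH packet still pass, which is exactly what the `-W ppp0` qualifier and the port list buy you.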