Stephen Mills <[EMAIL PROTECTED]> wrote:
>
> This may sound stupid, but I'd like to lock down port 80 on one of my
> installations.

That's what a firewall is for.  :)

> /sbin/ipfwadm -F -p deny
> /sbin/ipfwadm -F -a m -S128.100.0.50/16 -D0.0.0.0/0
> /sbin/ipfwadm -F -P tcp -a reject -W eth0 -S 128.100.0.50/16 -D 0.0.0.0/0 80 -o

This is close, but I think you want to use -i instead of -a on that last
line, or, put the masq line after the reject line.

> IP firewall forward rules, default policy: deny
> type  prot source               destination          ports
> acc/m all  net.utoronto.ca/16   anywhere             n/a
> rej   tcp  net.utoronto.ca/16   anywhere             any -> http

You can see what's happening:  The packet needs to be forwarded; the
kernel searches for a matching rule from the top of the list; as soon as
it sees the masq rule, it matches, so the search ends.

If you put the port-80 rule first, then it will stop the packet from
being forwarded.

> Secondly, (this is pushing it I know) is it possible to only let
> certain users use port 80??

Sure.  It's just an extension of the above.  Give the firewall a rule
that tells it to pass on port-80 packets from certain addresses.  Just
make sure the rule comes before the generic rule that denies them.

    /sbin/ipfwadm -F -p deny
    /sbin/ipfwadm -F -P tcp -a masq -W eth0 -S 128.100.1.2/32 -D 0.0.0.0/0 80
    /sbin/ipfwadm -F -P tcp -a masq -W eth0 -S 128.100.1.3/32 -D 0.0.0.0/0 80
    /sbin/ipfwadm -F -P tcp -a masq -W eth0 -S 128.100.1.4/32 -D 0.0.0.0/0 80
    /sbin/ipfwadm -F -P tcp -a reject -W eth0 -S 128.100/16   -D 0.0.0.0/0 80 -o
    /sbin/ipfwadm -F -a masq -S 128.100/16 -D 0/0

It's easy once you realize that the list is searched from top to bottom,
and that masquerading is just a particular behavior that's triggered by
a firewall rule.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      ||   "Her lips said 'No,' but her
sometimes known as David DeSimone  ||    eyes said 'Read my lips!'"
  http://www.dallas.net/~fox/      ||
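An added example, not from the original message or from ipfwadm itself: a small Python first-match simulator for the forward chain that runs the two rule orderings quoted above and shows why the order matters. It assumes the interface (-W eth0) and -o logging flag can be ignored, writes the abbreviated 128.100/16 as 128.100.0.0/16, and uses a constructed outside destination 192.0.2.10.

```python
import ipaddress

DEFAULT_POLICY = "deny"  # from: /sbin/ipfwadm -F -p deny


def rule(action, src, dst="0.0.0.0/0", proto="all", dport=None):
    """One forward rule; proto 'all' and dport None match any packet.
    The -W interface and -o logging options are ignored in this model (assumption)."""
    return {"action": action,
            "src": ipaddress.ip_network(src, strict=False),  # 128.100.0.50/16 -> 128.100.0.0/16
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto, "dport": dport}


def forward(rules, src, dst, proto, dport):
    """Decide a packet's fate the way the kernel does: scan from the top,
    the first matching rule wins; if nothing matches, the default policy applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r["src"] and d in r["dst"]
                and r["proto"] in ("all", proto)
                and r["dport"] in (None, dport)):
            return r["action"]
    return DEFAULT_POLICY


# The ordering from the quoted post: generic masq rule listed before the reject.
ORIGINAL = [
    rule("masq", "128.100.0.50/16"),
    rule("reject", "128.100.0.50/16", proto="tcp", dport=80),
]

# The ordering suggested in the reply: per-host port-80 masq, then reject, then generic masq.
CORRECTED = [
    rule("masq", "128.100.1.2/32", proto="tcp", dport=80),
    rule("masq", "128.100.1.3/32", proto="tcp", dport=80),
    rule("masq", "128.100.1.4/32", proto="tcp", dport=80),
    rule("reject", "128.100.0.0/16", proto="tcp", dport=80),
    rule("masq", "128.100.0.0/16"),
]

if __name__ == "__main__":
    OUT = "192.0.2.10"  # constructed destination outside the masqueraded net
    for name, chain in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "128.100.1.2 -> tcp/80:", forward(chain, "128.100.1.2", OUT, "tcp", 80))
        print(name, "128.100.1.9 -> tcp/80:", forward(chain, "128.100.1.9", OUT, "tcp", 80))
        print(name, "128.100.1.9 -> tcp/443:", forward(chain, "128.100.1.9", OUT, "tcp", 443))
```

In the original ordering every packet from the /16 hits the masq rule first, so the port-80 reject is never reached; in the corrected ordering only the three listed hosts get port 80 and everything else on port 80 is rejected while other traffic is still masqueraded.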