Hi everybody,

First I thank
David <[EMAIL PROTECTED]> ,
Fuzzy <[EMAIL PROTECTED]> and
Lourdes <[EMAIL PROTECTED]>
for their explanations.

I'm sorry for some of you, but maybe I will be a bit boring.
In fact, in spite of all your explanations,
all the things related to the rules -F -I -O are still
not very clear to me.
I'd like to ask you other questions so that we can
arrive at a perfectly clear and easy definition for these points.
Maybe this will help everybody to clarify their thoughts
(and mine first ;-) )

So this mail will be in two parts: first I will comment on
the explanations of David, Fuzzy and Lourdes.
In the second part, I will try to summarize this topic.
Then send me your comments.
This will be helpful to everybody.

---------------------------------------------------
Part one:
~~~~~~~~~
        From David A. Ranch's email:

> - All interfaces (any network cards, the localhost
> interface, etc) on a Linux box have INPUT, OUTPUT,
> and FORWARD rules.
So does that mean I have to write -I rules AND -O rules
for BOTH NICs???


> After that original email, I've updated it a little more.
> See below:
(Don't forget to update the website too; last update: 10/12/99)


        From Lourdes A. Jones's email:

He helped me a lot to clarify this previous mechanism.


> > /sbin/ipfwadm -F -a m -S 192.168.0.7/32 -D 0.0.0.0/0
> > ###### THIS WORK FINE BUT ALLOWS ALL ACCESS FOR THIS IP
> Actually it just means that you are masqing all forwards from that machine.
> You've said nothing about return traffic from the internet one way or
> another.  And you haven't specified what your output rules are.  (hint: you
> go through output rules before you go through forwards rules)
So you mean forward rules are led by the output ones?
Can you explain the way -F works?
Can I have the same forwarding behaviour with
the rules -I & -O?

> > #/sbin/ipfwadm -F -a accept -b -P tcp -S 192.168.0.7/32 80 -D
> > 0.0.0.0/0
> > 1024:65535
> > ###### BUT THIS DOESN'T WORK !!!
> > ###### AND THIS EXACTLY THE LINE I FOUND IN THE HOWTO !!!
> Which HOWTO are you referring to?  I can't find a match to your rule in the
> IP Masquerade mini HOWTO.
From the French Firewall-HOWTO translated by B. Choppy.
This rule would allow web connections to an external web server.

        From Fuzzy Fox's email:

> I don't recall the web site that has a picture diagram showing the
> relationship, but it's basically this:
Maybe the TrinityOS ... ;-)

> If the packet is to be forwarded, it is passed through the
> FORWARD ruleset.
I'm starting to get very confused: when do I know
a packet has to be forwarded?

> From the above, you can see that a packet which is being forwarded
> through your masq box will be passed by all three rulesets:  Through
> INPUT when it comes in, through FORWARD when it gets forwarded, and
> through OUTPUT when it goes out.
Very confused...
Does that mean the -F rules lead the packets' behaviour
between my 2 NICs in the Linux box??


---------------------------------------------------
Part 2:
~~~~~~~

We know from the TrinityOS document that to build
a reliable filtering firewall, we have to consider
the 5 following rule sets:

- Incoming traffic on the internal LAN.
        Traffic from private hosts to the Linux box on the internal NIC.
        So any traffic from the external NIC with one of my private
        addresses is IP spoofing.
- Incoming traffic on the external LAN.
        Traffic from the world to the Linux box.
        This one is very important in terms of security.
- Outgoing traffic on the internal LAN.
        Traffic from my Linux box to the private LAN.
        In the same way, all traffic toward the private LAN
        from the external NIC is spoofing.
- Outgoing traffic on the external LAN.
        Traffic from the Linux box to the world.
        What do I want my Linux box to answer to?
- Forwarding traffic from the internal LAN.
        ?????????
(and then come the rules for the trusted hosts
and the ones for port forwarding...)

Other well-understood points:
Because:
"
> Just to clarify a little - by default TCP/IP uses high ports 1024:65535 when
> talking to any low port 0:1023.  (In practice the linux kernel only uses
> ports 1k:32k).
"
..., I have to enable high ports for input rules if I want
the telnet I do on an external box to work.
And in the same way I have to enable high ports for
output rules if I want the telnet people do on
my internal box to work!!
And this is the same for all TCP traffic.


Thanks for reading...
Have a nice weekend (in Cairo it's Friday and Saturday!)

Marc Cassuto.
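
A toy model of the packet path the mail keeps asking about, added here as an illustration (it is not code from the mail, from TrinityOS or from ipfwadm): a Python sketch of a two-NIC box where every packet first meets the -I rules on the NIC it arrives on, the routing decision then decides whether the packet is for the box itself or is to be forwarded, and only forwarded packets meet the -F rules and then the -O rules on the NIC they leave by, in the INPUT, FORWARD, OUTPUT order Fuzzy describes. The NIC names, addresses and the rules themselves are constructed assumptions, and demasquerading of return traffic is not modelled.

```python
from ipaddress import ip_address, ip_network

INT_IF, EXT_IF = "eth0", "eth1"            # assumed NIC names: eth0 = private LAN, eth1 = world
PRIVATE = ip_network("192.168.0.0/24")      # the internal LAN from the mail
LOCAL = {"192.168.0.1", "203.0.113.5"}      # the box's own addresses (constructed sample values)

def is_private(ip):
    return ip_address(ip) in PRIVATE

def input_chain(p):
    """-I rules: the first thing a packet meets, on the NIC it arrives on."""
    if p["iface"] == EXT_IF and is_private(p["src"]):
        return "deny: private source arriving on the external NIC (spoofing)"
    if p["iface"] == INT_IF and not is_private(p["src"]):
        return "deny: non-private source arriving on the internal NIC"
    if p["iface"] == EXT_IF and p["dport"] < 1024:
        return "deny: world talking to a low port (only high-port replies come back in)"
    return "accept"

def forward_chain(p):
    """-F rules: seen only by packets the routing decision sends out the other NIC."""
    if p["iface"] == INT_IF and is_private(p["src"]):
        return "accept: masquerade traffic from the private LAN"
    return "deny: only the internal LAN may be forwarded"

def output_chain(p, out_if):
    """-O rules: checked on the NIC the packet leaves by."""
    if out_if == INT_IF and not is_private(p["dst"]):
        return "deny: non-private destination leaving the internal NIC"
    if out_if == EXT_IF and is_private(p["dst"]):
        return "deny: private destination leaking to the world (spoofing)"
    return "accept"

def traverse(p):
    """Return the (chain, verdict) steps one packet goes through; stops at the first deny."""
    steps = [("INPUT", input_chain(p))]
    if not steps[-1][1].startswith("accept"):
        return steps
    # Routing decision: a packet addressed to one of our own addresses is delivered
    # locally and never sees -F or -O; anything else is a forwarded packet.
    if p["dst"] in LOCAL:
        return steps + [("LOCAL", "delivered to the Linux box itself")]
    out_if = INT_IF if is_private(p["dst"]) else EXT_IF
    steps.append(("FORWARD", forward_chain(p)))
    if not steps[-1][1].startswith("accept"):
        return steps
    steps.append(("OUTPUT", output_chain(p, out_if)))
    return steps
```

Feeding it the web request from 192.168.0.7 in the mail (arriving on eth0, bound for a public address on port 80) walks all three chains, while the same private source address arriving on eth1 is stopped by the spoofing rule in INPUT alone.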

