Hi Leonard

On Wed, 29 Nov 2000, Leonard den Ottolander wrote:

>               Hello Charles,
> 
> > Since I'm only interested in packets that would be routed to me,
> > can I use a.b.c.136/30 as a destination (-d)? I ask because I'm not
> > 100% sure if this renders 136 and 139 useless since they are the
> > network and broadcast addresses for this subnet.
> 
>  Sadly, you lose two addresses if you try subnetting. (You should have gotten 
> yourself an 8 IP range ;) ). 

I just may :) 

> With your first setup you'd have to route the subnet address(es), but
> your ISP does not route to your gateway, but to the specified
> addresses.

Ah ha. now you're onto something. This is the bit I don't understand. 

I have been using a single IP and NAT and a bit of port forwarding to
internal machines for a while now. I'm very comfortable with that.
Recently I picked up the extra IPs, and have done aliasing of multiple IPs
on a single interface, but all the IPs on the same machine.

Now, with my new [planned] setup I am obviously confused! How would I get
my ISP to route to my gateway? What IP would it need to be (I'm assuming
136), or does it not matter? 

>  By the way, you can't set an interface address to a range. I guess
> you'll end up aliasing the external interface of the gateway with the
> 4 IP addresses and forwarding the necessary ports.

yes, I understand this. This is what I have been doing up until now, at
least for http. This is why I was asking if there are issues with ftp
(both client and server) doing it this way. I may very well end up doing
this, but doesn't this defeat the point of having a DMZ then?

>                                       Bye,
> 
>                                       Leonard.
> 
>  P.S. For the ipchains rules you can use the network/netmask pair, as you 
> probably usually do.

ok, this was probably the crux of my questions. Just to be clear, are you
saying that *yes* I can do this and the rule will apply to all 4 IPs?

ipchains -A input -i eth1 -y -p TCP -d a.b.c.136/30 \
    --destination-port :1023 -j DENY -l

This is specifically for the interface to the world on my firewall.

I'll tell you why I got into this. I setup a rule like this to deny all
traffic to ports below 1024 and log them. I inserted rules in front of
this to allow the traffic I wanted.

ipchains -A input -i eth1 -y -p TCP --destination-port :1023 -j DENY -l

Now, this worked great except I noticed a hell of a lot of traffic like
netbios, bootp etc getting logged. I don't want to log the broadcast stuff
and things I know will always be going on. I started down the road of
denying those without logging first, but then noticed that packets
destined for other hosts than mine were getting logged too. 

Anyway, so then I thought what I should be doing is *only* be looking at
the traffic that is destined for my box in the first place. And this is
how I got to wondering if I could use the 255.255.255.252 netmask to
specify all 4 in one rule.

phew

thanks a lot
charles



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
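Added example, not part of the thread and not ipchains code: a small Python model of the match logic in the two rules quoted above, so the question "does -d a.b.c.136/30 cover all four IPs?" can be checked rather than guessed. The addresses (192.0.2.136/30, a documentation range) and the packet list are constructed here to stand in for the poster's a.b.c.136-139; the rule and packet classes are this example's own. It shows that net/30 and net/255.255.255.252 are the same match, that the network and broadcast addresses of the /30 are matched like the other two (the -d test is a plain mask compare, not a routing decision), and that a SYN to a neighbouring host on the ISP segment falls outside the /30 and so is no longer logged.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for a.b.c.136/30 (documentation range).
NET = ipaddress.ip_network("192.0.2.136/30")


@dataclass
class Packet:
    iface: str
    proto: str          # "TCP" or "UDP"
    dst: str
    dport: int
    syn: bool = False   # initial SYN (what ipchains -y matches)


@dataclass
class Rule:
    """Subset of an ipchains rule: -i, -p, -d net/mask, --destination-port, -y, -l."""
    verdict: str                                  # "ACCEPT" or "DENY"
    iface: Optional[str] = None                   # -i eth1
    proto: Optional[str] = None                   # -p TCP
    dst: Optional[ipaddress.IPv4Network] = None   # -d net/mask
    dport: Optional[int] = None                   # --destination-port N (exact)
    dport_max: Optional[int] = None               # --destination-port :N (0..N)
    syn_only: bool = False                        # -y
    log: bool = False                             # -l

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        # -d net/mask is a bitmask compare: (dst & mask) == network.
        # Network and broadcast addresses of the /30 pass this like any other.
        if self.dst is not None and ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dport_max is not None and p.dport > self.dport_max:
            return False
        if self.syn_only and not p.syn:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> Tuple[str, bool]:
    """Walk the chain in order; first matching rule wins. Returns (verdict, logged)."""
    for r in chain:
        if r.matches(p):
            return r.verdict, r.log
    return policy, False


def covered_addresses(net: ipaddress.IPv4Network) -> List[str]:
    """Every address the net/mask pair matches, including network and broadcast."""
    return [str(a) for a in net]


# The chain as described in the mail: an earlier ACCEPT for the wanted traffic,
# then the catch-all DENY+log for ports below 1024, without and with -d net/30.
allow_web = Rule("ACCEPT", iface="eth1", proto="TCP", dport=80)
old_deny = Rule("DENY", iface="eth1", proto="TCP", dport_max=1023, syn_only=True, log=True)
new_deny = Rule("DENY", iface="eth1", proto="TCP", dst=NET, dport_max=1023, syn_only=True, log=True)
OLD_CHAIN = [allow_web, old_deny]
NEW_CHAIN = [allow_web, new_deny]

# Constructed packets arriving on the outside interface.
PACKETS = [
    Packet("eth1", "TCP", "192.0.2.137", 80, syn=True),   # web to an aliased IP: accepted earlier
    Packet("eth1", "TCP", "192.0.2.138", 23, syn=True),   # telnet to one of ours: denied, logged
    Packet("eth1", "TCP", "192.0.2.136", 22, syn=True),   # network address of the /30: still ours
    Packet("eth1", "TCP", "192.0.2.139", 22, syn=True),   # broadcast address of the /30: still ours
    Packet("eth1", "TCP", "192.0.2.140", 25, syn=True),   # neighbour on the ISP segment: not ours
    Packet("eth1", "TCP", "192.0.2.138", 23, syn=False),  # not a SYN: -y does not match
    Packet("eth1", "UDP", "192.0.2.255", 137),            # netbios broadcast: -p TCP never matches
]


def logged_destinations(chain: List[Rule], packets: List[Packet] = PACKETS) -> List[str]:
    """Destination of every packet the chain would log."""
    return [p.dst for p in packets if evaluate(chain, p)[1]]


if __name__ == "__main__":
    print("net/mask form:", NET.with_netmask, "covers", covered_addresses(NET))
    print("logged without -d:", logged_destinations(OLD_CHAIN))
    print("logged with -d /30:", logged_destinations(NEW_CHAIN))
```

The difference between the two chains is exactly the .140 entry: the /30 keeps the four addresses (including .136 and .139) and drops only what was never addressed to the gateway. The UDP netbios line is there as a reminder that the quoted rule has -p TCP, so anything logged for UDP services came from a different rule.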