Victor,

If you are initiating the applications from the box that has the
ipchains on it, add a rule like this:

ipchains -A input -s 0/0 -d 0/0 -p tcp ! -y -j ACCEPT

This allows connections that you *initiated* from the box to accept part
#2 of the three-way tcp handshake, to establish the connections.
This *will not* permit anyone to arbitrarily establish any connection they
like with your box (there are plenty of other rules/services to do
that), so theoretically, you are still protected, depending on the
configuration of the system and other services you are running.

If you are planning to run the firewalled box as an NFS server... good
luck! :)

Nonetheless, you would have to allow udp/tcp connections (depending on
your needs) to port 2049 (nfs) from whatever IP addresses you expect nfs
connections.

i.e.
ipchains -A input -p udp -s x.x.x.x/32 -d y.y.y.y/32 2049 -j ACCEPT
ipchains -A input -p tcp -s x.x.x.x/32 -d y.y.y.y/32 2049 -j ACCEPT

Also, since NFS requires the portmapper to be running, you have to make
rules for port 111 (tcp/udp):

ipchains -A input -p udp -s x.x.x.x/32 -d y.y.y.y/32 111 -j ACCEPT
ipchains -A input -p tcp -s x.x.x.x/32 -d y.y.y.y/32 111 -j ACCEPT

Since mountd, lockd, and statd (which are also part of using NFS) float
around ... (see http://nfs.sourceforge.net/nfs-howto/security.html) ...
you can either allow *particular IP addresses* access to all (or a range
of) your ports (not a great idea), or have the daemons run explicitly on
certain ports using the "-p" option and write the appropriate ipchains
for those ports. 

Personally, I would suggest not using NFS, and/or finding a more secure
alternative. I have yet to find an instance in which the "convenience" of
running NFS outweighs the security hazards with which NFS has become
associated.

If you are planning to run the firewalled box as a samba server, you will
have to allow connections *to* udp/tcp ports 137,138, & 139, from
whichever designated IP addresses you have in mind.

i.e.
ipchains -A input -p udp -s ip.of.trusted.host/32 -d ip.of.your.host/32 137:139 -j ACCEPT
ipchains -A input -p tcp -s ip.of.trusted.host/32 -d ip.of.your.host/32 137:139 -j ACCEPT

For more info see Kurt's Site:
http://www.seifried.org/lasg/network-servers/file-print/samba.html

The more specific your rules are about "who, where, and what", the
better!

all the best,

justin
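The rules in the reply above only make sense once you see the input chain as a first-match walk: the `! -y` rule lets the reply half of a connection *this* host opened back in, while a fresh connection request (a bare SYN) falls through to whatever you set as the chain policy, and the NFS/Samba rules pass traffic only from the one trusted address. The following is an added example, not code from the mailing-list thread: a small Python evaluator that parses rules written in the same `ipchains -A input ...` form and walks them the way the kernel would. The addresses, ports and the DENY policy are constructed sample values, and interface (`-i`) and chain name are parsed but not modelled.

```python
# Added example, not part of the original mail: a small evaluator for the
# ipchains 'input' chain that parses rules in the form used in the reply and
# walks them first-match-wins, so the effect of '-y' / '! -y' and of pinning
# NFS/Samba rules to one trusted host can be checked without a kernel that
# still speaks ipchains. Addresses and policy below are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    target: str                      # -j ACCEPT / DENY / REJECT
    proto: Optional[str] = None      # -p tcp | udp (None = any protocol)
    src: str = "0.0.0.0/0"           # -s address/mask
    dst: str = "0.0.0.0/0"           # -d address/mask
    sports: Optional[range] = None   # port or lo:hi given after -s
    dports: Optional[range] = None   # port or lo:hi given after -d
    syn: Optional[bool] = None       # True = -y, False = ! -y, None = either


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn_only: bool = False  # SYN set, ACK and FIN clear: what ipchains -y tests


def expand_net(spec: str) -> str:
    """Turn ipchains shorthand like '0/0' into '0.0.0.0/0'."""
    addr, _, mask = spec.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return str(ip_network(f"{addr}/{mask or 32}", strict=False))


def port_range(spec: str) -> range:
    """'2049' -> range(2049, 2050); '137:139' -> range(137, 140)."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)


def parse_rule(cmdline: str) -> Rule:
    """Parse one 'ipchains -A input ...' command line into a Rule."""
    toks = cmdline.split()
    rule = Rule(target="DENY")
    negate = False
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok == "ipchains":
            i += 1
        elif tok == "-y":
            rule.syn = not negate        # '! -y' means "anything but a bare SYN"
            i += 1
        elif tok in ("-A", "-i"):        # chain name / interface: not modelled
            i += 2
        elif tok == "-p":
            rule.proto = toks[i + 1].lower()
            i += 2
        elif tok == "-j":
            rule.target = toks[i + 1].upper()
            i += 2
        elif tok in ("-s", "-d"):
            net = expand_net(toks[i + 1])
            i += 2
            prange = None
            # A bare port spec may follow the address, as in '-d y.y.y.y/32 2049'
            if i < len(toks) and not toks[i].startswith("-") and toks[i] != "!":
                prange = port_range(toks[i])
                i += 1
            if tok == "-s":
                rule.src, rule.sports = net, prange
            else:
                rule.dst, rule.dports = net, prange
        else:
            # e.g. a port written after '-p udp' instead of after the address
            raise ValueError(f"unexpected token {tok!r} in: {cmdline}")
        negate = False
    if (rule.sports is not None or rule.dports is not None) and rule.proto not in ("tcp", "udp"):
        raise ValueError("port specifications need -p tcp or -p udp")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.sports is not None and pkt.sport not in rule.sports:
        return False
    if rule.dports is not None and pkt.dport not in rule.dports:
        return False
    if rule.syn is not None and pkt.syn_only != rule.syn:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


TRUSTED, ME = "10.0.0.5", "10.0.0.9"   # constructed sample addresses
CHAIN = [parse_rule(line) for line in (
    "ipchains -A input -s 0/0 -d 0/0 -p tcp ! -y -j ACCEPT",
    f"ipchains -A input -p udp -s {TRUSTED}/32 -d {ME}/32 2049 -j ACCEPT",
    f"ipchains -A input -p tcp -s {TRUSTED}/32 -d {ME}/32 137:139 -j ACCEPT",
)]

if __name__ == "__main__":
    # reply leg of a connection this host opened: accepted by the '! -y' rule
    print(evaluate(CHAIN, Packet("203.0.113.7", ME, "tcp", 22, 40000)))
    # a new connection request to port 22 from outside: falls to the policy
    print(evaluate(CHAIN, Packet("203.0.113.7", ME, "tcp", 51000, 22, syn_only=True)))
```

The evaluator assumes the input chain policy is DENY (what `ipchains -P input DENY` would set on the real box); with the default ACCEPT policy none of these rules restrict anything, which is the situation the quoted `-s 0/0 -d 0/0 -i eth0 -j ACCEPT` line produced. Feeding it the mis-ordered form `-p udp 2049` raises a parse error rather than silently matching, which is the cheapest place to catch that mistake.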


On Sun, 17 Feb 2002, Victor Usjanov wrote:

> Hello
> 
> I am trying to run ipchains firewall on my computer connected to corporate
> network. I created a set of rules that let web and mail and ssh traffic in
> and out, and it works just fine. But I got a problem with NFS and samba
> traffic. I did not manage to get it running until I placed "-A input -s
> 0/0 -d 0/0 -i eth0 -j ACCEPT" in the ipchains.conf file. But, as far as I
> understand this opens for all traffic to all ports over eth0 (which is the
> only network interface in my computer), which is not 100% secure... or am I
> wrong here?
> I have tried to remove the above line and add "-A input -s 0/0 139 -d 0/0 -i
> eth0 -p tcp -y -j ACCEPT" to let samba traffic in, but nothing happened (it
> started to deny all kinds of traffic).
> 
> I have tried to search around for hints how to set up ipchains, but all
> examples I find describe how to make a conf file for a firewall with a whole
> network behind, but not for a stand alone computer.
> 
> I feel kind of lost here... and IPchains-howto on linuxdoc didn't help a lot.
> Can someone help a little? Maybe someone knows of some examples I can look at?
> 
> 
> Thanks in advance
> --
> Victor
> 
> 