
Re: firewall question



On Tue, Sep 11, 2001, Ira Abramov wrote about "Re: firewall question":
> On Tue, 11 Sep 2001, Nadav Har'El wrote:
> 
> > Actually, in ipchains you usually set up "input" and "output" chains, and
> > these protect both the packets coming to or going from the firewall machines,
> > and the ones forwarded to other machines. There is typically no reason to
> > put any rule on the "forward" chain itself. In such a typical setup, the
> 
> well, at least ONE rule will go in the forward chain, and that's
> masquerading.

Yes, of course :)

> rule of thumb: default policy should be set to block-all and open up
> only what you need. if you open up port 80 on the firewall machine, it
> does not mean all the network behind it is also open, of course.

Yes, of course you can have rules specifying specific source/destination
addresses. What I meant was that in ipchains, if you have a generic ip-
address-less rule like

	-A output -p TCP --dport whois --sport 1024: -j ACCEPT
	-A input -p TCP ! -y --sport whois --dport 1024: -j ACCEPT

(to allow whois(1) queries to any server), this rule will affect both the
firewall machine itself and the machines behind it.

In iptables (the newer 2.4 firewall mechanism) this is not so: the same
rule with the necessary syntax changes,
	-A OUTPUT -p TCP --dport whois --sport 1024: -j ACCEPT
	-A INPUT -p TCP ! --syn --sport whois --dport 1024: -j ACCEPT
will not be applied to forwarded packets at all.


-- 
Nadav Har'El                        |       Tuesday, Sep 11 2001, 23 Elul 5761
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |I am thinking about a new signature. Stay
http://nadav.harel.org.il           |tuned.
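The difference described in the mail above, as an added example that is not part of the original message: a small Python model of which chains a packet traverses under ipchains versus iptables, loaded with the whois rules quoted in the thread. The interface names, the "trust the inside interface" input rule and the test packets are constructed assumptions.

```python
LAN_IF, WAN_IF = "eth1", "eth0"   # inside / outside interfaces (constructed)

def whois_query(p):   # -p TCP --dport whois --sport 1024:
    return p["proto"] == "tcp" and p["dport"] == 43 and p["sport"] >= 1024

def whois_reply(p):   # -p TCP ! -y / ! --syn --sport whois --dport 1024:
    return (p["proto"] == "tcp" and p["sport"] == 43
            and p["dport"] >= 1024 and not p["syn"])

def from_lan(p):      # packet arrived on the inside interface
    return p["in_if"] == LAN_IF

# chain -> list of (match, target); no match means the chain's policy (deny)
IPCHAINS = {
    "input":   [(from_lan, "ACCEPT"), (whois_reply, "ACCEPT")],  # inside trusted (assumed)
    "forward": [(from_lan, "MASQ")],                              # the masquerading rule
    "output":  [(whois_query, "ACCEPT")],
}
IPTABLES = {
    "INPUT":   [(whois_reply, "ACCEPT")],
    "FORWARD": [],                                                # nothing here yet
    "OUTPUT":  [(whois_query, "ACCEPT")],
}
# Which chains each kind of packet traverses: the point the mail makes.
PATHS = {
    "ipchains": {"local_in": ["input"], "local_out": ["output"],
                 "forwarded": ["input", "forward", "output"]},
    "iptables": {"local_in": ["INPUT"], "local_out": ["OUTPUT"],
                 "forwarded": ["FORWARD"]},
}

def kind(p):
    if p["in_if"] is None:  return "local_out"   # generated by the firewall
    if p["out_if"] is None: return "local_in"    # addressed to the firewall
    return "forwarded"

def run_chain(rules, p, policy="DROP"):
    for match, target in rules:
        if match(p):
            return "ACCEPT" if target == "MASQ" else target  # MASQ lets it through too
    return policy

def verdict(tool, p, rules=None):
    rules = rules or {"ipchains": IPCHAINS, "iptables": IPTABLES}[tool]
    for chain in PATHS[tool][kind(p)]:
        if run_chain(rules[chain], p) != "ACCEPT":
            return "DROP"
    return "ACCEPT"

def whois_query_packet(from_firewall):   # constructed: a whois query leaving via eth0
    return {"in_if": None if from_firewall else LAN_IF, "out_if": WAN_IF,
            "proto": "tcp", "sport": 1500, "dport": 43, "syn": True}

def iptables_with_forward_rule():        # what a 2.4 setup needs for hosts behind it
    return dict(IPTABLES, FORWARD=[(whois_query, "ACCEPT")])
```

With ipchains the output rule silently opens the path for the hosts behind the firewall as well; with iptables the same query from a host on the LAN is dropped until a FORWARD rule is added explicitly.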