Firewall Wizards mailing list archives

RE: Transparent Proxy and IPChains


From: Michael Walter <walterm () gliatech com>
Date: Fri, 21 Apr 2000 09:01:42 -0400

ipchains -A output -i $LOCAL_NIC -f -j DENY

Replace $LOCAL_NIC with your interface; this will drop all packet fragments
after the first, causing the interface to re-submit them and forcing
defragmenting at the interface.


Michael J. Walter
mcse mcp+i rhce a+
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm () gliatech com


        -----Original Message-----
        From:   Jason L. Esman [SMTP:jesman () edpm com]
        Sent:   Wednesday, April 19, 2000 3:13 PM
        To:     'Ryan Russell'; 'Jason L. Esman'
        Cc:     firewall-wizards () nfr net
        Subject:        RE: [fw-wiz] Transparent Proxy and IPChains

        IP: always defragment is not an option in the kernel configuration. I am
        using 2.2.14. I've tried this and it still isn't working. I am now hunting
        through all my rules to see if I missed something. I have everything else
        listed below right except for the IP: always defragment
        Jason L. Esman


        -----Original Message-----
        From: Ryan Russell [mailto:ryan () securityfocus com]
        Sent: Wednesday, April 19, 2000 1:20 PM
        To: Jason L. Esman
        Cc: firewall-wizards () nfr net
        Subject: Re: [fw-wiz] Transparent Proxy and IPChains


        Pardon me asking the obvious...

        Have you checked out:
        http://squid.nlanr.net/Squid/FAQ/FAQ-17.html#ss17.7

        (Never done it myself.. but I was curious, and went looking.  That's what
        I found.)

        This seems relevant, and I don't think you said if you had it on:

        "You must include the IP: always defragment, otherwise it prevents you
        from using the REDIRECT chain."

        And perhaps:

        "Also, Andrew Shipton notes that with 2.0.x kernels you don't
        need to enable packet forwarding, but with the 2.1.x and 2.2.x kernels
        using ipchains you do. Packet forwarding is enabled with the following
        command:

                echo 1 > /proc/sys/net/ipv4/ip_forward"

        Though I suspect if IPChains is working otherwise, this is already the
        case.

                                                Ryan
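
Added example, not part of the original thread: the `-f` rule and the "IP: always defragment" requirement discussed above both come down to the fact that only the first fragment of a TCP packet carries the TCP header, so a port-based rule such as a REDIRECT to the proxy has no port to match on later fragments. The helper names, addresses (documentation ranges) and the sample packet are constructed for illustration.

```python
import struct

def build_ipv4(payload, frag_offset_bytes=0, more_fragments=False, proto=6):
    """Build a constructed 20-byte IPv4 header (checksum left 0) plus payload."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_off, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (header_len, more_fragments, frag_offset_bytes, proto)."""
    ver_ihl, _, _, _, flags_off, _, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    return (ver_ihl & 0x0F) * 4, bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8, proto

def is_later_fragment(pkt):
    """True for second and further fragments (nonzero offset), the case -f matches."""
    return parse_ipv4(pkt)[2] != 0

def tcp_dest_port(pkt):
    """Destination port, or None when this packet carries no TCP header."""
    ihl, _, offset, proto = parse_ipv4(pkt)
    if proto != 6 or offset != 0 or len(pkt) < ihl + 4:
        return None
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]

def fragment(payload, first_len):
    """Split one payload into two fragments; first_len must be a multiple of 8."""
    return [build_ipv4(payload[:first_len], 0, True),
            build_ipv4(payload[first_len:], first_len, False)]

# Constructed sample: TCP header (src port 40000 -> dst port 80) plus 44 data bytes.
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"A" * 44
FRAGMENTS = fragment(TCP_SEGMENT, 32)

if __name__ == "__main__":
    for pkt in FRAGMENTS:
        # First fragment: port visible. Later fragment: no port to match on.
        print(is_later_fragment(pkt), tcp_dest_port(pkt))
```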
        


