Firewall Wizards mailing list archives

RE: IPChains and firewall rules


From: Henry Sieff <hsieff () orthodon com>
Date: Fri, 25 Aug 2000 15:57:19 -0500

You are still going to need rules, since IPChains does not implicitly
deny traffic from sessions initiated inside to come back.

You will want to read Rusty Russell's IPChains Howto
(http://metalab.unc.edu/pub/linux/docs/HOWTO/IPCHAINS-HOWTO)

You may also want to check out http://www.linux-firewall-tools.com/
which has a nifty web tool to generate an ipchains script; I wouldn't
use the output without understanding it because it'll be hard to make
appropriate changes safely if you don't grok ipchains.

Essentially, you will need to:
1) enable ip_forwarding
2) set rules to allow ipchains to forward appropriate packets from the
inside to the outside
3) set rules to allow the traffic to go in and out of the external
interface
4) set rules to allow traffic to go in and out of the internal
interface.

Anyways, the specific commands depend on what traffic you want to
allow and the topology of your network, location of name servers, etc
etc etc. Read the above resources, and try on your own (it's really the
only way to do it right) and if you have specific rules that aren't
working, they can be troubleshot more easily.



-----Original Message-----
From: Simeon Johnston [mailto:simeonuj () eetc com]
Sent: Friday, August 25, 2000 2:47 PM
To: Firewall Wizards
Subject: [fw-wiz] IPChains and firewall rules


I am setting up a firewall for a small company and am wondering what kind of
rules to use with ipchains.  It is running on a SuperSPARC 10 and will not
allow any access through to the internal network.  What I am wondering
specifically is if I need any rules at all.  If the default input policy is
to deny and I have turned off all open ports to the outside, what use is
there in having rules to block nonexistent traffic?

I have not really done this before so if I am wrong, please bring me to the
Light.

There isn't going to be any blocking of internal to external traffic.  There
will be DHCP for the internal network and IPMasq running of course.
What about IP spoofing, any rules that should be added for that?
There will be no users logging in from the outside for now (maybe with SSH
later on, but I don't think that will be a problem).

Any ideas

sim 

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
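Henry's four steps, plus the anti-spoofing and DHCP points Simeon raises, as an added example script that is not code from either poster. The interface names eth0/eth1 and the 192.168.1.0/24 LAN prefix are assumptions; by default it only prints the ipchains commands it would run.

```shell
#!/bin/sh
# Added example (not from either poster): a minimal ipchains ruleset for a
# masquerading gateway that follows Henry's four steps and adds the
# anti-spoofing rules Simeon asked about. Interface names and the LAN
# prefix are assumptions; adjust them for the real topology.
EXT_IF="${EXT_IF:-eth0}"               # Internet-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"               # LAN interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed RFC 1918 LAN prefix
# Dry run by default: print the commands. Set DRY_RUN=0 (as root) to apply.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

build_rules() {
  # Step 1: turn on kernel forwarding between the two interfaces.
  run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

  # Start from a known state: flush, then default-deny input and forward.
  run ipchains -F
  run ipchains -P input DENY
  run ipchains -P forward DENY
  run ipchains -P output ACCEPT

  # Anti-spoofing: our own prefix must never arrive on the outside
  # interface, and nothing but our prefix (or a DHCP DISCOVER from an
  # unconfigured client, source 0.0.0.0) may arrive on the inside. -l logs.
  run ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -j DENY -l
  run ipchains -A input -i "$INT_IF" -p udp -s 0.0.0.0/32 68 -d 255.255.255.255/32 67 -j ACCEPT
  run ipchains -A input -i "$INT_IF" -s ! "$LAN_NET" -j DENY -l

  # Step 4: traffic on the internal interface (LAN hosts, DNS, DHCP).
  run ipchains -A input -i lo -j ACCEPT
  run ipchains -A input -i "$INT_IF" -s "$LAN_NET" -j ACCEPT

  # Step 2: forward and masquerade LAN traffic heading out; in the
  # forward chain -i names the outgoing interface.
  run ipchains -A forward -i "$EXT_IF" -s "$LAN_NET" -j MASQ

  # Step 3: the external interface. Replies to masqueraded sessions come
  # back to the masq port range; TCP replies are never bare SYNs (! -y).
  # No inbound SYN is accepted, so nothing is reachable from outside.
  run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
  run ipchains -A input -i "$EXT_IF" -p udp -d 0.0.0.0/0 61000:65096 -j ACCEPT
  run ipchains -A input -i "$EXT_IF" -p icmp -j ACCEPT
}

build_rules
```

Rule order matters: the two logged DENY rules sit before the ACCEPTs on the same interfaces, and the DHCP rule precedes the "not our prefix" deny so unconfigured clients can still obtain a lease.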



