Firewall Wizards mailing list archives

Re: IPChains and firewall rules


From: marty <marty () supine com>
Date: Sat, 26 Aug 2000 18:05:44 +1000 (EST)

> There isn't going to be any blocking of internal to external traffic.  There
> will be DHCP for the internal network and IPMasq running of course.
> What about IP spoofing, any rules that should be added for that?
> There will be no users logging in from the outside for now (maybe with SSH
> later on, but I don't think that will be a problem).

A few things you have to consider:

the "internal -> external" traffic you are letting thru will generate
responses which need to be let back thru the firewall (best done by the
firewall holding state - i.e. it remembers what connections have been
opened by internal hosts and allows traffic thru for those connections)...

if you are allowing ftp, either you need some way for the firewall to
recognise the ftp server opening a valid data channel, or the clients need
to support passive open, where they initiate the connection...

later
marty

"I can't buy what I want because it's free. Can't be what they want
because I'm me." - Corduroy, Pearl Jam
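
The two points in the reply above (holding state for return traffic, and recognising an active-FTP data channel versus passive open), as an added example that is not part of the original post: a toy Python state table. The addresses are constructed, the class and method names are hypothetical, and IPMasq address rewriting is left out.

```python
import re

# Constructed addresses (RFC 1918 / RFC 5737 ranges), not taken from the post.
CLIENT, SERVER, OTHER = "192.168.1.10", "203.0.113.5", "198.51.100.7"

class StatefulFilter:
    """Toy state table: inside hosts may open connections; outside may only reply."""

    def __init__(self):
        self.established = set()   # (in_ip, in_port, out_ip, out_port)
        self.expected = set()      # (in_ip, in_port, out_ip) announced by PORT

    def outbound(self, src, sport, dst, dport, payload=b""):
        """Internal -> external is always allowed; remember it so replies return."""
        self.established.add((src, sport, dst, dport))
        if dport == 21:
            self._watch_ftp_control(src, dst, payload)
        return True

    def _watch_ftp_control(self, src, dst, payload):
        # Active FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server
        # then connects back from port 20 to h1.h2.h3.h4:(p1*256+p2).
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", payload)
        if not m:
            return
        n = [int(x) for x in m.groups()]
        if any(v > 255 for v in n):
            return
        ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        # Only honour a PORT that names the sender itself and an unprivileged port.
        if ip == src and port >= 1024:
            self.expected.add((ip, port, dst))

    def inbound(self, src, sport, dst, dport):
        """External -> internal: replies and announced FTP data channels only."""
        if (dst, dport, src, sport) in self.established:
            return True
        if sport == 20 and (dst, dport, src) in self.expected:
            self.expected.discard((dst, dport, src))   # one connection per PORT
            self.established.add((dst, dport, src, sport))
            return True
        return False
```

With passive open the data connection goes through `outbound()` like any other client-initiated connection, so no FTP-specific handling is needed.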

