Firewall Wizards mailing list archives

RE: IPtables + PCAnywhere


From: "Madsen, Villy" <Villy.Madsen () atcoitek com>
Date: Thu, 6 May 2004 09:24:54 -0600

Oops... my fingers ran away from me!!

In the following, for "are necessarily bad" read "are not necessarily bad"

Sorry!!

Villy

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Madsen, Villy
Sent: Thursday, May 06, 2004 8:27 AM
To: ionut () prolinux ro; Wellington Lopes Moraes
Cc: firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] IPtables + PCAnywhere


While I wholeheartedly agree with the comment re: the last rule,

I also believe that drop rules scattered throughout the rule base are necessarily bad.

As an example, if the first 5 (pick a number) rules control 99% of the traffic, and the last 30 rules control 1% of the traffic, then a drop rule after the first 5 might not be such a bad idea (as long as it doesn't break what follows).

As an example:

Rules to specify what is allowed into the DMZ
Drop anything else destined for the DMZ

Rules to specify traffic allowed from DMZ to internal network
Drop anything else from DMZ to internal network

Anything that gets here is dropped!

This works especially nicely with the newer versions of Checkpoint, where you can logically group the rules, and just look at the group that you are interested in....

Villy Madsen ISP GSEC & the usual checkpoint certifications.


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Ionut Boldizsar
Sent: Wednesday, May 05, 2004 4:38 PM
To: Wellington Lopes Moraes
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] IPtables + PCAnywhere


On Tue, 2004-05-04 at 13:35, Wellington Lopes Moraes wrote:
Hi there! I'm beginning to work with iptables and I got a big problem...

I have the following situation:

- A server with 2 network interfaces (eth0 and eth1) as follows:

LAN_IP="192.168.0.21"
LAN_IFACE="eth0"

INET_IP="192.168.7.106"
INET_IFACE="eth1"

PCANY="192.168.0.32" (the computer that has PCAnywhere).

I have 1 computer on the LAN interface that has PCAnywhere installed, and I need to make sure that this computer can access and be accessed by other computers via PCAnywhere.

Your firewall ruleset is _huge_. And do not get me wrong, but this is far from being all right.

First, you have a lot of drops there, and this is not the way things should be done. I would suggest you remove all the lines with DROP target. For this you have the so-called "catch-all rule", which basically is a single drop rule at the end of the ruleset.

Then, you should optimize your ruleset. This means that you should move up in the hierarchy the rules describing intense traffic, because rules are read from top to bottom, in order. You can save some CPU cycles by doing this.

Regarding your particular question, I am not sure that you should DNAT connections to that pcany host. Couldn't you just route them, and allow them in the forward chain?... In your topology, I see no reason for NAT-ing the connections.

Hope this helps (a little),

--
Ionut Boldizsar, CCSE+
technical manager
ProVision, Security Expert Center
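The FORWARD-chain layout that the two replies above argue for, written out as an added example (it is not a script from either poster): the busiest rule first, the PCAnywhere host reached by routing rather than DNAT, and one catch-all DROP at the end, which is where Villy's grouped per-zone drops would go if the rule base grew. It assumes the 192.168.7.0/24 side already routes 192.168.0.0/24 via this host, the standard PCAnywhere ports TCP 5631 and UDP 5632 (not stated in the thread), and an IPT hook that defaults to printing the commands so the layout can be inspected before it is applied.

```shell
#!/bin/sh
# Added example: FORWARD chain for the eth0/eth1 host described in the thread.
# IPT defaults to a dry run that prints each command; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

LAN_IFACE="eth0"
INET_IFACE="eth1"
PCANY="192.168.0.32"
# Assumed PCAnywhere defaults (the thread does not give the ports).
PCANY_TCP=5631
PCANY_UDP=5632

forward_rules() {
    $IPT -P FORWARD DROP        # safe default policy while the chain is rebuilt
    $IPT -F FORWARD
    # 1. Most packets belong to connections already accepted: match them first.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Outbound from the LAN towards the eth1 side.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
    # 3. Inbound PCAnywhere to the single host that runs it, plainly routed (no DNAT).
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp -d "$PCANY" \
        --dport "$PCANY_TCP" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p udp -d "$PCANY" \
        --dport "$PCANY_UDP" -j ACCEPT
    # 4. Catch-all: anything not matched above is logged (rate limited) and dropped.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -A FORWARD -j DROP
}

# Checks on the dry-run output: exactly one DROP target, and it is the last rule.
last_forward_rule() { forward_rules | grep -- '-A FORWARD' | tail -n 1; }
drop_rule_count()   { forward_rules | grep -c -- '-j DROP'; }

forward_rules
```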



_______________________________________________
firewall-wizards mailing list firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

