Firewall Wizards mailing list archives

RE: Transparent Proxy and IPChains


From: Michael Walter <walterm () gliatech com>
Date: Fri, 21 Apr 2000 10:39:28 -0400

Sorry, the previous instructions were a bit incomplete; these rules will
prevent fragmentation on an interface:

  #  Don't output fragments
  ipchains -A output -i $LOCAL_NIC -f -j DENY

  #  Don't accept fragments
  ipchains -A input -i $LOCAL_NIC -f -j DENY

Thanks,

Michael J. Walter
mcse mcp+i rhce a+
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm () gliatech com


        -----Original Message-----
        From:   Michael Walter 
        Sent:   Friday, April 21, 2000 9:02 AM
        To:     'Jason L. Esman'
        Cc:     'firewall-wizards () nfr net'
        Subject:        RE: [fw-wiz] Transparent Proxy and IPChains

        ipchains -A output -i $LOCAL_NIC -f -j DENY

        Replace $LOCAL_NIC with your interface. This will drop all packet
        fragments after the first, causing the interface to re-submit them
        and forcing defragmenting at the interface.


        Michael J. Walter
        mcse mcp+i rhce a+
        Gliatech, Inc.
        23420 Commerce Park Rd.
        Beachwood, Ohio 44122
        Tel: (216) 831-3200
        Email: walterm () gliatech com


                -----Original Message-----
                From:   Jason L. Esman [SMTP:jesman () edpm com]
                Sent:   Wednesday, April 19, 2000 3:13 PM
                To:     'Ryan Russell'; 'Jason L. Esman'
                Cc:     firewall-wizards () nfr net
                Subject:        RE: [fw-wiz] Transparent Proxy and IPChains

                IP: always defragment is not an option in the kernel
                configuration. I am using 2.2.14. I've tried this and it
                still isn't working. I am now hunting through all my rules
                to see if I missed something. I have everything else listed
                below right except for the IP: always defragment.

                Jason L. Esman


                -----Original Message-----
                From: Ryan Russell [mailto:ryan () securityfocus com]
                Sent: Wednesday, April 19, 2000 1:20 PM
                To: Jason L. Esman
                Cc: firewall-wizards () nfr net
                Subject: Re: [fw-wiz] Transparent Proxy and IPChains


                Pardon me asking the obvious...

                Have you checked out:
                http://squid.nlanr.net/Squid/FAQ/FAQ-17.html#ss17.7

                (Never done it myself, but I was curious and went looking.
                That's what I found.)

                This seems relevant, and I don't think you said if you had
                it on:

                "You must include the IP: always defragment, otherwise it
                prevents you from using the REDIRECT chain."

                And perhaps:

                "Also, Andrew Shipton notes that with 2.0.x kernels you
                don't need to enable packet forwarding, but with the 2.1.x
                and 2.2.x kernels using ipchains you do. Packet forwarding
                is enabled with the following command:

                        echo 1 > /proc/sys/net/ipv4/ip_forward"

                Though I suspect if IPChains is working otherwise, this is
                already the case.

                                                        Ryan
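The pieces the thread circles around (packet forwarding, always-defragment, the fragment DENY rules and the port 80 REDIRECT to Squid) put together as one reviewable 2.2.x/ipchains script. This is an added example, not code posted by anyone in the thread or taken from the Squid FAQ; it assumes a LAN interface of eth1, Squid listening on 3128, a LAN of 192.168.1.0/24, and that the 2.2 kernel exposes the defragment switch as /proc/sys/net/ipv4/ip_always_defrag (all of these are my assumptions and are overridable through environment variables). By default it only prints what it would do; set DRY_RUN=0 and run as root to apply.

```shell
#!/bin/sh
# Added example (not from the thread): transparent-proxy rule set for a
# Linux 2.2.x host using ipchains. Assumed values, override via environment:
LOCAL_NIC="${LOCAL_NIC:-eth1}"            # assumed LAN-facing interface
PROXY_PORT="${PROXY_PORT:-3128}"          # assumed Squid listening port
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed client network
DEFRAG_SYSCTL="/proc/sys/net/ipv4/ip_always_defrag"   # assumed 2.2 sysctl path

# Emit the ipchains commands in load order. The two fragment DENY rules
# (-f matches second-and-later fragments only) sit ahead of the REDIRECT so
# trailing fragments are dropped before any later rule sees them, and the
# first fragment, which carries the TCP header, still reaches the REDIRECT.
build_rules() {
  cat <<EOF
ipchains -F input
ipchains -F output
ipchains -A input -i $LOCAL_NIC -f -j DENY
ipchains -A output -i $LOCAL_NIC -f -j DENY
ipchains -A input -i $LOCAL_NIC -p tcp -s $LAN_NET -d 0/0 80 -j REDIRECT $PROXY_PORT
EOF
}

# Check a rule listing: the first fragment DENY must precede the REDIRECT.
# Returns 0 when the order is right, non-zero otherwise.
frag_rules_before_redirect() {
  deny_line=$(printf '%s\n' "$1" | grep -n -- '-f -j DENY' | head -1 | cut -d: -f1)
  redir_line=$(printf '%s\n' "$1" | grep -n -- '-j REDIRECT' | head -1 | cut -d: -f1)
  [ -n "$deny_line" ] && [ -n "$redir_line" ] && [ "$deny_line" -lt "$redir_line" ]
}

# With DRY_RUN=1 (the default) print the sysctl writes and rules for review;
# with DRY_RUN=0 actually apply them (needs root and a 2.2 kernel).
apply_rules() {
  rules=$(build_rules)
  frag_rules_before_redirect "$rules" || { echo "rule order wrong" >&2; return 1; }
  if [ "${DRY_RUN:-1}" = 1 ]; then
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "echo 1 > $DEFRAG_SYSCTL"
    printf '%s\n' "$rules"
  else
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > "$DEFRAG_SYSCTL"
    printf '%s\n' "$rules" | sh -e
  fi
}

[ "${DRY_RUN:-1}" = 1 ] && apply_rules
```

The order check is the part worth keeping even if the rest is rewritten: ipchains walks a chain top to bottom, so a REDIRECT placed above the fragment rules is what the listing would silently allow, and a dry run that fails the check tells you before anything is loaded.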