Firewall Wizards mailing list archives
RE: IPChains and firewall rules
From: Henry Sieff <hsieff () orthodon com>
Date: Fri, 25 Aug 2000 15:57:19 -0500
You are still going to need rules, since IPChains does not implicitly deny traffic from sessions initiated inside to come back. You will want to read Rusty Russell's IPChains Howto (http://metalab.unc.edu/pub/linux/docs/HOWTO/IPCHAINS-HOWTO). You may also want to check out http://www.linux-firewall-tools.com/ which has a nifty web tool to generate an ipchains script; I wouldn't use the output without understanding it because it'll be hard to make appropriate changes safely if you don't grok ipchains.

Essentially, you will need to:
1) enable ip_forwarding
2) set rules to allow ipchains to forward appropriate packets from the inside to the outside
3) set rules to allow the traffic to go in and out of the external interface
4) set rules to allow traffic to go in and out of the internal interface.

Anyways, the specific commands depend on what traffic you want to allow and the topology of your network, location of name servers, etc. etc. etc. Read the above resources, and try on your own (it's really the only way to do it right) and if you have specific rules that aren't working, they can be troubleshot easier.
-----Original Message-----
From: Simeon Johnston [mailto:simeonuj () eetc com]
Sent: Friday, August 25, 2000 2:47 PM
To: Firewall Wizards
Subject: [fw-wiz] IPChains and firewall rules

I am setting up a firewall for a small company and am wondering what kind of rules to use with ipchains. It is running on a SuperSPARC 10 and will not allow any access through to the internal network. What I am wondering specifically is if I need any rules at all. If the default input policy is to deny and I have turned off all open ports to the outside, what use is there in having rules to block nonexistent traffic? I have not really done this before so if I am wrong, please bring me to the Light. There isn't going to be any blocking of internal to external traffic. There will be DHCP for the internal network and IPMasq running of course. What about IP spoofing, any rules that should be added for that? There will be no users logging in from the outside for now (maybe with SSH later on, but I don't think that will be a problem). Any ideas

sim

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
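The four steps in Henry's reply, plus the anti-spoofing and masquerading rules Simeon asked about, as an added example script that is not from the thread. The interface names eth0/eth1 and the 192.168.1.0/24 block are assumptions; with DRY_RUN set the script prints the rules instead of applying them, so the rule set can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the thread): minimal ipchains policy for a
# masquerading firewall. Interfaces and LAN block below are assumptions.
EXT_IF="${EXT_IF:-eth0}"              # assumed: interface facing the Internet
INT_IF="${INT_IF:-eth1}"              # assumed: interface facing the LAN
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed: private LAN block

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_rules() {
    # 1) enable forwarding; the kernel forwards nothing otherwise
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # default to deny: anything not matched by a rule below is dropped
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT

    # anti-spoofing: our own LAN block and loopback must never arrive
    # on the external interface; log (-l) and drop them
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY

    # 2) forward LAN traffic out, masqueraded (-i in the forward chain
    # is the outgoing interface)
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ

    # 3) external interface: ipchains is stateless, so replies to sessions
    # started inside need explicit rules: TCP packets that are not new
    # connections (! -y) and UDP replies to unprivileged ports (DNS etc.)
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp --dport 1024:65535 -j ACCEPT

    # 4) internal interface: accept only packets sourced from our LAN block
    run ipchains -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # everything else hits the DENY policy; log it for troubleshooting
    run ipchains -A input -i "$EXT_IF" -l -j DENY
}

case "${1:-}" in
    apply) build_rules ;;
    dry)   DRY_RUN=1; build_rules ;;
esac
```

Run as `sh firewall.sh dry` to review the generated rules, and `sh firewall.sh apply` as root to load them.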