Firewall Wizards mailing list archives
Re: building a firewall using Mason
From: William Stearns <wstearns () pobox com>
Date: Tue, 7 Mar 2000 15:02:01 -0500 (EST)
Good afternoon, Chris and Bob, On Tue, 7 Mar 2000, Chris Brenton wrote:
> Bob posted the message below to the Firewall-Wizards mailing list. Not sure if you monitor this list or not. Thought the problem below was
Belatedly - many thanks for the nudge.
> Air Traffic Engineers wrote: I am currently building a firewall using the Mason package. This has an auto learn facility and seems to work fine. It has built a firewall which allows our internal Apache server to provide proxy based internet access for all on our internal network. The firewall is a standard "dual homed" set-up with 2 nics, one to our ISP's router, and one to our internal network. The problem I have is that incoming www connections are being refused and blocked by the firewall. I need obviously to be able to overcome this problem. I suspect that the difficulties lie in the fact that I have no base rule in the Mason configuration to allow for any incoming traffic, it can't therefore learn this procedure and write the rules. There was a
Port forwarding is an exception to Mason's usual method of "listen for it, then create a matching rule". You have to manually specify the combinations of ports you want forwarded to a machine behind the firewall.
> default base rule to allow for masquerading out, which merely needed our IP address range entering to allow the learning process for the creation of the outgoing rules. What I need is some help with a rule to allow all incoming www traffic to be forwarded to the IP address of our Apache server. I do not have an understanding of ipchains and the principles of writing this code myself, nor do I wish to have to learn it!
<shameless Mason plug> You shouldn't have to! </plug>
> I am just trying to set-up a one-off firewall that works!
Allowing incoming connections to masqueraded IPs (which are generally rfc1918 addresses) behind your firewall requires the use of Linux' port forwarding. More information on this tool can be found at http://ipmasq.cjb.net and the ip masquerade mailing list (info at cjb). The section on port forwarding is at (reachable from cjb): http://members.home.net/ipmasq/ipmasq-HOWTO-1.82-6.html#ss6.8

The example from that page takes all requests that arrive on port 80 of your external IP address and sends them back to port 80 of the private IP'd web server (192.168.0.10):

/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t$extip/80 -R 192.168.0.10/80
> Any help appreciated, please e-mail if you can help!
My skills in port forwarding are limited, but please feel free to write me or the IP-masquerading mailing list if more information is needed. Either way, let us know how it went.

Cheers,
- Bill
---------------------------------------------------------------------------
Windows NT: n. 32-bit extensions and a graphical shell for a 16-bit patch to an 8-bit operating system originally coded for a 4-bit microprocessor, written by a 2-bit company that can't stand for 1 bit of competition. (Courtesy of Michael Neuffer <neuffer () trudi zdv Uni-Mainz DE>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
Current thread:
- building a firewall using Mason Air Traffic Engineers (Mar 06)
- <Possible follow-ups>
- Re: building a firewall using Mason William Stearns (Mar 12)