[OLUG] Firewall Help

puzzled puzzled at home.com
Sun May 14 21:33:03 UTC 2000


   www.freshmeat.net

  search for 'pmfirewall' and install it

  www.google.com

  search for 'linux ipchains rusty' - should take you to the 50-page docs - read it


  Once you've done these things, examine the rules that PMfirewall creates and work from there.
PMfirewall is a pain in the ass if you're protecting a routed internetwork but if all you have is
192.168.10.0/24 it'll provide a nice base configuration.


Jason Ferguson wrote:

> Nope, the Windows machine has a static IP set. eth1 is the inside interface,
> and I'm only using 192.168.10.x numbers.
>
> Jason
>
> "W. Mark Hagler" wrote:
>
> > IP Protocol number 17 is UDP.  The IP address 169.254.205.249 is
> > interesting. This block of IP numbers is reserved by the IANA "..for use
> > with Link Local networks" and wouldn't be seen on the Internet.   The
> > other address, 24.3.232.34, is one of the @home DNS servers, and UDP
> > port 53 is the port for DNS lookups.
> >
> > Two questions: is eth1 your inside or outside interface, and are you
> > using 169.254.0.0 IP numbers anywhere?
> >
> > I vaguely remember something about Windows machines using IP numbers
> > from a reserved block when they failed to obtain an IP number from a DHCP
> > server.  Do you have any Windows machines set to "automatically obtain
> > IP number" on your local network?
> >
> > "Good. Root. What is difference?" wrote:
> > >
> > > Okay, I finally got a decent firewall running, ip masqing and some
> > > protective measures.  However, now my /var/log/messages is growing by
> > > the second... every few minutes or so, I get this line:
> > >
> > > May 14 13:31:00 cx114367-a kernel: Packet log: input REJECT eth1
> > > PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37387 F=0x0000
> > > T=128 (#5)
> > >
> > > Obviously, I'd like to minimize the stuff in my log.
> > >
> > > I've attached my rc.firewall, which I pretty much ripped from the
> > > Stronger IP rulesets section of the masquerading HOWTO. Any help would
> > > be appreciated.
> > >
> > > Jason
> > >
> > >   ------------------------------------------------------------------------
> > > /sbin/depmod -a
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > /sbin/modprobe ip_masq_ftp
> > > /sbin/modprobe ip_masq_irc
> > > /sbin/modprobe ip_masq_raudio
> > >
> > > #extip="24.7.37.34"
> > > #extint="eth0"
> > > #intint="eth1"
> > > #intnet="192.168.10.0/24"
> > >
> > > #export extip extint intint intnet
> > >
> > > /sbin/ipchains -M -S 7200 10 160
> > >
> > > # -------------------------------
> > > # Input policies
> > > # --------------------------------
> > > # First, we set a default policy of REJECT
> > > ipchains -F input
> > > ipchains -P input REJECT
> > >
> > > # Local machines are cool.
> > > ipchains -A input -i eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j ACCEPT
> > > ipchains -A input -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -l -j REJECT
> > > ipchains -A input -i eth0 -s 0.0.0.0/0 -d 24.7.37.34/32 -j ACCEPT
> > > ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> > > ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> > >
> > > # -------------------------------
> > > # Output policies
> > > # ------------------------------
> > > # First, we once again set the default policy to REJECT
> > >
> > > ipchains -F output
> > > ipchains -P output REJECT
> > >
> > > # Once again, local machines are cool
> > >
> > > ipchains -A output -i eth1 -s 0.0.0.0/0 -d 192.168.10.0/24 -j ACCEPT
> > > ipchains -A output -i eth0 -s 0.0.0.0/0 -d 192.168.10.0/24 -l -j REJECT
> > > ipchains -A output -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -l -j REJECT
> > > ipchains -A output -i eth0 -s 24.7.37.34/32 -d 0.0.0.0/0 -j ACCEPT
> > > ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> > > ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> > >
> > > # -----------------------------------
> > > # Forward (aka Masquerade) policies
> > > # -----------------------------------
> > > # Again, default is deny
> > >
> > > /sbin/ipchains -P forward DENY
> > >
> > > # The local network is cool
> > > /sbin/ipchains -A forward -s 192.168.10.0/24 -j MASQ
> > >
> > > # Everything else is logged and rejected
> > > ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> > >
> > >   ------------------------------------------------------------------------
> >
> > --
> >   Email is packaged by intellectual weight, not volume. Some
> >   settling of contents may have occurred during transmission.
> >
>


-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 
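Added example (not part of the thread above, and not from PMfirewall or the HOWTO): a short Python script that decodes ipchains "Packet log:" lines like the one Jason posted and replays each packet through the input chain of the quoted rc.firewall, to show why that packet lands on rule #5 (the logging catch-all) instead of rule #1 (which only accepts 192.168.10.0/24 on eth1). The rule table is transcribed from the quoted script; the two extra log lines and the QUIET_LINK_LOCAL rule are constructed here for illustration, and the reading of the trailing "(#n)" as the number of the rule that matched is taken from the IPCHAINS-HOWTO.

```python
"""Decode ipchains "Packet log:" lines and replay them through the input chain.

Added example, not from the thread: the rule table is transcribed from the
quoted rc.firewall; the extra log lines and QUIET_LINK_LOCAL are constructed.
"""
import ipaddress
import re
from collections import namedtuple

# Kernel log format per the IPCHAINS-HOWTO: chain, target, interface, protocol
# number, src:sport, dst:dport, length, TOS, IP ID, fragment word, TTL and the
# number of the rule that matched ("#5" == fifth rule appended to the chain).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_NAMES = {53: "dns", 67: "bootps", 68: "bootpc", 80: "http", 137: "netbios-ns"}

Rule = namedtuple("Rule", "iface src dst log target")  # iface None == no -i given

# The input chain exactly as the quoted rc.firewall appends it, so index+1 is
# the "#n" ipchains prints.  Only rules 2 and 5 carry -l (log).
INPUT_CHAIN = [
    Rule("eth1", "192.168.10.0/24", "0.0.0.0/0", False, "ACCEPT"),
    Rule("eth0", "192.168.10.0/24", "0.0.0.0/0", True, "REJECT"),  # anti-spoof
    Rule("eth0", "0.0.0.0/0", "24.7.37.34/32", False, "ACCEPT"),
    Rule("lo", "0.0.0.0/0", "0.0.0.0/0", False, "ACCEPT"),
    Rule(None, "0.0.0.0/0", "0.0.0.0/0", True, "REJECT"),  # catch-all, logs
]
INPUT_POLICY = "REJECT"

# Hypothetical (an assumption, not from the thread): a non-logging DENY for
# link-local sources on the inside interface, placed just before the catch-all.
QUIET_LINK_LOCAL = Rule("eth1", "169.254.0.0/16", "0.0.0.0/0", False, "DENY")
QUIETED_CHAIN = INPUT_CHAIN[:-1] + [QUIET_LINK_LOCAL, INPUT_CHAIN[-1]]

# Constructed sample: line 1 is the one from the thread; lines 2 and 3 are made
# up (a spoofed inside address arriving on eth0, and a DHCP broadcast from the
# cable segment) to exercise rules #2 and #5 on the outside interface.
SAMPLE_LOG = """\
May 14 13:31:00 cx114367-a kernel: Packet log: input REJECT eth1 PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37387 F=0x0000 T=128 (#5)
May 14 13:32:10 cx114367-a kernel: Packet log: input REJECT eth0 PROTO=6 192.168.10.7:1034 24.7.37.34:80 L=44 S=0x00 I=1 F=0x0000 T=64 (#2)
May 14 13:33:45 cx114367-a kernel: Packet log: input REJECT eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=9 F=0x0000 T=64 (#5)
"""

def parse_packet_log(line):
    """Fields of one ipchains log line as a dict (ints where numeric), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        d[k] = int(d[k])
    return d

def walk_chain(chain, policy, iface, src, dst):
    """First-match walk of a chain: (rule_number, target, logged).
    rule_number 0 means the default policy applied (ipchains prints no "#n")."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(chain, start=1):
        if r.iface is not None and r.iface != iface:
            continue
        if src_ip in ipaddress.ip_network(r.src) and dst_ip in ipaddress.ip_network(r.dst):
            return n, r.target, r.log
    return 0, policy, False

def classify_source(addr):
    """Origin of a source address, the way the thread reasons about it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local (169.254/16: self-assigned when DHCP fails, never routed)"
    if ip.is_unspecified:
        return "unspecified (0.0.0.0, e.g. a DHCP discover)"
    return "RFC 1918 private" if ip.is_private else "public"

def triage(line, chain=INPUT_CHAIN, policy=INPUT_POLICY):
    """Decode one log line and check the kernel's verdict against the rule table."""
    p = parse_packet_log(line)
    if p is None:
        return None
    n, target, logged = walk_chain(chain, policy, p["iface"], p["src"], p["dst"])
    return {
        "iface": p["iface"],
        "proto": PROTO_NAMES.get(p["proto"], str(p["proto"])),
        "flow": "%s:%d(%s) -> %s:%d(%s)" % (
            p["src"], p["sport"], PORT_NAMES.get(p["sport"], "?"),
            p["dst"], p["dport"], PORT_NAMES.get(p["dport"], "?")),
        "source_kind": classify_source(p["src"]),
        "logged_rule": p["rule"],
        "simulated_rule": n,
        "simulated_target": target,
        # True when the replay reproduces the kernel's rule, verdict and log flag
        "consistent": n == p["rule"] and target == p["target"] and logged,
    }

def triage_all(text, chain=INPUT_CHAIN):
    return [r for r in (triage(ln, chain) for ln in text.splitlines()) if r]

if __name__ == "__main__":
    print(*triage_all(SAMPLE_LOG), *triage_all(SAMPLE_LOG, QUIETED_CHAIN), sep="\n")
```

Running it prints one decoded record per log line, first against the chain as posted and then against the chain with the extra rule in front of the catch-all. The 169.254 packet hits rule #5 as posted because nothing earlier on eth1 matches a source outside 192.168.10.0/24; with the hypothetical DENY in place it is dropped at the new fifth rule without a log entry, and the old catch-all shifts to #6. Silencing that line is a separate matter from the question Mark raised: it hides the symptom but says nothing about where a link-local source on the inside interface is coming from.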