[OLUG] Firewall Help
Jason Ferguson
jferguson3 at home.com
Sun May 14 20:04:07 UTC 2000
Nope, the Windows machine has a static IP set. eth1 is the inside interface,
and I'm only using 192.168.10.x numbers.
Jason
"W. Mark Hagler" wrote:
> IP Protocol number 17 is UDP. The IP address 169.254.205.249 is
> interesting.. this block of IP numbers is reserved by the IANA "..for use
> with Link Local networks" and wouldn't be seen on the Internet. The
> other address, 24.3.232.34, is one of the @home DNS servers, and UDP
> port 53 is the port for DNS lookups.
>
> Two questions.. is eth1 your inside or outside interface, and are you
> using 169.254.0.0 IP numbers anywhere?
>
> I vaguely remember something about Windows machines using IP numbers
> from a reserved block when they failed to obtain an IP number from a DHCP
> server. Do you have any Windows machines set to "automatically obtain
> IP number" on your local network?
>
> "Good. Root. What is difference?" wrote:
> >
> > Okay, I finally got a decent firewall running, ip masqing and some
> > protective measures. However, now my /var/log/messages is growing by
> > the second... every few minutes or so, I get this line:
> >
> > May 14 13:31:00 cx114367-a kernel: Packet log: input REJECT eth1
> > PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37387 F=0x0000
> > T=128 (#5)
> >
> > Obviously, I'd like to minimize the stuff in my log.
> >
> > I've attached my rc.firewall, which I pretty much ripped from the
> > Stronger IP rulesets section of the masquerading HOWTO. Any help would
> > be appreciated.
> >
> > Jason
> >
> > ------------------------------------------------------------------------
> > #!/bin/sh
> > /sbin/depmod -a
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > /sbin/modprobe ip_masq_ftp
> > /sbin/modprobe ip_masq_irc
> > /sbin/modprobe ip_masq_raudio
> >
> > #extip="24.7.37.34"
> > #extint="eth0"
> > #intint="eth1"
> > #intnet="192.168.10.0/24"
> >
> > #export extip extint intint intnet
> >
> > /sbin/ipchains -M -S 7200 10 160
> >
> > # -------------------------------
> > # Input policies
> > # --------------------------------
> > # First, we set a default policy of REJECT
> > ipchains -F input
> > ipchains -P input REJECT
> >
> > # Local machines are cool.
> > ipchains -A input -i eth1 -s 192.168.10.0/24 -d 0.0.0.0/0 -j ACCEPT
> > ipchains -A input -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -l -j REJECT
> > ipchains -A input -i eth0 -s 0.0.0.0/0 -d 24.7.37.34/32 -j ACCEPT
> > ipchains -A input -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> > ipchains -A input -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> >
> > # -------------------------------
> > # Output policies
> > # ------------------------------
> > # First, we once again set the default policy to REJECT
> >
> > ipchains -F output
> > ipchains -P output REJECT
> >
> > # Once again, local machines are cool
> >
> > ipchains -A output -i eth1 -s 0.0.0.0/0 -d 192.168.10.0/24 -j ACCEPT
> > ipchains -A output -i eth0 -s 0.0.0.0/0 -d 192.168.10.0/24 -l -j REJECT
> > ipchains -A output -i eth0 -s 192.168.10.0/24 -d 0.0.0.0/0 -l -j REJECT
> > ipchains -A output -i eth0 -s 24.7.37.34/32 -d 0.0.0.0/0 -j ACCEPT
> > ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
> > ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> >
> > # -----------------------------------
> > # Forward (aka Masquerade) policies
> > # -----------------------------------
> > # Again, default is deny (flush first so re-running the script does not
> > # append duplicate rules, as is already done for input and output)
> >
> > /sbin/ipchains -F forward
> > /sbin/ipchains -P forward DENY
> >
> > # The local network is cool
> > /sbin/ipchains -A forward -s 192.168.10.0/24 -j MASQ
> >
> > # Everything else is logged and rejected
> > ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 -l -j REJECT
> >
> > ------------------------------------------------------------------------
> > -------------------------------------------------------------------------
> > Sent by OLUG Mailing list Manager, run by ezmlm. http://olug.bstc.net/
> > To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
>
> --
> Email is packaged by intellectual weight, not volume. Some
> settling of contents may have occurred during transmission.
>
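To make the field-by-field reading of the kernel log line concrete, here is an added example (not code from the thread or from the ipchains project) that parses an ipchains `Packet log:` entry and prints the observations Mark makes above: protocol 17 is UDP, 169.254.0.0/16 is IANA link-local space, and port 53 is DNS. It also checks the parsed entry against the ruleset's idea of the inside network (eth1 and 192.168.10.0/24 from the quoted rc.firewall); in that chain, rule #5 is the final logging REJECT, which is why a link-local source arriving on eth1 ends up in /var/log/messages. The sample line is the quoted log entry rejoined onto one line; the helper names `parse_packet_log` and `explain` are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the wrapped kernel line quoted in the thread, rejoined onto one line.
SAMPLE_LINE = (
    "May 14 13:31:00 cx114367-a kernel: Packet log: input REJECT eth1 "
    "PROTO=17 169.254.205.249:137 24.3.232.34:53 L=71 S=0x00 I=37387 "
    "F=0x0000 T=128 (#5)"
)

# IP protocol numbers and well-known ports named in the explanation.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
PORT_NAMES = {53: "DNS", 137: "NetBIOS name service"}

# Field layout of an ipchains "Packet log:" entry:
#   <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)


@dataclass
class PacketLog:
    chain: str
    target: str
    iface: str
    proto: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    length: int
    ttl: int
    rule: Optional[int]  # rule number within the chain, if the kernel logged one


def parse_packet_log(line: str) -> Optional[PacketLog]:
    """Parse one syslog line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rule = m.group("rule")
    return PacketLog(
        chain=m.group("chain"),
        target=m.group("target"),
        iface=m.group("iface"),
        proto=int(m.group("proto")),
        src=ipaddress.IPv4Address(m.group("src")),
        sport=int(m.group("sport")),
        dst=ipaddress.IPv4Address(m.group("dst")),
        dport=int(m.group("dport")),
        length=int(m.group("length")),
        ttl=int(m.group("ttl")),
        rule=int(rule) if rule is not None else None,
    )


def explain(entry: PacketLog, inside_iface: str, inside_net: str) -> List[str]:
    """Observations an admin would make; inside_iface/inside_net describe the LAN."""
    net = ipaddress.ip_network(inside_net)
    proto = PROTO_NAMES.get(entry.proto, f"protocol {entry.proto}")
    rule = f" (matched rule #{entry.rule})" if entry.rule is not None else ""
    notes = [
        f"{entry.chain} chain: {entry.target} {proto} on {entry.iface}, "
        f"{entry.src}:{entry.sport} -> {entry.dst}:{entry.dport}{rule}"
    ]
    if entry.dport in PORT_NAMES:
        notes.append(f"destination port {entry.dport} is {PORT_NAMES[entry.dport]}")
    if entry.sport in PORT_NAMES:
        notes.append(f"source port {entry.sport} is {PORT_NAMES[entry.sport]}")
    if entry.src.is_link_local:
        notes.append(
            f"source {entry.src} is in 169.254.0.0/16 (IANA link-local): "
            "typically a host that failed to get a DHCP lease, never routable"
        )
    if entry.iface == inside_iface and entry.src not in net:
        notes.append(
            f"arrived on inside interface {entry.iface} but source is outside "
            f"{inside_net}, so the LAN ACCEPT rule did not match and the "
            "logging catch-all rejected it"
        )
    return notes


if __name__ == "__main__":
    parsed = parse_packet_log(SAMPLE_LINE)
    assert parsed is not None
    for note in explain(parsed, inside_iface="eth1", inside_net="192.168.10.0/24"):
        print("-", note)
```

Feeding `/var/log/messages` through `parse_packet_log` line by line and grouping by source address is a quick way to see whether a noisy log is one misconfigured host (as here) or many.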