David A. Ranch
Mon, 8 Feb 1999 14:18:28 -0500
Hey marc,

>I've just configured an Internet Access with the following :
>- linux 2.0.34 box (Slackware 3.5)

Upgrade that kernel to at least 2.0.36. To be honest, I would recommend upgrading to the 2.2.x kernels since it sounds like it's MUCH faster too. But, be warned, you'll have to convert to IPCHAINS since IPFWADM support has been dropped in the 2.1 and 2.2 kernels.

>If I try to build a strong firewall,
>I can't use all the port limitation that should
>be used with ipfwadm.

This isn't a very strong ruleset. Check out the ruleset in the TrinityOS doc and see if it will do what you need:

http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

>#/sbin/ipfwadm -F -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0
>1024:65535
>###### BUT THIS DOESN'T WORK !!!
>###### AND THIS IS EXACTLY THE LINE I FOUND IN THE HOWTO !!!

No... you are specifying FORWARDING here. That should be:

/sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535

But.. This is kinda messed up if you want this rule to allow WWW browsing on the Internet. This rule is saying you are going to originate port 80 traffic to the Internet. This isn't how WWW works unless you are running a WWW server. Your DESTINATION should be port 80 for normal surfing.

>In fact as soon as I try to limit access, all the connexion
>for the specified IP is blocked !!!
>And that is the same for any port.
>I can't even use the -P flag.

Learning firewall rulesets takes a while. I recommend that you use the TrinityOS doc as a template and open it up as you need. As it stands, it's VERY restrictive. :)

--David

.----------------------------------------------------------------------------.
|  David A. Ranch - Linux/Networking/PC hardware        [EMAIL PROTECTED]    |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
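
The source-port versus destination-port point in the reply above, as an added example (not part of the original message and not ipfwadm's own code): a simplified Python model of a single stateless TCP accept rule, in which -b is modeled as also matching the packet with source and destination swapped, and the input/forward chain choice is not modeled. The class names, the sample packets and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """One stateless TCP accept rule: -S net ports -D net ports [-b]."""
    src_net: str
    sports: tuple                 # inclusive (low, high)
    dst_net: str
    dports: tuple
    bidirectional: bool = True    # models the -b flag (assumption of this model)

    def _one_way(self, src, sport, dst, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src_net)
                and self.sports[0] <= sport <= self.sports[1]
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst_net)
                and self.dports[0] <= dport <= self.dports[1])

    def matches(self, p):
        if self._one_way(p.src, p.sport, p.dst, p.dport):
            return True
        # -b: also try the packet with source and destination swapped
        return self.bidirectional and self._one_way(p.dst, p.dport, p.src, p.sport)

CLIENT = "192.168.0.7"
HIGH = (1024, 65535)
# Addresses and ports as posted: the LAN host is the *source port 80* side.
POSTED = Rule("192.168.0.7/32", (80, 80), "0.0.0.0/0", HIGH)
# For surfing: the LAN host uses a high source port, DESTINATION port is 80.
SURFING = Rule("192.168.0.7/32", HIGH, "0.0.0.0/0", (80, 80))

# Constructed sample traffic (203.0.113.10 is a documentation address).
REQUEST = Packet(CLIENT, 1050, "203.0.113.10", 80)     # browser -> web server
REPLY = Packet("203.0.113.10", 80, CLIENT, 1050)       # web server -> browser
INBOUND = Packet("203.0.113.10", 40000, CLIENT, 80)    # outsider -> port 80 on LAN host

def verdicts(rule):
    """Return which of the three sample packets the rule accepts."""
    return {name: rule.matches(p) for name, p in
            (("request", REQUEST), ("reply", REPLY), ("inbound", INBOUND))}

if __name__ == "__main__":
    print("posted :", verdicts(POSTED))
    print("surfing:", verdicts(SURFING))
```

In this model the posted port layout accepts only connections made to port 80 on 192.168.0.7, which is the web-server case the reply describes, while the destination-port-80 layout accepts the browser's request and its reply and nothing aimed at port 80 on the LAN host.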