Marc Cassuto <[EMAIL PROTECTED]> wrote:
>
> > /sbin/ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
> That did not work much better....

You didn't say what you expect it to do, but if your intent is to allow
traffic to reach external web servers, the rule is backwards from what
it needs to be.

The above rule says to accept packets that are FROM one of your local
machines, using a SOURCE port of 80, to any destination on any non-root
port.  That sounds good, I guess, but remember that HTTP traffic has a
DESTINATION port of 80, not a SOURCE port of 80.  So your rule does not
match the traffic you're trying to accept.  The "-b" option does not
help this situation, because it reverses both the source and
destination addresses, as well as the port numbers.  Try this:

   ipfwadm -I -a accept -b -P tcp -S 192.168.0.7/32 1024:65535 -D 0.0.0.0/0 80

This allows incoming packets from any source port on your local network,
to any destination as long as the destination port is 80.  The "-b"
option also permits replies coming back in the opposite direction (i.e.
source port is 80, reply to the original sending port).

You must think in terms of source and destination IP addresses and
ports in order for this stuff to become clear.  It takes time, but it's
not all that complicated when you think about it.  :)

> Hummmm...  Where can I find a doc about the difference between the
> different lists, and in particular -F -I and -O.

I don't recall the web site that has a picture diagram showing the
relationship, but it's basically this:

    Any incoming packet is passed through the INPUT ruleset.

    Any packet that matches the ROUTE table will be forwarded.

        If the packet is to be forwarded, it is passed through the
        FORWARD ruleset.

    Any outgoing packet is passed through the OUTPUT ruleset.

From the above, you can see that a packet which is being forwarded
through your masq box will be passed by all three rulesets:  Through
INPUT when it comes in, through FORWARD when it gets forwarded, and
through OUTPUT when it goes out.


As for typical uses of these:

The INPUT ruleset is normally used to stop traffic from flowing in a
certain direction.  It works best because it is the first rule invoked,
so it will easily filter out traffic that you don't want.

The FORWARD ruleset is normally used to enable masquerading.  You will
always want this to operate in only one direction (i.e. masquerade
internal traffic, heading towards the outside network.  Never in the
other direction).

The OUTPUT ruleset is hardly ever used, beyond simply rejecting traffic
that your box might generate incorrectly.  Mostly as a safeguard
(i.e. sending out packets to the external net which have internal IP
addresses).  If you have set up your other rules and route tables
correctly, these output rules will never trigger.  :)

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
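The source/destination-port point made above, as an added illustration that is not part of the original thread and not ipfwadm's own code: a small Python model of how an ipfwadm-style TCP rule matches a packet (address/mask, port range, and "-b" treated as "also try with source and destination swapped", a simplification of the real implementation), run against the original rule and the corrected one. The packet addresses and client port are constructed sample values.

```python
import ipaddress

# Constructed example: a minimal model of ipfwadm-style TCP rule matching,
# enough to show why the original rule never matches outbound HTTP while
# the corrected one does (and why -b also admits the replies).

def parse_ports(spec):
    """'80' -> (80, 80); '1024:65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

class Rule:
    def __init__(self, src, sports, dst, dports, bidirectional=False):
        self.src = ipaddress.ip_network(src)      # -S address/mask
        self.sports = parse_ports(sports)         # -S port range
        self.dst = ipaddress.ip_network(dst)      # -D address/mask
        self.dports = parse_ports(dports)         # -D port range
        self.bidirectional = bidirectional        # -b

    def _one_way(self, saddr, sport, daddr, dport):
        return (ipaddress.ip_address(saddr) in self.src
                and self.sports[0] <= sport <= self.sports[1]
                and ipaddress.ip_address(daddr) in self.dst
                and self.dports[0] <= dport <= self.dports[1])

    def matches(self, saddr, sport, daddr, dport):
        # -b: also try the packet with source and destination swapped
        if self._one_way(saddr, sport, daddr, dport):
            return True
        return self.bidirectional and self._one_way(daddr, dport, saddr, sport)

# The rule from the original message: -S 192.168.0.7/32 80 -D 0.0.0.0/0 1024:65535
backwards = Rule("192.168.0.7/32", "80", "0.0.0.0/0", "1024:65535", bidirectional=True)
# The corrected rule: -S 192.168.0.7/32 1024:65535 -D 0.0.0.0/0 80
corrected = Rule("192.168.0.7/32", "1024:65535", "0.0.0.0/0", "80", bidirectional=True)

# Constructed packets: a client request to an external web server and its reply.
REQUEST = ("192.168.0.7", 34567, "203.0.113.10", 80)   # LAN host -> web server
REPLY   = ("203.0.113.10", 80, "192.168.0.7", 34567)   # web server -> LAN host

def check(rule):
    """Return (request_matches, reply_matches) for a rule."""
    return rule.matches(*REQUEST), rule.matches(*REPLY)

if __name__ == "__main__":
    print("backwards rule:", check(backwards))   # (False, False)
    print("corrected rule:", check(corrected))   # (True, True)
```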