Lourdes A Jones
Fri, 12 Feb 1999 13:58:06 -0500
Hello again,

Marc Cassuto wrote:

> So does that mean I have to write -I rules AND -O rules
> for BOTH NIC ???

It means you can write input, output and forward rules. You don't have to
write them all. Whether you do depends on the level of security you need.
The default policy (on a clean boot) is accept for all three rules. I always
explicitly create the default policy for safety in my rule sets to make sure
that what I think will happen does.

Many people only write input (stop bad stuff from coming into your system)
and forward rules (making the assumption that what you're sending out is
safe). You generally only need to write specific rules for an interface that
connects to the outside. It is always safest to default to deny or reject for
interfaces that connect to outside traffic. The internal NIC can default to
being open if your machine is the only machine that connects to the outside.
If more than one machine connects to the outside then you should write rules
for both NICs.

> From Lourdes A. Jones's email:
>
> He helped me a lot to clarify this previous mechanism.

Thank you; for future reference I am a she. :)

> So you mean Forward rules are led by the Output ones ?

Yes, see below for more explanation.

> Can you explain the way -F works ?

Forward rules apply to packets that begin and end outside your machine. They
specify what can pass through your machine.

> Can I have the same forwarding behavior with
> the rules -I & -O ?

If you want to replace forward with input and output the answer is no. Input
rules say what comes into your machine, output rules say what leaves your
machine, forward rules say what goes through your machine after it has
already gone through the input and output rules. It's an additional step.

> From the French Firewall-HOWTO translated by B. Choppy.
> This rule would allow web connection to external Web server.

Thank you, I haven't read it; my French does not exist, just Spanish and
English. But the rule is backwards if that was the intent.

> I'm starting to get very confused: when do I know
> a packet has to be forwarded?

When it begins and ends on a different machine than the one that you are
setting up the rules for.

Just to clarify, I'm assuming you are setting up rules for a firewall machine:

+---------+     +----------+     +------------------+
| outside |-----| firewall |-----| internal network |
+---------+     +----------+     +------------------+

Rules for outside to firewall are input.
Rules for internal network to firewall are input.
Rules for firewall to outside are output.
Rules for firewall to internal network are output.
Rules for outside to internal network are input, output and forward.
Rules for internal network to outside are input, output and forward.

Forward rules just say if it is ok to send traffic from one side of the
firewall to the other (traffic does or does not stop at this machine). You
have input and output rules in addition to forward rules because the packet
has to go in and out of the firewall machine before it can get to the other
side.

> Have a nice week-end (in Cairo it's Friday and Saturday!)

You too,

Lourdes
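The six cases in the table above can be checked with a small model of how ipchains walks a packet through its chains. The following script is an added example and is not part of the list post; the two-interface topology (eth0 facing the outside, eth1 facing the internal network), the addresses and the sample rules are all constructed, and the helper names (Rule, Chain, trace, sample_ruleset) are this example's own. It assumes the ipchains traversal order input, then forward for transit packets, then output, with the first matching rule deciding and the chain policy applying when nothing matches.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (assumption, not from the post): the firewall owns
# 203.0.113.1 on eth0 (outside) and 192.168.1.1 on eth1 (internal).
FIREWALL_ADDRS = {"203.0.113.1": "eth0", "192.168.1.1": "eth1"}
INTERNAL_NET = ip_network("192.168.1.0/24")


@dataclass
class Rule:
    """One ipchains-style rule: every given field must match; None is a wildcard."""
    target: str                      # "ACCEPT" or "DENY"
    iface: Optional[str] = None      # arrival iface on input, exit iface on forward/output
    src: Optional[str] = None        # CIDR
    dst: Optional[str] = None        # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict, iface: str) -> bool:
        if self.iface is not None and self.iface != iface:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.get("proto"):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


@dataclass
class Chain:
    policy: str                      # verdict when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict, iface: str) -> str:
        for rule in self.rules:      # first match wins, as in ipchains
            if rule.matches(pkt, iface):
                return rule.target
        return self.policy


def exit_iface(dst: str) -> str:
    """Routing decision: the internal net is reached via eth1, everything else via eth0."""
    return "eth1" if ip_address(dst) in INTERNAL_NET else "eth0"


def trace(chains: dict, pkt: dict) -> list:
    """Return [(chain, iface, verdict), ...] in traversal order, stopping at the first DENY.

    pkt carries src, dst, proto, dport and, for packets that arrived on a
    wire, in_iface; packets generated by the firewall itself have no in_iface.
    """
    src_local = pkt["src"] in FIREWALL_ADDRS
    dst_local = pkt["dst"] in FIREWALL_ADDRS
    path = []
    if not src_local:                # arrived from a wire: input chain first
        v = chains["input"].verdict(pkt, pkt["in_iface"])
        path.append(("input", pkt["in_iface"], v))
        if v != "ACCEPT":
            return path
    if dst_local:                    # addressed to the firewall: stops here
        return path
    out = exit_iface(pkt["dst"])
    if not src_local:                # transit traffic: forward chain decides passage
        v = chains["forward"].verdict(pkt, out)
        path.append(("forward", out, v))
        if v != "ACCEPT":
            return path
    v = chains["output"].verdict(pkt, out)
    path.append(("output", out, v))
    return path


def sample_ruleset() -> dict:
    """Constructed rules: deny on the outside NIC, open inside, forward only inside->web."""
    return {
        "input": Chain("ACCEPT", [
            # anti-spoofing: an internal source address must never arrive on eth0
            Rule("DENY", iface="eth0", src="192.168.1.0/24"),
            Rule("DENY", iface="eth0", proto="tcp", dport=22),
        ]),
        "forward": Chain("DENY", [
            Rule("ACCEPT", iface="eth0", src="192.168.1.0/24", proto="tcp", dport=80),
        ]),
        "output": Chain("ACCEPT"),
    }


if __name__ == "__main__":
    chains = sample_ruleset()
    inside_to_web = {"src": "192.168.1.10", "dst": "198.51.100.7",
                     "proto": "tcp", "dport": 80, "in_iface": "eth1"}
    for step in trace(chains, inside_to_web):
        print(step)                  # input/eth1, forward/eth0, output/eth0: all ACCEPT
```

Transit packets from the internal network to an outside web server pass all three chains, packets addressed to the firewall itself stop after input, and packets the firewall generates only see output, which is exactly the table in the reply. Because the forward chain's policy is DENY, anything not explicitly permitted (outside-to-internal web, internal-to-outside SMTP) is dropped there even though the input chain let it in, which is the point of keeping input, forward and output as separate steps.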