Feb 10 19:53:31 The-Tardis kernel: IP fw-out deny eth1 ICMP/3 192.168.0.2 208.195.144.25 L=56 S=0x00 I=62255 F=0x T=127
Feb 10 19:53:31 The-Tardis kernel: IP fw-out deny eth1 ICMP/3 192.168.0.2 208.195.144.25 L=56 S=0x00 I=62511 F=0x T=127
I *JUST* posted something along the same lines.
IP fw-fwd deny eth1 TCP ftp-client:1282 198.105.232.1:4284 L=44 S=0x00 I=33050 F=0x0040 T=127
What does your IPFWADM forward line look like?
--David
As the MASQ box is also my mail and fax server, things have started to get
a little complex. To stop Sendmail from dialing out every time I send an
e-mail to the server, Sendmail is configured as DeliveryMode = defered.
This basically accepts the mail and does nothing until the queue is run
Why, exactly? AFAIK, there are very few services that listen on ports = 1024. So if you disable those services or block those specific high ports, what's the harm in letting the rest in by default?
Well, I'm worried about the big ones. For example:
# PPTP - reject
/sbin/ipfwadm -O -a
I am setting up masquerading on a debian 1.3 box and I need to figure out the rules I need to add. The linux gateway machine has an assigned ip (private of 10.0.0.1) and clients will be 10.0.0.2 and .2 and so forth. What ipfwadm rules do I need to add? I was thinking the following:
Fuzzy Fox wrote:
In normal port-mode FTP, the client asks the server to make a connection
back to it, on a port chosen by the client, in some high-port range.
In passive FTP, the client asks the server for a random port number that
it should make a connection to, and then connects to that
Hey Everyone.. LOTS of updates here and some of them are VERY important. Please at least scan through this to see what's new.
-109- users on the list and growing faster and faster!
--David
--
02/11/99 Placed short header names in each [Section]
*Sent name. Makes
Jason wrote:
I am setting up masquerading on a debian 1.3 box and I need to figure out the rules I need to add. The linux gateway machine has an assigned ip (private of 10.0.0.1) and clients will be 10.0.0.2 and .2 and so forth. What ipfwadm rules do I need to add? I was thinking the
David A. Ranch wrote:
Well, I'm worried about the big ones. For example:
[snip]
# Xwindows - Deny
/sbin/ipfwadm -O -a reject -W $extif -P tcp -S $extip/32 -D $universe/0 6000 -o
/sbin/ipfwadm -O -a reject -W $extif -P udp -S $extip/32 -D $universe/0 6000 -o
Shouldn't that be port range
Sean A. Walberg wrote:
On Tue, 9 Feb 1999, Fuzzy Fox wrote:
It appears, from the large number of messages which are related to networking, but not really masquerade-related, that there is some sort of demand for a list which revolves, topic-wise, around the subject of networking,
Hello again,
Marc Cassuto wrote:
So does that mean I have to write -I rules AND -O rules for BOTH NICs???
It means you can write input, output and forward rules. You don't have to write them all. Whether you do depends on the level of security you need.
The default policy (on a clean boot) is
Shouldn't that be port range 6000:6007 for Xwindows?
Well.. yes and no. X starts at port 6000 and works its
way up if 6000 is busy. I haven't seen X get through
when 6000 is blocked. Have you?
I missed the beginning of the conversation but it appears you're looking at securing high ports,
I found in writing firewall rules, it's easier to do a "blanket" deny policy (so you get all your bases), then only do "accept" for those services you want to allow.
Why not a blanket REJECT?
--David
David A. Ranch wrote:
I found in writing firewall rules, it's easier to do a "blanket" deny policy (so you get all your bases), then only do "accept" for those services you want to allow.
Why not a blanket REJECT?
Personal preference, DENY drops the packet, REJECT sends back an ICMP
David A. Ranch wrote:
Feb 10 23:22:59 trinity2 kernel: IP fw-out deny eth0 ICMP/3 192.168.0.1 24.0.75.172 L=106 S=0xD0 I=24193 F=0x T=64
ICMP Masq is a separate kernel configuration option in 2.0.36+ and 2.2.x. Did you enable it? If you did, did you set up a general forwarding rule
At 15:48 -0600 2/12/99, Lourdes A Jones wrote:
Yes, I have. When I asked about it on a different list, I was recommended to block 6000:6007 since then I've never seen a problem. The explanation was that some (not all) recent Xservers listen on 6000:6007. (I don't remember which of the commercial servers I was trying out at the time.)
If you'd like to ship over (privately) a copy of your rule set I'll try and see if I can find a conflict.
It's here:
TrinityOS: http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
I don't explicitly deny ICMP and ICMP MASQ works fine from both the Linux server and from MASQ'ed
David A. Ranch [EMAIL PROTECTED] wrote:
Not that I'm aware of. There are a lot of Linux newsgroups out there
but I don't frequent them at all.
Many of the types of questions being asked have little to do with Linux in particular. Many are unix-in-general types of questions. A Linux-
Since you're curious about Linux, try this link:
http://oslab.snu.ac.kr/~djshin/linux/mail-list/
Wow! Excellent Link!
--David
| David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED] |