On Mon, Mar 20, 2000 at 06:56:53PM +0100, Giacomo Mulas wrote:
> Hello, I administer a packet filtering firewall and I would like
> to use SPF on it in order to only allow connections originating from the
> inside network to the outside network (the internet at large). Since the
> documentation on SPF is very terse, could someone post an example

You bet!

> explaining how to configure spf on Debian in order to only allow, say, udp
> connection initiated from one side of the firewall and deny any incoming
> connection attempts from the other side?

Okay, here's a spf-rules file. Note that this is untested though.

-P forward REJECT
-A input -j ACCEPT -s <your net> -d 0.0.0.0/0 -p udp
-A forward -j ACCEPT -p udp
-A forward -j REJECT -l
-A input -j REJECT -l

This is a very simple setup. As you see you just have to list the arguments
to ipchains. That's it. Note, however, that spf creates a new chain named
statinpt where all your input rules will be located. So you cannot specify
a policy for input.

This should do the following:

- set forward policy to REJECT, so there is no forwarding once you shut down spf
- allow input of udp packets from the inside to the internet
- forward all udp packets
- REJECT every other forwarding
- REJECT every other input

From the top of my head this should work. The input rule for packets coming
back via udp will be created by spf.

> Question 2: since my firewall has to use proxy arp (the only
> way to have the brass here accept a firewall was to make it completely
> transparent for them, with no reconfiguration of anything in the
> inside network) does spf have any special problems with proxy arp?

Not that I know of any.

Michael
-- 
Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: [email protected]                | Use PostgreSQL!
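Added example, not part of the mail above and not spf or ipchains code: a small Python model of how the posted rule set classifies packets, so its effect can be checked offline before loading it on a box. It parses the `-P`/`-A` lines in ipchains argument style, walks each chain first-match with the chain policy as the fallback, and imitates the one spf behaviour the mail describes (an input rule created for the UDP reply to an accepted outbound packet). The `INSIDE_NET` value, the packet tuples and the reply-state handling are constructed assumptions; spf's real `statinpt` chain indirection and the ipchains `output` chain are not modelled.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = "192.168.1.0/24"  # constructed stand-in for "<your net>" in the mail

# The rule set from the mail, with <your net> substituted.
SPF_RULES = f"""
-P forward REJECT
-A input -j ACCEPT -s {INSIDE_NET} -d 0.0.0.0/0 -p udp
-A forward -j ACCEPT -p udp
-A forward -j REJECT -l
-A input -j REJECT -l
"""


@dataclass
class Rule:
    target: str                 # ACCEPT or REJECT
    proto: str | None = None    # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    log: bool = False           # the -l flag; logging is not acted on here

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst))


def parse_rules(text: str):
    """Parse '-P <chain> <POLICY>' and '-A <chain> <options>' lines."""
    policies = {"input": "ACCEPT", "forward": "ACCEPT"}  # ipchains defaults
    chains = {"input": [], "forward": []}
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
            continue
        if argv[0] != "-A":
            raise ValueError(f"unsupported rule: {line}")
        chain, opts, rule = argv[1], argv[2:], Rule(target="ACCEPT")
        i = 0
        while i < len(opts):
            flag = opts[i]
            if flag == "-l":
                rule.log = True
                i += 1
                continue
            val = opts[i + 1]
            if flag == "-j":
                rule.target = val
            elif flag == "-s":
                rule.src = val
            elif flag == "-d":
                rule.dst = val
            elif flag == "-p":
                rule.proto = val
            else:
                raise ValueError(f"unknown option {flag} in: {line}")
            i += 2
        chains[chain].append(rule)
    return policies, chains


class Firewall:
    def __init__(self, rules_text: str):
        self.policies, self.chains = parse_rules(rules_text)
        self.replies = set()  # (src, sport, dst, dport) spf would let back in (assumed)

    def _walk(self, chain: str, pkt: dict) -> str:
        for rule in self.chains[chain]:   # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policies[chain]       # no match: chain policy decides

    def input(self, pkt: dict) -> str:
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["proto"] == "udp" and key in self.replies:
            return "ACCEPT"               # dynamic reply rule, as the mail describes
        verdict = self._walk("input", pkt)
        if verdict == "ACCEPT" and pkt["proto"] == "udp":
            self.replies.add((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        return verdict

    def forward(self, pkt: dict) -> str:
        return self._walk("forward", pkt)

    def transit(self, pkt: dict) -> tuple:
        """A packet crossing the box: input first, forward only if input accepted."""
        verdict = self.input(pkt)
        if verdict != "ACCEPT":
            return (verdict, "input")
        return (self.forward(pkt), "forward")


def packet(src, sport, dst, dport, proto="udp") -> dict:
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def demo() -> dict:
    fw = Firewall(SPF_RULES)
    out = packet("192.168.1.10", 40000, "203.0.113.5", 53)          # constructed
    reply = packet("203.0.113.5", 53, "192.168.1.10", 40000)        # answer to `out`
    unsolicited = packet("203.0.113.9", 53, "192.168.1.10", 40000)  # nobody asked
    tcp_out = packet("192.168.1.10", 40001, "203.0.113.5", 80, proto="tcp")
    results = {"outbound_udp": fw.transit(out)}
    results["udp_reply"] = fw.transit(reply)
    results["unsolicited_udp"] = fw.transit(unsolicited)
    results["outbound_tcp"] = fw.transit(tcp_out)  # rules are udp-only, so rejected
    # With spf shut down only the policy line survives, and forwarding stops.
    results["forward_policy_after_shutdown"] = Firewall("-P forward REJECT").forward(out)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The `outbound_tcp` case is the caveat worth noticing: the rule set answers exactly the "say, udp" question, so inside hosts get no TCP either until a matching `-A input ... -p tcp` line is added, and the reply state for that would then also have to come from spf.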

