Hi Scott,

I got it sussed, and it wasn't that hard.

I went in to pmfirewall, and added,
OUTERNET2=123.123.123.123/255.255.255.0
OUTERNET3="", OUTERNET4 and so on for each IP I wanted to protect.

Then I went into pmfirewall.rules.local and replicated my rules for each
OUTERNET (only needed the "allow" rules, as I discovered it denies to all the
virtual IPs by default).
Then for each group of the rules I replicated, I substituted OUTERNET2 or
whatever for OUTERNET, and it worked: I have allowed the rules I wanted, and
denied the rest...

So really, I am now just using pmfirewall as an executable list of rules...

I also have portsentry running in stealth, and whenever I get scanned on a
specific port, if I am not using it, I add a rule to deny it to all IPs.

Seems to be working great.

Thanks guys for your help and suggestions.

Frank Hauptle
----/ /  _
---/ /  (_)__  __ ____  __
--/ /__/ / _ \/ // /\ \/ /
-/____/_/_//_/\_,_/ /_/\_\
Gshop & Network Payment Solutions.

-----Original Message-----
From: Scott Patten [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 18 March 2001 4:48 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [expert] PMfirewall or RCF security.


> I have installed pmfirewall onto my box, with problems, (ie doesn't
> support virtual IPs or multiple domains.)
> so unless you go to my static IP, you can access nothing, all the domains
> get cut off.

Can you use name-based virtual hosts?  This would eliminate the need for
dummy IPs.

> so my problem, I need to replicate my static IP rules for all the virtual
> IPs of ppp0.

This is actually a bit more complicated than you might think.  There are
quite a few rules generated and they're spread across several files.  It
would not be too hard if you understand ipchains rules and shell scripting
fairly well but you might as well write your own scripts if that's the case.

Warning. I have not tested this but I have wondered if I could install a
copy of PMfirewall for each set of IPs being firewalled/masqueraded.  This
would require me to:

a - manually enter the devices and IPs during the PMfirewall scripts
b - keep the config files in separate locations
c - run the scripts manually or edit the system V scripts so each
configuration is run
d - maybe edit a rule or two from each configuration if some sort of global
restriction is applied

This is not a pretty solution but it's quick and easy.

> it seems silly that this was not built into pmfirewall from scratch, it's
> such a basic thing.

It appears basic but think of the config file explosion that would take
place.  Now think of the complexity of the questions that the script would
have to ask.  You're talking about an order of magnitude increase in
complexity.

I hope this helps.

Cheers,

Scott Patten
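As an added example (not code from this thread, from pmfirewall, or from portsentry, and not tied to pmfirewall's rules-file format), here is the kind of stand-alone script Scott alludes to and Frank ended up approximating by hand: one allow list expanded over every OUTERNET variable as ipchains rules on ppp0, a catch-all DENY per address, and the per-port deny Frank adds after a portsentry hit. It assumes ipchains syntax, uses constructed documentation addresses, and prints the commands instead of running them so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not pmfirewall's own code. Expands one allow list over
# several virtual IPs on ppp0 and closes everything else on those IPs.
# Addresses are constructed (RFC 5737 documentation range).
OUTERNET=192.0.2.10      # static IP, same variable style as the thread
OUTERNET2=192.0.2.11     # virtual IPs; the loop stops at the first empty one
OUTERNET3=192.0.2.12
WAN_IF=ppp0
ALLOW_TCP_PORTS="22 80 443"   # assumption: services to allow on every IP

# Print the ipchains commands for one address: an ACCEPT per allowed port,
# then a logged catch-all DENY so anything not listed is dropped for that IP.
rules_for_ip() {
    addr=$1
    for port in $ALLOW_TCP_PORTS; do
        echo "ipchains -A input -i $WAN_IF -p tcp -d $addr/32 $port -j ACCEPT"
    done
    echo "ipchains -A input -i $WAN_IF -d $addr/32 -j DENY -l"
}

# Walk OUTERNET, OUTERNET2, OUTERNET3, ... in order, emitting the same
# rule group for each, until a variable is unset or empty (OUTERNETn="").
expand_rules() {
    ip=$OUTERNET
    n=2
    while [ -n "$ip" ]; do
        rules_for_ip "$ip"
        eval "ip=\${OUTERNET$n}"
        n=$((n + 1))
    done
}

# The rule added after portsentry reports a scan on a port that is not in
# use: deny that TCP port on every address of the interface. Inserted at
# the head of the chain (-I) so it wins over any earlier ACCEPT.
deny_port_everywhere() {
    echo "ipchains -I input -i $WAN_IF -p tcp -d 0.0.0.0/0 $1 -j DENY -l"
}

# Number of rule lines the expansion produces; a quick sanity check before
# the output is piped into sh.
rule_count() {
    expand_rules | wc -l | tr -d ' '
}

# Review first (sh this.sh | less), then apply as root with: sh this.sh | sh
expand_rules
```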

