At 02:34 10.11.2001, you wrote:
>Unfortunately, IPCHAINS does not have this capability. This is
>known as a "stateful" firewall because it knows about existing
>connections.
>
>The good news is that IPTABLES which is delivered with Redhat 7.1,
>7.2 and other Linux distributions does have this capability. It
>is known as connection tracking.
>

Unless I'm totally mistaken, IP MASQ with ipchains does achieve that in
practice. You can't do it to the firewall host itself, but other hosts
behind it. IP MASQ is one form of NAT that comes with ipchains. At least
my firewall has rules that make it possible to initiate connections from
hosts behind it, while the firewall host does reject/deny connection
attempts initiated outside. Unless I want to open certain ports to the
firewall host, of course. One can also define to IPMASQ which
ports/protocols are forwarded from the internal network. All this does
work with my humble Debian Potato with kernel 2.2 while using ipchains.

Since I'm not an expert with firewalls and I've not really looked at
IPTABLES, what benefits does moving to IPTABLES give to a person who has
the above network configuration?

Antti

>On Fri, Nov 09, 2001 at 11:46:28AM -0500, Sam Mabjish wrote:
> >
> > Hi,
> > I am using Linux IPCHAINS version 1.3.8.
> > I am having trouble coming up with rules to DENY
> > sessions originating somewhere on the Internet
> > outside my network.
> > But at the same time, I do NOT want to DENY traffic
> > coming back to my network for sessions that originated
> > from machines on my network.
> > I do not know if this function is available in IPCHAINS.
> > Can it be done?
> > Can you please help!!
> > What syntax should I use?
> > Thank you in advance
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
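The distinction the thread turns on, as an added toy model that is not code from the thread nor from ipchains or iptables: a per-packet rule in the ipchains style (accept inbound TCP that is not a new connection, the "! -y" idiom) beside a connection table in the iptables style (accept inbound only when it matches a connection seen going out). Hosts, ports and packets below are constructed.

```python
# Added example: toy model of stateless (ipchains-style) vs stateful
# (iptables-style) filtering. All hosts and packets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "A"
    outbound: bool  # True when leaving the protected network

INSIDE = "192.168.1.10"   # constructed internal host
OUTSIDE = "203.0.113.5"   # constructed remote host (documentation range)

def is_syn_only(flags: str) -> bool:
    """ipchains' -y test: SYN set, ACK and FIN clear, i.e. a new connection."""
    return "S" in flags and "A" not in flags and "F" not in flags

def stateless_filter(pkt: Packet) -> str:
    """ipchains style: judge each packet alone; inbound passes unless it is a SYN."""
    if pkt.outbound:
        return "ACCEPT"
    return "DENY" if is_syn_only(pkt.flags) else "ACCEPT"

class StatefulFilter:
    """iptables style: outbound packets record a connection; inbound must match one."""
    def __init__(self) -> None:
        self.conntrack = set()  # entries: (in_ip, in_port, out_ip, out_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.outbound:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # reply direction
        return "ACCEPT" if reverse in self.conntrack else "DROP"

def run_scenario() -> dict:
    """Four constructed packets; returns (stateless, stateful) verdicts per packet."""
    packets = {
        "outbound request": Packet(INSIDE, 40000, OUTSIDE, 80, "S", True),
        "reply to request": Packet(OUTSIDE, 80, INSIDE, 40000, "SA", False),
        "unsolicited SYN": Packet(OUTSIDE, 4444, INSIDE, 22, "S", False),
        "unsolicited ACK": Packet(OUTSIDE, 4444, INSIDE, 22, "A", False),
    }
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in packets.items()}
```

Both filters let the request out and its reply back in and both refuse an unsolicited SYN; only the connection table also refuses an inbound non-SYN packet that belongs to no known connection, which is the gap the per-packet rule cannot see.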
