I am stuck with a request from a client. A FreeBSD box with 3 NICs
appears as:

[internet]----/FreeBSD/------>[lan 192.168.1.2]
                  |
                  |------>[dmz 192.168.10.2]
The dmz receives (and replies to) requests for dns/sendmail/apache, either from the
internet or from the lan, through the FreeBSD box. What is needed: all and
ANY packet originated from the dmz and destined to the lan must be denied
(drop/reject). The intent is that, even if a bad-boy gets into the dmz, the
firewall will still refuse connections originated from this (compromised)
box to the internal lan.
I am using ipfilter for this setup.
Note: even after changing rules a lot, I am unable to do this. Then I just
tried to 'block everything for that machine':
:=== begin
block in quick from any to 192.168.1.89
block out quick from any to 192.168.1.89
block in quick from 192.168.1.89 to any
:===
but nmap (from the dmz) still shows open ports 22 and 53 on this machine.
How do I effectively BLOCK every packet from the dmz to the internal lan?? :o(
--
greetings,
irado furioso com tudo.
Linux User (SuSE) 179.402
Faith moves mountains. But tractors are more efficient and demand less
effort from 'faith', that strange department. After all, believe it or not,
the tractor sends the mountain away. As for faith.. where is the map with the before and
after??
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
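An added example (not from the original post) of an ipfilter ruleset for the three-interface layout described above, written so that packets originated in the dmz can never reach the lan. The interface names fxp0/fxp1/fxp2 and the /24 network sizes are assumptions; adjust them to the real box.

```conf
# Assumed interfaces: fxp0 = internet, fxp1 = lan, fxp2 = dmz
# Rules are evaluated top to bottom and "quick" stops at the first match,
# so the dmz -> lan blocks must come BEFORE any "pass ... keep state" rule.
# State-table lookup happens before the rule list, so replies to sessions
# the lan opened toward the dmz still pass; fresh dmz-originated packets do not.

# 1. Drop anything from the dmz network aimed at the lan network, on the
#    interface where it enters (dmz side) and where it would leave (lan side).
block in  log quick on fxp2 from 192.168.10.0/24 to 192.168.1.0/24
block out log quick on fxp1 from 192.168.10.0/24 to 192.168.1.0/24

# 2. Anti-spoofing: a packet arriving on the dmz interface may only carry a
#    dmz source address; a forged lan or internet source is dropped.
block in  log quick on fxp2 from ! 192.168.10.0/24 to any
block in  log quick on fxp1 from ! 192.168.1.0/24  to any

# 3. lan -> dmz services (dns, smtp, http); state covers the replies.
pass in  quick on fxp1 proto tcp from 192.168.1.0/24 to 192.168.10.2 port = 25 flags S keep state
pass in  quick on fxp1 proto tcp from 192.168.1.0/24 to 192.168.10.2 port = 80 flags S keep state
pass in  quick on fxp1 proto tcp from 192.168.1.0/24 to 192.168.10.2 port = 53 flags S keep state
pass in  quick on fxp1 proto udp from 192.168.1.0/24 to 192.168.10.2 port = 53 keep state
pass out quick on fxp2 from 192.168.1.0/24 to 192.168.10.2 keep state

# 4. internet -> dmz services only (never to the lan).
pass in  quick on fxp0 proto tcp from any to 192.168.10.2 port = 25 flags S keep state
pass in  quick on fxp0 proto tcp from any to 192.168.10.2 port = 80 flags S keep state
pass in  quick on fxp0 proto tcp from any to 192.168.10.2 port = 53 flags S keep state
pass in  quick on fxp0 proto udp from any to 192.168.10.2 port = 53 keep state

# 5. dmz -> internet only (e.g. outbound smtp and dns from the dmz host).
pass in  quick on fxp2 proto tcp from 192.168.10.2 to any port = 25 flags S keep state
pass in  quick on fxp2 proto udp from 192.168.10.2 to any port = 53 keep state
pass out quick on fxp0 from 192.168.10.2 to any keep state

# 6. Default deny, logged, so anything not listed above shows up in ipmon.
block in  log all
block out log all
```

After loading the file (ipf -Fa -f /etc/ipf.rules) check with "ipfstat -nio" that the block rules appear first, and watch "ipmon -o I" while repeating the scan from the dmz: every probe toward the lan should be logged as blocked on fxp2.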