You have run nmap from the DMZ?

-----Original Message-----
From: irado furioso com tudo [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 12 February 2002 20:17
To: [EMAIL PROTECTED]
Subject: stuck with FreeBSD and Ipfilter

>I am stuck with a request from a client. A FreeBSD box, with 3 nic's
>appears as:
>
>[internet]----/FreeBSD/------>[lan 192.168.1.2]
>                 ^
>                 |------>[dmz 192.168.10.2]
>
>dmz receives (and replies to) requests for dns/sendmail/apache either from
>internet or from the lan thru the FreeBSD box. What is needed: all and
>ANY packet originated from dmz and destined to lan must be denied
>(drop/reject). The intent is that, even if a bad-boy goes to dmz the
>firewall still will refuse connection originated from this (compromised)
>box to the internal lan.
>I am using ipfilter for this setup.
>note: even changing rules a lot, I am unable to do this. Then I just
>tried to 'block everything for that machine':
>:=== begin
>block in quick from any to 192.168.1.89
>block out quick from any to 192.168.1.89
>block in quick from 192.168.1.89 to any
>:===

A simple line as above would do the trick; ep0 is the interface from the DMZ,
replace with your own:

block in log quick on ep0 from any to any

As ipfilter is stateful you will need some lines like this for keeping the
state of the connection:

pass out on ep0 proto tcp from any to any keep state

>but nmap (from dmz) still shows open ports 22 and 53 on this machine.
>How to effectively BLOCK every packet from dmz to internal lan?? :o(

You have run nmap from the DMZ?

--
regards,
irado furioso com tudo. Linux User (SuSE) 179.402
Faith moves mountains. But tractors are more efficient and demand less
effort from 'faith', that strange department. After all, believe it or not,
the tractor sends the mountain away. As for faith.. where is the map with
the before and after??

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
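An added example ruleset for the three-interface layout in this thread (written here, not by either poster): it applies the reply's block-in-quick plus pass-out-keep-state pattern on the DMZ interface and adds a LAN-side check. Assumptions: ep0 is the DMZ interface (named in the reply), ep1 the LAN interface and ep2 the internet interface; the DMZ and LAN networks are 192.168.10.0/24 and 192.168.1.0/24, and the DMZ hosts only answer requests, never originate them.

```ipf
# Added example ruleset, not from the thread. Assumed interfaces:
# ep0 = DMZ (named in the reply), ep1 = LAN, ep2 = internet.
# Assumed networks: DMZ 192.168.10.0/24, LAN 192.168.1.0/24.
# ipfilter semantics: the state table is consulted before the rules,
# and among rules the LAST match wins unless a rule says "quick".
# Rules for ep1/ep2 beyond the DMZ requirement are not shown.

# --- ep0, traffic leaving the firewall towards the DMZ ---
# Only the published services, with "keep state" so that the DMZ
# host's replies are admitted via the state table rather than by a
# pass-in rule that would also admit DMZ-originated connections.
pass out quick on ep0 proto tcp from any to 192.168.10.0/24 port = 25 keep state
pass out quick on ep0 proto tcp from any to 192.168.10.0/24 port = 80 keep state
pass out quick on ep0 proto tcp from any to 192.168.10.0/24 port = 53 keep state
pass out quick on ep0 proto udp from any to 192.168.10.0/24 port = 53 keep state
block out log quick on ep0 all

# --- ep0, traffic arriving from the DMZ ---
# Replies to the sessions above never reach these lines (state hit).
# A compromised DMZ host gets a logged drop for anything it originates
# towards the LAN; the separate rule makes such attempts stand out in
# the ipmon log. Anything else it originates is dropped as well.
block in log quick on ep0 from 192.168.10.0/24 to 192.168.1.0/24
block in log quick on ep0 all

# --- ep1, defence in depth on the LAN side ---
# Even if the ep0 rules are edited wrongly later, a DMZ-sourced packet
# must never be forwarded out onto the LAN.
block out log quick on ep1 from 192.168.10.0/24 to any
```

Load it with `ipf -Fa -f <rules file>` and confirm the loaded order with `ipfstat -io`; the `log` keyword makes every DMZ-to-LAN drop visible through ipmon, which is also how to confirm that a test scan really came from the DMZ side.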
