David Douthitt wrote:
> 
> I've been working on the firewall again... it seems that most of the
> headaches are coming from DNS.  I have to allow:
> 
> * DNS lookups:
>    1a. from the firewall to an external server (TCP)
>    1b. from the firewall to an external server (UDP)
>    2a. from the inside net to an external server (TCP)
>    2b. from the inside net to an external server (UDP)
>    3a. from outside to the server on the firewall (TCP)
>    3b. from outside to the server on the firewall (UDP)
> * DNS server responses:
>    1a. from the firewall server to outside (TCP)
>    1b. from the firewall server to outside (UDP)
>    2a. from a server outside the firewall to the firewall (TCP)
>    2b. from a server outside the firewall to the firewall (UDP)
>    3a. from a server outside the firewall to the inside (TCP)
>    3b. from a server outside the firewall to the inside (UDP)
> * DNS server to server communications:
>    1a. from the firewall server to an outside server (TCP)
>    1b. from the firewall server to an outside server (UDP)
> 
> See what I mean about headaches?

Writing my firewall rules in a methodical fashion took me
about a month.

Normally I have fewer rules than you list because I let
all the internal traffic into the internal nic, and that
sets me up to only have to let specific traffic in and
out of the external nic, which means either the source or
the destination is always the external IP address.  I forget
whether you have a slew of public IPs that would make this
irrelevant.

I also have fewer rules because I don't run a DNS server
on the firewall.

Why do you have rules 2a and 2b if you run a DNS server on
the firewall (shown by rules 3a and 3b, DNS Lookups section)?

If you allow in all TCP+ACK packets, then you'd have even
fewer rules.

Once you let in UDP, you've let it in for more than
one instance, but I'm too tired to figure out which ones.

You could probably benefit from charting out what you
want to do in a spreadsheet, while following the Castle
book, which has several good examples similar to your setup.
I say that because you really only want to write down your
rules once, and here you've gone and done it but left out the
ports and IPs.

Matthew
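The flows in the quoted list, collapsed into one stateful rule set along the lines Matthew suggests (let replies through by connection state, so only the lookups and the inbound queries to the firewall's own server need explicit rules). This is an added example, not code from this thread or from the LEAF project; it assumes a Linux firewall with iptables and conntrack, and the interface names, external IP and inside network are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or LEAF. Emits (or applies) iptables
# rules for the DNS flows listed in the quoted message.
# Constructed placeholder values; override via the environment.
EXT_IF="${EXT_IF:-eth0}"            # nic facing the outside
INT_IF="${INT_IF:-eth1}"            # nic facing the inside net
EXT_IP="${EXT_IP:-203.0.113.10}"    # the firewall's external address
INT_NET="${INT_NET:-192.168.1.0/24}"
MODE="${1:-dry}"                     # "dry" prints rules, "apply" runs them

# Print one rule per line, or run it in apply mode. Dry run first so the
# rule set can be reviewed (or checked against a spreadsheet) before use.
emit() {
    if [ "$MODE" = "apply" ]; then iptables "$@"; else echo "iptables $*"; fi
}

dns_rules() {
    # These three replace every line of the "DNS server responses" section:
    # a reply belongs to a query the firewall already saw, for UDP as well
    # as TCP, because conntrack tracks UDP "connections" by 5-tuple too.
    emit -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for proto in udp tcp; do
        # Lookups 1a/1b and server-to-server 1a/1b: firewall -> outside.
        # Source pinned to the external IP, as Matthew describes.
        emit -A OUTPUT -o "$EXT_IF" -s "$EXT_IP" -p "$proto" --dport 53 \
             -m conntrack --ctstate NEW -j ACCEPT
        # Lookups 2a/2b: inside net -> outside resolver, forwarded through.
        emit -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -p "$proto" \
             --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        # Lookups 3a/3b: outside -> the DNS server running on the firewall.
        emit -A INPUT -i "$EXT_IF" -d "$EXT_IP" -p "$proto" --dport 53 \
             -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Number of rules the set needs; handy for comparing against a hand list.
count_rules() { dns_rules | wc -l | tr -d ' '; }

dns_rules
```

Compare the nine emitted lines with the fourteen flows in the quoted list: the six response flows vanish into the three state rules, and the remaining lookups differ only by protocol, interface and direction.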

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-devel