> I'm running the latest Dachstein release, and step by step everything I need
> is working.
>
> A question about the ipfilter.conf:
> Am I right that I have to change this file if I want to change firewall
> rules?

Only if what you want can't be done using the supported variables in
network.conf, or customized with the /etc/ipchains.[input|forward|output]
files.

> In the first lines I can read "this is an example script for
> masquerading..."

A comment left over from who knows how long ago...this is no longer an
accurate description of the file :)

> Questions:
> Where can I read what this example script allows and disallows?
> Are there perhaps some "templates" for the following tasks:
>
>                             WAN
>                              |(public IP)
>                       ---------------
>                       | DSL-R (NAT) |
>                       ---------------
>                              |.0.1
>            ------------------------------------------
>                |.0.3                          |.0.2
>           -----------               ---------------------
>           |         |               |                   |
>           |   SRV   |               |        LRP        |
>           |         |               |                   |
>           -----------               ---------------------
>                                      |.1.1    |.2.1    |.3.1
>                                    -----    -----    -----
>
> 1 eth0 connected to a DSL-Router (10.0.0.0/24)
>    -The DSL-Router has the public IP on its WAN port
>     and makes NAT for the net(s) behind it
>
> 3 internal ports:
>    -eth1 (10.0.1.0/24)
>    -eth2 (10.0.2.0/24)
>    -eth3 (10.0.3.0/24)
>    All these internal nets should have access to
>    -the internet (DSL-WAN)
>    -the machine called SRV
>    but should not be able to access another internal net.

This is a fairly straightforward configuration.  Add each of your internal
networks to the INTERN_NET variable:

INTERN_NET="10.0.1.0/24 10.0.2.0/24 10.0.3.0/24"

The internal nets will *NOT* be able to see each other unless you explicitly
create forwarding rules to allow it (typically in /etc/ipchains.forward).

Since your external IP is in private IP space, you'll also need to comment out
the line in ipfilter.conf that blocks external packets from the 10.0.0.0/8
network...this is a FAQ.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
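The reply above says the internal nets are already isolated from each other by default. The following is an added example, not code from the Dachstein package or from the reply, that makes that isolation explicit and logged: it generates one ipchains DENY rule per ordered pair of distinct internal nets from the INTERN_NET list, so any attempt to cross between 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 is dropped at the head of the forward chain and recorded in syslog. It assumes (not stated on the page) that such a fragment would be sourced from /etc/ipchains.forward after network.conf has set INTERN_NET, and it adds an IPCHAINS variable that can be pointed at "echo" for a dry run.

```shell
#!/bin/sh
# Added example (not from the Dachstein package or the reply above): explicit,
# logged DENY rules between the internal nets, generated from INTERN_NET.
# Assumptions not stated on the page: this is sourced from /etc/ipchains.forward
# after network.conf has set INTERN_NET, and IPCHAINS may be set to "echo" for a
# dry run that only prints the rules.

INTERN_NET="${INTERN_NET:-10.0.1.0/24 10.0.2.0/24 10.0.3.0/24}"
IPCHAINS="${IPCHAINS:-ipchains}"

# Emit one rule per ordered pair of distinct internal nets.  The rules are
# inserted (-I) at the head of the forward chain so that nothing appended later
# can accidentally allow inter-net traffic; -l logs every denied packet.
isolation_rules() {
    for src in $INTERN_NET; do
        for dst in $INTERN_NET; do
            [ "$src" = "$dst" ] && continue
            echo "-I forward -s $src -d $dst -j DENY -l"
        done
    done
}

# Load the rules (with IPCHAINS=echo this only prints the commands).
load_rules() {
    isolation_rules | while read -r rule; do
        # Word splitting of $rule into separate arguments is intended here.
        # shellcheck disable=SC2086
        "$IPCHAINS" $rule
    done
}
```

With three nets this yields six DENY rules. After loading them, a quick check that does not need a second host is ipchains' rule checker, e.g. `ipchains -C forward -i eth1 -p tcp -s 10.0.1.5 1025 -d 10.0.2.5 80`, which should print "denied", while the same check towards 10.0.0.3 (SRV) should not hit these rules at all.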


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user