At 11:31 AM 7/31/02 +1000, [EMAIL PROTECTED] wrote:
>Hi all,
>I've got a couple of quick questions (no-brainers for the pros) that I
>need a hand answering, I figured it easier to wait a while to get a list of
>questions that hopefully you can all help me out with...
Actually, this is such a hodgepodge of questions that I doubt you will find
any one person here who can answer them all. So saving them up may not be
the best strategy.
>I'm running eiger static with a "bastardised" (if there is such a word)
>version of the extended scripts.
Eiger-static is pretty old. Eiger's original developer, Matthew Grant, is
long gone from the LEAF scene (actually, he never was part of LEAF), and
its packager, Charles Steinkuehler, has replaced it with Eigerstein, then
Dachstein. You may have trouble getting *specific* help for this version.
You probably have some long-forgotten security holes as well.
>The LRP box is a proud addition to the network with it quite happily
>chugging along hosting 30 internal PCs, 15 odd servers sitting in the DMZ,
>10M Microwave connection with a class c on the live side of things. It
>truly is amazing what such a simple setup can handle.
>
>Anyway on with the questions..
>
>1. Is there a package out there that can monitor the syslog (or denied
>rules) to maybe send an email out when certain types of packets get denied
>(hmm not at packet level more like if say there is activity on port 23 of a
>certain IP, that is being denied then send an email)
I'm sure there is not one specifically for Eiger, and I don't know of one
generally. Nor could I find one with a quick search. But negatives here are
never final; perhaps someone else will know of one.
>[skipping items 2 and 3]
>4. If I wish to see all ruleset denies etc I gather I have to add -l to all
>my deny firewall rules in ipfilter.conf, is that correct?
Almost correct. You may also have to add general DENY rules at the end of
each chain, IFF the chain has a DENY policy, since the policy decision
cannot be logged, only the actions of specific rules.
>5. How do I deny icmp (ping) on all my external IP's? I know it's in the
>extended scripts but I can't find the rule that denies, all I can find is
>there....
>$IPCH -A input -j DENY -p icmp --icmp-type timestamp-request -l
>$IPCH -A input -j DENY -p icmp --icmp-type timestamp-reply -l
Try this:
$IPCH -A input -j DENY -p icmp -i eth0 -l
(assuming your external interface is eth0). There are other ways to do it
too, but this should work and is the simplest to write.
>6. Ok this one will take a little bit to explain..
>I have a win2k network (2k server, 2k clients etc, on a domain running
>active directory and so on) The firewall is setup to handle the connection
>to the internet, and protect the servers in the DMZ.
>Some of the internal people are running their own ftp server (setup for
>passive mode only) ie the boss ;o), at the moment I have put in some rules
>to manually handle this..
>eg: $IPCH -A input -p tcp -s 10.0.10.30 -d 0/0 13600:13649 -j ACCEPT
> $IPCH -A input -p tcp -s 0/0 13600:13649 -d 10.0.10.30 -j ACCEPT
> $IPMASQADM autofw -A -r tcp 13600 13649 -h 10.0.10.30
>and of course I'm forwarding port 21 to his machine.
>I wish to be able to run the DHCP server package on my firewall, but how do
>I handle mapping a LIVE ip to the internal DHCP assigned IP? (As in the
>boss's IP might change as DHCP leases expire and renew, how do I write
>rulesets so that I'm mapping the LIVE hardcoded IP to the assigned DHCP IP?)
This is a tough one. As a general rule, servers should not have
dynamically-assigned addresses. Your best bet is to use the DHCP server to
assign static addresses to the hosts that need this mapping, using the
ability most DHCP servers have (I don't recall what DHCP server
Eiger-static used) to assign IP addresses by MAC address, bootp style.
The EchoWall firewalling package was written to handle this general sort of
problem, but not for arbitrary ranges of ports. And I'm uncertain if it
would run on Eiger. Still, you might look at it and see if you can adapt it
to your needs.
--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA [EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
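Added example (not from the original thread or from any LEAF package): the kind of log watcher question 1 asks for, parsing the ipchains "Packet log:" lines that -l rules write to syslog and building an email-style alert when DENY entries for a given address and port cross a threshold. The sample log lines are constructed in that format using documentation addresses; sending the text via sendmail is assumed to be done by the caller.

```python
import re
from collections import Counter

# ipchains "Packet log:" prefix written to the kernel log by rules carrying -l.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jul 31 11:31:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4021 198.51.100.10:23 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#5)
Jul 31 11:31:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4022 198.51.100.10:23 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#5)
Jul 31 11:31:03 fw kernel: Packet log: input DENY eth0 PROTO=1 203.0.113.9:8 198.51.100.10:0 L=84 S=0x00 I=12347 F=0x0000 T=64 (#7)
Jul 31 11:31:04 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 203.0.113.9:1025 198.51.100.10:80 L=60 S=0x00 I=12348 F=0x4000 T=64 SYN (#2)
Jul 31 11:31:05 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4023 198.51.100.10:23 L=60 S=0x00 I=12349 F=0x4000 T=64 SYN (#5)
"""

def parse_line(line):
    """Return the logged fields as a dict, or None for non-ipchains lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def denied_hits(log_text, dst_ip, dport, proto=6):
    """Count DENY entries per source address for traffic to dst_ip:dport."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["action"] == "DENY" and rec["proto"] == proto
                and rec["dst"] == dst_ip and rec["dport"] == dport):
            hits[rec["src"]] += 1
    return hits

def build_alert(hits, dst_ip, dport, threshold=3):
    """Email-style alert text for sources at/above threshold, else None."""
    offenders = {src: n for src, n in hits.items() if n >= threshold}
    if not offenders:
        return None
    body = [f"Subject: firewall DENY activity on {dst_ip}:{dport}", ""]
    body += [f"{src} denied {n} times" for src, n in sorted(offenders.items())]
    return "\n".join(body)
if __name__ == "__main__":  # pipe this text to sendmail instead of printing
    print(build_alert(denied_hits(SAMPLE_LOG, "198.51.100.10", 23), "198.51.100.10", 23))
```

Run it from cron against the tail of the kernel log; on a DENY-policy chain remember that only explicit -l rules produce these lines, as noted in the answer to question 4.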