Hi,
It is really difficult to reply to your question because you do not
give us enough details of your configuration. For example, what kind of
network are you speaking about? Does your internal network have a routable
IP address pool? Are you using non-routable addresses?
For my part, what I have understood is that masquerading must (in most
cases) only be used in one way:

Internet <============> Firewall <============> Localnetwork
10.0.0.1        10.0.0.2        192.168.1.1     192.168.1.2

i.e. masquerading in the "Firewall to the world" direction.
Otherwise, if you also masquerade in the "Firewall => Localnetwork" direction,
Localnetwork receives packets from the firewall, but it never requests anything
from this host. It only requests something from a host on the Internet
(the source address of the packet). So you should change your
"ipfwadm -F -a m -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0"
into "ipfwadm -F -a m -P tcp -S 192.168.1.0/24 -D 0.0.0.0/0".
Another thing to keep in mind: try to apply your rules to a specific
interface, as it is far more secure! You should use a drawing like this one
(I have seen a very nice one on a web page, but I do not remember where...):
              ---------------------------------------------
              |Firewall                                   |
              |                                           |
-----------   | (1)   ------ (3)       (5) ------ (7)     |   ----------------
|         |   |==In=> |    | =Out=> ==In=> |    | =Out=>  |   |              |
|Internet |   |       |eth0|               |eth1|         |   | LocalNetwork |
|         |   |<=Out= |    | <=In== <=Out= |    | <=In==  |   |              |
-----------   | (2)   ------ (4)       (6) ------ (8)     |   ----------------
              |                                           |
              ---------------------------------------------
I did not include the local (loopback, 127.0.0.1) interface, to keep it clear. But you can
see that in this simple configuration there are 8 places (from (1) to (8))
where you can apply filters...
Regards,
Loic.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
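The two points made in the reply above (masquerade only traffic whose source is the local network, and bind the rule to an interface) can be checked without a 2.0 kernel. The following is an added example, not code from the original message or from ipfwadm: it models a masquerade rule as a source/destination prefix match plus an optional interface, and runs constructed packets through it using the addresses from the reply's diagram. The interface names eth0/eth1 and the "interface the packet arrived on" semantics are this example's own assumptions, not a claim about how ipfwadm's -W option behaves.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    """A packet seen by the forwarding code of the firewall."""
    src: str
    dst: str
    iface: str            # interface the packet arrived on (assumed: eth0 or eth1)
    proto: str = "tcp"


@dataclass(frozen=True)
class MasqRule:
    """Loosely models 'ipfwadm -F -a m -P <proto> -S <src> -D <dst>' with an
    optional incoming-interface restriction (an assumption of this example)."""
    src: str
    dst: str
    proto: str = "tcp"
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # strict=False mirrors what a mask does on a real filter: host bits
        # outside the prefix length are ignored, so a source of 192.168.1.0/0
        # is exactly the same rule as 0.0.0.0/0 and matches every address.
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        if self.proto != "all" and pkt.proto != self.proto:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        return (ipaddress.ip_address(pkt.src) in src_net
                and ipaddress.ip_address(pkt.dst) in dst_net)


def masqueraded(rules: Sequence[MasqRule], pkt: Packet) -> bool:
    """True if any rule would masquerade this packet (first match wins,
    and all rules here are masquerade rules, so 'any' is enough)."""
    return any(rule.matches(pkt) for rule in rules)


# Constructed traffic, using the addresses from the reply's diagram:
# Internet host 10.0.0.1, firewall 10.0.0.2 / 192.168.1.1, local host 192.168.1.2.
LAN_TO_INTERNET = Packet(src="192.168.1.2", dst="10.0.0.1", iface="eth1")
INTERNET_TO_LAN = Packet(src="10.0.0.1", dst="192.168.1.2", iface="eth0")
# A packet from the Internet side that claims a local source address.
SPOOFED_ON_ETH0 = Packet(src="192.168.1.5", dst="10.0.0.1", iface="eth0")

RULE_ANY_SRC = [MasqRule("0.0.0.0/0", "0.0.0.0/0")]          # the original rule
RULE_ZERO_MASK = [MasqRule("192.168.1.0/0", "0.0.0.0/0")]    # /0 still means "any"
RULE_LAN_SRC = [MasqRule("192.168.1.0/24", "0.0.0.0/0")]     # local sources only
RULE_LAN_IFACE = [MasqRule("192.168.1.0/24", "0.0.0.0/0", iface="eth1")]


def report(rules: Sequence[MasqRule]) -> dict:
    """Which of the three constructed packets a rule set would masquerade."""
    return {
        "lan_to_internet": masqueraded(rules, LAN_TO_INTERNET),
        "internet_to_lan": masqueraded(rules, INTERNET_TO_LAN),
        "spoofed_on_eth0": masqueraded(rules, SPOOFED_ON_ETH0),
    }


if __name__ == "__main__":
    for name, rules in [("any source", RULE_ANY_SRC),
                        ("192.168.1.0/0", RULE_ZERO_MASK),
                        ("192.168.1.0/24", RULE_LAN_SRC),
                        ("192.168.1.0/24 on eth1", RULE_LAN_IFACE)]:
        print(f"{name:24s} {report(rules)}")
```

The run shows the reply's point: a source of 0.0.0.0/0 (or 192.168.1.0/0, which is the same thing) also rewrites unsolicited packets arriving from the Internet, a /24 source restricts masquerading to traffic that really originates on the LAN, and only the interface-bound rule refuses a packet that arrives on the Internet side carrying a forged 192.168.1.x source.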