At 10:39 PM 1/28/99 +0000, Tim Fletcher wrote:
>> I run on the ipmasqed firewall:
>> /sbin/ipchains -D input -j ACCEPT -p tcp -y -s 0.0.0.0/0 20 -d myip 60000:65535
>> and then I can't ls a dir on sunsite
> ^^
>Sorry bad typing day :)
>
I believe he was referring to the machine doing the masq'ing, not the
clients being masq'd...
if you use:
# address of the outside interface (assumes it is eth0)
LOCALIP=`ifconfig eth0 | awk '/inet addr/ {print substr($2,6)}'`
ALL="0.0.0.0/0"
LAN=192.168.1.0/24
# forward nothing by default, then masquerade the LAN to anywhere
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -j MASQ -s $LAN -d $ALL
# masq timeouts in seconds: tcp, tcp-fin, udp
/sbin/ipchains -M -S 7200 10 7200
# (an input policy of DENY is assumed here; with the default ACCEPT policy
# the rules below restrict nothing)
/sbin/ipchains -A input -p ICMP -s $ALL -d $LOCALIP -j ACCEPT
/sbin/ipchains -A input -i lo -j ACCEPT
# accept inbound TCP to unprivileged ports only when it is not a SYN,
# i.e. a reply to a connection this box opened itself
/sbin/ipchains -A input -p TCP \! -y -d $ALL 1024: -j ACCEPT
you have to use Passive transfers for the firewall box. Allowing port 20 to
connect to ports above 65000 won't work for the firewall box, but will for
everyone behind it, since the port command will always be going to 65000+
for MASQ'd clients. Of course this would also allow someone to run a
backdoor on ports above 65000 on your firewall box...
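To make the reasoning in the paragraph above concrete, here is a small first-match evaluator for the input chain, written as an added example for this thread (it is not code from the post). It models only the matching primitives the two rules use (protocol, source/destination port range, SYN flag), parses the port out of an FTP PORT command, and shows three things: active FTP from the firewall box itself is denied by the "not SYN to 1024:" rule (so passive mode is required), a masq'd client's rewritten PORT lands in the high range the quoted rule admits, and that same rule admits an unsolicited SYN from source port 20 to any other high-port listener on the firewall. The addresses, ports and PORT arguments are constructed sample values; the masquerade port used (65002) follows the thread's "65000+" description rather than a kernel constant.

```python
"""Toy first-match model of the ipchains input chain discussed in the thread.

Added example, not code from the thread. Protocol, port ranges and the SYN
flag are the only match criteria modelled; addresses are ignored because
both rules in the thread use 0.0.0.0/0 on the side that matters.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool  # True for a connection-initiating SYN (what ipchains -y matches)


@dataclass(frozen=True)
class Rule:
    target: str                        # "ACCEPT" or "DENY"
    proto: Optional[str] = None        # None matches any protocol
    sport: Tuple[int, int] = (0, 65535)
    dport: Tuple[int, int] = (0, 65535)
    syn: Optional[bool] = None         # None: don't care; True: -y; False: ! -y

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and self.proto != p.proto:
            return False
        if not (self.sport[0] <= p.sport <= self.sport[1]):
            return False
        if not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn is not None and self.syn != p.syn:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "DENY") -> str:
    """First matching rule wins, as in ipchains; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy


# The poster's rule:  ipchains -A input -p TCP ! -y -d 0.0.0.0/0 1024: -j ACCEPT
NON_SYN_HIGH = Rule("ACCEPT", proto="tcp", dport=(1024, 65535), syn=False)
# The quoted rule:    ipchains -A input -p tcp -y -s 0.0.0.0/0 20 -d myip 60000:65535 -j ACCEPT
SPORT20_HIGH = Rule("ACCEPT", proto="tcp", sport=(20, 20), dport=(60000, 65535), syn=True)

FIREWALL_CHAIN = [NON_SYN_HIGH]                 # ICMP and lo rules omitted
PERMISSIVE_CHAIN = [SPORT20_HIGH, NON_SYN_HIGH]  # with the sport-20 allowance added


def parse_port_command(arg: str) -> int:
    """Return the data port announced by an FTP 'PORT h1,h2,h3,h4,p1,p2' argument."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or not all(0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    return fields[4] * 256 + fields[5]


def data_connection_verdict(chain: List[Rule], port_arg: str) -> str:
    """Verdict for the server's active-mode data SYN (from port 20) to the announced port."""
    return evaluate(chain, Packet("tcp", 20, parse_port_command(port_arg), True))


if __name__ == "__main__":
    # Constructed sample PORT arguments (192.0.2.x is a documentation address).
    from_firewall = "192,0,2,1,4,26"      # port 1050: a local ephemeral port on the box
    from_masqd = "192,0,2,1,253,234"      # port 65002: rewritten into the masq range
    print("firewall box, active FTP:", data_connection_verdict(FIREWALL_CHAIN, from_firewall))
    print("masq'd client, sport-20 rule:", data_connection_verdict(PERMISSIVE_CHAIN, from_masqd))
    # The same allowance admits an unsolicited SYN aimed at an unrelated high port.
    print("unsolicited sport-20 SYN to 60001:",
          evaluate(PERMISSIVE_CHAIN, Packet("tcp", 20, 60001, True)))
```

The last case is the caveat from the post: because the quoted rule keys only on source port 20 and a destination range, any peer that binds source port 20 can complete a handshake with whatever listens in 60000-65535 on the firewall itself. Keeping the box on passive transfers and leaving the chain at the "not SYN" rule means no inbound SYN is ever accepted there, which is the simpler thing to audit.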