On Tue, 9 Jul 2002 06:34:32 -0500
"David A. Bandel" <[EMAIL PROTECTED]> wrote:

> On Tue, 9 Jul 2002 02:32:29 -0400
> begin  Joel Hammer <[EMAIL PROTECTED]> spewed forth:
> 
> > It has been so long since I set up my firewall I have forgotten why I
> > did this, so :
> > 
> > Here are two typical rules from my firewall (ipchains). Note that with
> > one, the target ip is 0.0.0.0, and with the other the target is
> > 68.36.44.105, which is the ip of the machine running the firewall.
> > eth1 is the external NIC facing the cable modem.
> > 
> > target      tosa tosx  ifname source          destination        ports
> > 
> > ACCEPT udp  0xFF 0x00  eth1   198.82.161.227  0.0.0.0      * ->   123
> > ACCEPT udp  0xFF 0x00  eth1   198.82.162.213  68.36.44.105 * ->   123
> > 
> > I have used 68.36.44.105 in a number of destinations in my ipchain
> > rules instead of 0.0.0.0, as noted above.  As far as I can see, these
> > rules are equivalent, since my NIC, which is configured as
> > 68.36.44.105, will not look at packets not addressed to it, at least
> > under ordinary circumstances.
> 
> The above is "your system to Internet on ntp port (123)", the next rule
> is "Internet to your system on ntp port".

Not quite.  The first one is your system to Anywhere for NTP.  The second
rule is another machine to the outside of the firewall on NTP and has no
business being there unless your firewall is going to provide NTP to this
other machine.

> 
> But I really suggest you start looking at iptables instead of this
> dinosaur.
> 
This I totally agree with.

If you MUST stick with IPChains, you may consider designating a box to be
the NTP server for the inside.  Then your rules would look like:

udp     NTPBOX:123      ->      0.0.0.0:123
udp     0.0.0.0:123     ->      NTPBOX:123

Then everyone else should be able to talk to the internal box.
But really, what's the point of a firewall if you're not going to use
connection-tracking which IPChains doesn't give you?  Use IPTables.
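As an added illustration (not part of the thread or of anyone's posted rules), the NTP policy sketched above written for iptables, where connection tracking admits only replies to queries that actually went out instead of the static two-way holes ipchains needs. NTPBOX, the interface names and the address are placeholders; IPT defaults to "echo" so the script only prints the commands until it is run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the thread.  IPT=echo makes this a dry run that
# prints the rules; set IPT=iptables (as root) to actually load them.
IPT="${IPT:-echo}"
EXT_IF="${EXT_IF:-eth1}"            # external NIC facing the cable modem
INT_IF="${INT_IF:-eth0}"            # assumed name of the internal NIC
NTPBOX="${NTPBOX:-192.168.1.10}"    # placeholder: the designated internal NTP box

ntp_rules() {
    # The firewall host itself may query upstream NTP servers; replies are
    # accepted only when conntrack already knows the outgoing query.
    $IPT -A OUTPUT -o "$EXT_IF" -p udp --dport 123 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$EXT_IF" -p udp --sport 123 \
         -m state --state ESTABLISHED -j ACCEPT

    # Forward NTP for NTPBOX only.  No rule opens udp/123 from "anywhere"
    # inbound; the reply path exists solely as an ESTABLISHED match.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$NTPBOX" -p udp --dport 123 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$NTPBOX" -p udp --sport 123 \
         -m state --state ESTABLISHED -j ACCEPT
}

# Self-check helpers: every emitted rule must carry a state match, and no
# rule may accept inbound NTP with an unrestricted destination.
stateful_rule_count() {
    ntp_rules | grep -c -- '--state'
}

unrestricted_inbound_count() {
    ntp_rules | grep -c -- '-A INPUT .*--dport 123'
}

ntp_rules
```

The other internal hosts then sync against NTPBOX rather than through the firewall, exactly as the reply suggests.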
_______________________________________________
Linux-users mailing list - http://linux-sxs.org/mailman/listinfo/linux-users
Subscribe/Unsubscribe info, Archives, and Digests are located at the above URL.