/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


I have a client with a 2.0.x Kernel-based Linux f/w with MASQ. Whoever set
it up for him put in the basic rules and has effectively set it up as a
router. I need to make it more secure for him and have found much of what I
need from the various FAQs, etc., but I'm stuck on one minor problem.

He needs to allow anyone to connect via SMTP into a mail server behind the
firewall but limit access to port 799 (Remotely Possible), port 21 (FTP) and
port 1433 (SQL Server) to a particular class-C address space.

Currently his rc.firewall has the following lines:

# Forward chain: deny by default, masquerade everything from the internal LAN
ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0

# Port forwarding: clear the table, then map external TCP ports to internal hosts
/usr/local/sbin/ipportfw -C
/usr/local/sbin/ipportfw -A -t207.102.179.130/21 -R 192.168.0.60/21      # FTP
/usr/local/sbin/ipportfw -A -t207.102.179.130/25 -R 192.168.0.62/25      # SMTP
/usr/local/sbin/ipportfw -A -t207.102.179.130/799 -R 192.168.0.60/799    # Remotely Possible
/usr/local/sbin/ipportfw -A -t207.102.179.130/1433 -R 192.168.0.60/1433  # SQL Server

If I want to limit access to ports 21, 799 and 1433 to say the Class-C
address space 209.53.1.0/24 (not the actual address space), how do I set
this up using IPPORTFW or IPFWADM? As far as I can tell, IPPORTFW doesn't
allow for an input address range. Can I do this with some "-I" rules to
IPFWADM?

Also, the SQL Server port number of 1433 is in the dynamic range of
1023-65535 (thanks to Microsoft), and I've read that this can end up being
accepted because of the way that MASQ works. Any help here would be
appreciated.

Thanks in advance,

Fred D. Brown
Technology Consultant

Marcom Technologies
337 Rio Drive South
Kelowna, BC V1V 2B1

Phone: (250) 868-9352
Fax: (250) 868-9362

Email: [EMAIL PROTECTED]
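The policy asked for above (SMTP open to everyone, ports 21, 799 and 1433 only from one class C, everything else denied) can be expressed as ipfwadm input-chain rules, and because ipfwadm evaluates a chain in order and the first matching rule decides, the ordering is the part worth checking before it goes into rc.firewall. The Python below is an added example, not code from the original post or from the masq list: it models that first-match evaluation against constructed sample packets and renders the same rules as `ipfwadm -I` lines. The external address 207.102.179.130 and the placeholder class C 209.53.1.0/24 come from the post; the interface name `eth0` is an assumption. One caveat to verify on the box itself: whether the input chain sees the external address or the already-rewritten internal address on port-forwarded packets depends on where the 2.0 kernel applies the port-forwarding rewrite, so the `-D` address in the rendered rules may need to be the internal host instead.

```python
"""Model of an ipfwadm -I chain (first match wins, then the default policy).
Added example for checking a 2.0.x MASQ firewall policy; not from the post."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

EXT_IF = "eth0"                  # assumed name of the outside interface
EXT_IP = "207.102.179.130"       # external address used in the post
ALLOWED_NET = "209.53.1.0/24"    # placeholder class C from the post
RESTRICTED_PORTS = (21, 799, 1433)


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string; a bare address becomes a /32."""
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                     # "accept" or "deny"
    proto: str                      # "tcp", "udp" or "all"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Tuple[int, ...] = ()    # () matches any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return (self.proto in ("all", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (not self.dports or dport in self.dports))

    def to_ipfwadm(self, iface: str) -> str:
        """Render as an ipfwadm input-chain rule (-W ties it to one interface)."""
        line = (f"ipfwadm -I -a {self.action} -P {self.proto} -W {iface} "
                f"-S {self.src.with_prefixlen} -D {self.dst.with_prefixlen}")
        if self.dports:
            line += " " + " ".join(str(p) for p in self.dports)
        return line


# Order matters: the class-C accept must come before the catch-all deny,
# and the default policy catches anything no rule names.
INPUT_POLICY = "deny"
INPUT_RULES: List[Rule] = [
    Rule("accept", "tcp", net(ALLOWED_NET), net(EXT_IP), RESTRICTED_PORTS),
    Rule("deny", "tcp", net("0.0.0.0/0"), net(EXT_IP), RESTRICTED_PORTS),
    Rule("accept", "tcp", net("0.0.0.0/0"), net(EXT_IP), (25,)),
]


def input_verdict(proto: str, src: str, dst: str, dport: int,
                  rules=INPUT_RULES, policy: str = INPUT_POLICY) -> str:
    """First matching rule decides; otherwise the chain's default policy."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return policy


def render_rules(rules=INPUT_RULES, policy: str = INPUT_POLICY,
                 iface: str = EXT_IF) -> List[str]:
    """Flush the input chain, set its policy, then append the rules in order."""
    lines = ["ipfwadm -I -f", f"ipfwadm -I -p {policy}"]
    lines += [r.to_ipfwadm(iface) for r in rules]
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules()))
    # Constructed sample packets: (proto, source, destination, dest port)
    samples = [
        ("tcp", "198.51.100.9", EXT_IP, 25),     # SMTP from anywhere
        ("tcp", "209.53.1.40", EXT_IP, 1433),    # SQL from the allowed class C
        ("tcp", "198.51.100.9", EXT_IP, 1433),   # SQL from elsewhere
        ("tcp", "209.53.2.40", EXT_IP, 21),      # FTP from a neighbouring /24
        ("udp", "209.53.1.40", EXT_IP, 1433),    # wrong protocol
    ]
    for pkt in samples:
        print(pkt, "->", input_verdict(*pkt))
```

Running it prints the five rendered ipfwadm lines followed by one verdict per sample packet. Swapping the first two rules would silently turn the class-C accept into a no-op, which is the kind of mistake this check is meant to catch before the rules reach the firewall. On the 1433 worry: the 2.0 masquerading code allocates its ports from 61000 to 65096 by default, so any allowance for masqueraded return traffic can be written for that range rather than the whole 1024-65535 span, which leaves 1433 outside it.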

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.