Stuart Norman wrote:
> There are a few things that are unclear in all the documentation on
> firewalling and masquerading that if they had been stated clearly I would
> have had my network up and running a lot sooner and without the headaches.
>
> First, if your external interface is ppp, then you must not start the
> firewall/masquerading on bootup or before the ppp interface is initialized.
> The only way that the firewall can get the correct dynamic IP address is
> after it has been assigned. The firewall rules are static, and if it cannot
> find the interface when initialized, it will not find it later.
this is dangerous advice. the correct time to start the firewall is once,
before the relevant interface(s) is up and once again, after the interface
is up. the first time (since you don't have an address yet), use 0/0 to
refer to the external interface. after the interface is up, you can use
its real dynamic IP address.
if you don't do this, there is a race condition between the time that the
interface is brought up and the time that the firewall is up and running.
in between these two times, if you have no firewall, then there is a window
of opportunity in which an attacker can get packets in. there probably won't
be enough time for them to do anything more sophisticated than crashing your
system but that's bad enough.
raf
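The two-phase start raf describes, written out as a script. This is an added example, not code from the original post or from either poster: the same rule builder runs once at boot with 0/0 as the external address, and once more from /etc/ppp/ip-up with the address pppd has just assigned. The ipchains rule syntax, the interface names ppp0 and eth0, and the LAN 192.168.1.0/24 are illustrative assumptions; the ip-up argument order (interface name first, local IP address fourth) is the one pppd documents. By default the script only prints the rules it would apply, so it can be inspected without touching a live box.

```shell
#!/bin/sh
# Added example: two-phase firewall start for a dynamic ppp link.
# Phase 1 (boot, before pppd): external address unknown, so rules use 0/0.
# Phase 2 (/etc/ppp/ip-up): rebuild the same rules with the real address.
# ASSUMPTIONS (not from the post): ipchains syntax, ppp0 external,
# eth0 internal, LAN 192.168.1.0/24.  Set APPLY=yes to really run ipchains.

LAN=192.168.1.0/24
INT_IF=eth0

# fw: apply a rule for real, or print it (default) for review/testing
fw() {
    if [ "${APPLY:-no}" = yes ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# build_rules IFACE EXT_ADDR: complete rule set for one external address.
# Flushing first means the same function serves both phases.
build_rules() {
    iface=$1
    ext=$2

    fw -F input
    fw -F forward
    fw -P input DENY
    fw -P forward DENY

    # loopback and the trusted LAN side
    fw -A input -i lo -j ACCEPT
    fw -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # anti-spoofing: nothing claiming a LAN source may arrive from outside
    fw -A input -i "$iface" -s "$LAN" -j DENY -l

    # replies to our own outbound connections: unprivileged ports on the
    # external address only; "! -y" rejects new inbound TCP connections
    fw -A input -i "$iface" -d "$ext" 1024:65535 -p tcp ! -y -j ACCEPT
    fw -A input -i "$iface" -d "$ext" 1024:65535 -p udp -j ACCEPT

    # log and drop everything else that arrives on the external interface
    fw -A input -i "$iface" -j DENY -l

    # masquerade the LAN out through the ppp link
    fw -A forward -s "$LAN" -j MASQ
}

# boot_phase: call from the init scripts *before* pppd starts.  There is
# no address yet, so 0/0 stands in for the external interface; the box is
# never up without a ruleset in place.
boot_phase() {
    build_rules ppp0 0/0
}

# ipup_phase IFACE LOCAL_IP: call from /etc/ppp/ip-up as
#     ipup_phase "$1" "$4"
# pppd invokes ip-up with: interface-name tty-device speed local-IP remote-IP ipparam
ipup_phase() {
    build_rules "$1" "$2"
}

# Demonstration with a constructed address (10.9.8.7 is not a real assignment).
echo "# phase 1 (boot):"
boot_phase
echo "# phase 2 (ip-up):"
ipup_phase ppp0 10.9.8.7
```

To wire it in, the init scripts run `boot_phase` before pppd is started, and /etc/ppp/ip-up contains a line equivalent to `ipup_phase "$1" "$4"`. The interval between the two runs is covered by the 0/0 rules, which is what closes the window raf warns about.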
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.