OK, I have tried to set up my own rules with ipfwadm. Those are the ones
I use right now and afaics they work. Now, I'd like to have opinions
from more experienced guys :)
--- firewall.new
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Address currently assigned to ppp0 (second line of ifconfig output,
# "inet addr:A.B.C.D ..."). If ppp0 is down this is empty and the rules
# that use $IP fail to load; the deny policies below still hold.
IP=`ifconfig ppp0 | head -2 | tail -1 | cut -f2 -d: | cut -c1-15 | cut -d' ' -f1`
LOCALNET=10.0.0.0/8
ANYWHERE=0.0.0.0/0
# Forwarding rules, default = deny
ipfwadm -F -f
ipfwadm -F -p deny
# Forward all packets from the internal net, whatever their destination,
# and masquerade them
ipfwadm -F -a masquerade -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
# Is this one any useful?
ipfwadm -F -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
# Catch-all: same result as the default policy, but -o logs each denied packet
ipfwadm -F -a deny -S $ANYWHERE -D $ANYWHERE -o
# Incoming packets, default = deny
ipfwadm -I -f
ipfwadm -I -p deny
# Accept all packets arriving at local interface, whatever their
# destination
ipfwadm -I -a accept -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
# Accept all packets arriving at remote interface as long as their
# destination is the address of this interface
ipfwadm -I -a accept -V $IP -S $ANYWHERE -D $IP/32
# loopback interface - same Q as above
ipfwadm -I -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
# Catch-all with logging
ipfwadm -I -a deny -S $ANYWHERE -D $ANYWHERE -o
# Outgoing packets, default = deny
ipfwadm -O -f
ipfwadm -O -p deny
# Accept all packets leaving through the remote interface as long as their
# source address is the one of the remote interface itself
ipfwadm -O -a accept -V $IP -S $IP/32 -D $ANYWHERE
# Accept all packets leaving through the local interface, whatever their
# destination
ipfwadm -O -a accept -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
# loopback interface, same Q
ipfwadm -O -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
# Catch-all with logging
ipfwadm -O -a deny -S $ANYWHERE -D $ANYWHERE -o
--- end
Now some general questions about I, O and F rules...
I assume that I rules set the way that ipfwadm will behave with incoming
packets, whether they have been routed before or not. O rules set the
behavior for packets ready to be sent, and F rules determine the
route policy between the different interfaces on the machine. Am I
correct, nearly correct, completely wrong, do I need surgery, etc?
--
fg
"Computers are like air conditioners - they stop working properly when
you open Windows"
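An added example (mine, not part of the original post) that models only the -I chain of the script above as a first-match list, with the ppp0 address and the packet addresses constructed from documentation ranges and -V taken as the address of the interface a packet arrived on. It shows what the -V binding buys on the input side: a packet arriving on ppp0 with a forged 10.x source cannot use the eth0 rule, while the second rule still accepts any source that is addressed to the gateway itself.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the script's variables; the real $IP is whatever
# the ISP assigned to ppp0. 192.0.2.0/24 and 198.51.100.0/24 are documentation space.
IP = "192.0.2.10"
LOCALNET = "10.0.0.0/8"
ANYWHERE = "0.0.0.0/0"
# Address ipfwadm compares against -V for a packet arriving on each interface.
IFACE_ADDR = {"eth0": "10.0.0.1", "ppp0": IP, "lo": "127.0.0.1"}

# The script's -I chain, in order: (-V via, -S src, -D dst, action).
# None for -V means the option was not given, so any interface matches.
INPUT_CHAIN = [
    ("10.0.0.1", LOCALNET, ANYWHERE, "accept"),
    (IP, ANYWHERE, IP + "/32", "accept"),
    ("127.0.0.1", ANYWHERE, ANYWHERE, "accept"),
    (None, ANYWHERE, ANYWHERE, "deny"),   # the logged "-o" catch-all
]

def check_input(chain, iface, src, dst, policy="deny"):
    """First matching rule decides, as in ipfwadm; otherwise the -p policy."""
    src, dst = ip_address(src), ip_address(dst)
    for via, s, d, action in chain:
        if via is not None and via != IFACE_ADDR[iface]:
            continue
        if src in ip_network(s) and dst in ip_network(d):
            return action
    return policy

def demo():
    """Verdicts for constructed packets: (with -V on rule 1, without it)."""
    cases = {
        "lan host to internet, on eth0": ("eth0", "10.0.0.5", "198.51.100.7"),
        "reply to the gateway, on ppp0": ("ppp0", "198.51.100.7", IP),
        "internet straight to a lan host, on ppp0": ("ppp0", "198.51.100.7", "10.0.0.5"),
        "forged lan source to another lan host, on ppp0": ("ppp0", "10.0.0.5", "10.0.0.7"),
        "forged lan source to the gateway itself, on ppp0": ("ppp0", "10.0.0.5", IP),
    }
    # Same chain with -V dropped from rule 1: "-S $LOCALNET" alone no longer
    # ties the rule to eth0, so a forged 10.x source on ppp0 gets through.
    loose = [(None,) + INPUT_CHAIN[0][1:]] + INPUT_CHAIN[1:]
    return {name: (check_input(INPUT_CHAIN, *pkt), check_input(loose, *pkt))
            for name, pkt in cases.items()}

if __name__ == "__main__":
    for name, (strict, no_v) in demo().items():
        print(f"{name:50} with -V: {strict:7} without -V: {no_v}")
```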