Francis GALIEGUE <[EMAIL PROTECTED]> wrote:
>
> I messaged a few days ago about my set of ipfwadm rules... And still had
> no answer...
I had assumed that listmembers were mailing you directly. I was all set
to berate the list for not sharing their thoughts with all the other
listmembers, for everyone to benefit from the wisdom of all.
But instead, I suppose I shall have to berate the list for not sharing
any info. :)
> OK, I have tried to set up my own rules with ipfwadm. Those are the ones
> I use right now and afaics they work. Now, I'd like to have opinions
> from more experienced guys :)
Some folks are more paranoid than I. I have only recently begun to play
around with some of the more restrictive firewall rules. I would be
interested in what others have to say about WHY certain policies might
or might not be desired. I'm the type who wants to know why things are
done, not just given a recipe to follow. :)
> # Forward all packets from the internal net, whatever their destination,
> # and masquerade them
> ipfwadm -F -a masquerade -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
Just curious, why do you use a $LOCALNET variable for your network
address, but hard-code the interface address, 10.0.0.1? Maybe both
should be variables.
> # Is this one any useful?
> ipfwadm -F -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
This doesn't appear to be necessary. Why would a packet be coming in on
the loopback interface, destined for anywhere but the loopback itself?
If you think this traffic is really happening, try changing it to
"deny", with logging ("-o") and see if it ever gets logged.
> # Accept all packets arriving at local interface, whatever their destination
> ipfwadm -I -a accept -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
Looks good.
> # Accept all packets arriving at remote interface as long as their
> # destination is the address of this interface
> ipfwadm -I -a accept -V $IP -S $ANYWHERE -D $IP/32
Hmm, interesting. Why do you suspect that traffic might come in that
isn't destined for your own machine? I'd turn on logging of any packets
that don't match this rule, to see if it's really happening.
> # loopback interface - same Q as above
> ipfwadm -I -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
At first I didn't think this was necessary, but since you've turned off
input (default policy deny), I suppose it is needed. Though if you want
to be paranoid, you should use 127.0.0.1/32 instead of $ANYWHERE.
> ipfwadm -I -a deny -S $ANYWHERE -D $ANYWHERE -o
This is that logging rule to see what's failing to match the filters.
Does it ever log anything?
> # Accept all packets arriving at the remote interface as long as their
> # source address is the one of the remote interface itself
> ipfwadm -O -a accept -V $IP -S $IP/32 -D $ANYWHERE
More paranoia, I guess.
> # Accept all packets arriving at local interface, whatever their
> # destination
> ipfwadm -O -a accept -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
Shouldn't packets going out on the eth0 interface be only destined for
the local network?
> #loopback interface, same Q
> ipfwadm -O -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
Your paranoia here is not consistent. :)
> ipfwadm -O -a deny -S $ANYWHERE -D $ANYWHERE -o
Does anything actually get logged by this?
> I assume that the I rules set the way ipfwadm behaves with
> incoming packets, whether they have been routed before or not.
Yes, I believe they are passed through the input filter before being
de-masqueraded, if that's what you mean.
> O rules set the behavior for packets that are ready to be sent, and F
> rules determine the route policy between the different interfaces on
> the machine.
You're right about output rules, but the forward-filter rules are only
invoked when it has already been determined that a packet is going to
be forwarded. This is done by consulting the route table. Once the
machine has determined that the packet will be forwarded, the
forward-filter rules are consulted to determine if the forwarding
should proceed, or be stopped (or masqueraded first).
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
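An added example, not part of either participant's message: the posted rule set rewritten as a reviewable shell script, with both the network and the inside-interface address held in variables as the reply suggests, the default policy of each chain set to deny explicitly, the loopback rules narrowed to 127.0.0.1/32, and a logging deny as the last rule of every chain. It prints the ipfwadm commands by default so the set can be inspected first, and only executes them when run with FW_APPLY=1. The addresses in IP, INNER_IP and LOCALNET are placeholders; the masquerade rule deliberately carries no -V, so it matches whichever interface routing chooses rather than pinning it to 10.0.0.1 as the posted version did.

```shell
#!/bin/sh
# Added example: the posted ipfwadm rule set as a reviewable script.
# Placeholder addresses (constructed); replace them before applying.
IP="${IP:-192.0.2.10}"             # address of the outside (remote) interface
INNER_IP="${INNER_IP:-10.0.0.1}"   # address of the inside interface
LOCALNET="${LOCALNET:-10.0.0.0/24}"
LOOP=127.0.0.1/32
ANYWHERE=0.0.0.0/0

# Print each rule unless FW_APPLY=1, so the whole set can be reviewed
# (or diffed against the running one) before it touches the kernel.
ipfw() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        ipfwadm "$@"
    else
        printf 'ipfwadm %s\n' "$*"
    fi
}

install_rules() {
    # Flush every chain and make deny the default policy: anything not
    # explicitly accepted below is dropped, and the trailing -o rule in
    # each chain logs it so the "does this ever fire?" question can be
    # answered from the syslog.
    for chain in -I -O -F; do
        ipfw $chain -f
        ipfw $chain -p deny
    done

    # Input chain: packets arriving on an interface, checked before
    # de-masquerading. Loopback is narrowed to 127.0.0.1/32.
    ipfw -I -a accept -V "$INNER_IP" -S "$LOCALNET" -D "$ANYWHERE"
    ipfw -I -a accept -V "$IP" -S "$ANYWHERE" -D "$IP/32"
    ipfw -I -a accept -V 127.0.0.1 -S "$ANYWHERE" -D "$LOOP"
    ipfw -I -a deny -S "$ANYWHERE" -D "$ANYWHERE" -o

    # Forward chain: consulted only once the routing table has decided a
    # packet will be forwarded. Masquerade the inside net; no -V here, so
    # the rule is not tied to one interface address.
    ipfw -F -a masquerade -S "$LOCALNET" -D "$ANYWHERE"
    ipfw -F -a deny -S "$ANYWHERE" -D "$ANYWHERE" -o

    # Output chain: packets about to leave an interface. Traffic leaving
    # via the inside interface is restricted to local-net destinations.
    ipfw -O -a accept -V "$IP" -S "$IP/32" -D "$ANYWHERE"
    ipfw -O -a accept -V "$INNER_IP" -S "$ANYWHERE" -D "$LOCALNET"
    ipfw -O -a accept -V 127.0.0.1 -S "$ANYWHERE" -D "$LOOP"
    ipfw -O -a deny -S "$ANYWHERE" -D "$ANYWHERE" -o
}

# Number of rules the set emits in print mode; a quick sanity check that
# nothing was lost when editing (6 flush/policy lines + 10 rules = 16).
rule_count() {
    install_rules | wc -l | tr -d ' '
}

install_rules
```

Run it as-is to see the commands, then `FW_APPLY=1 sh fw.sh` as root to load them. If the logging deny at the end of a chain starts matching packets you expected an accept rule to cover, that is the signal that the accept rule's -S/-D/-V is narrower than the traffic really is.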