Fuzzy Fox wrote:
>
> Francis GALIEGUE <[EMAIL PROTECTED]> wrote:
> >
> > I messaged a few days ago about my set of ipfwadm rules... And still had
> > no answer...
>
> I had assumed that listmembers were mailing you directly. I was all set
> to berate the list for not sharing their thoughts with all the other
> listmembers, for everyone to benefit from the wisdom of all.
As did I.
I built my ruleset starting with the documentation at
http://rlz.ne.mediaone.net.
I found the documentation thorough and the ruleset reasonably paranoid,
like myself.
> > # Forward all packets from the internal net, whatever their destination,
> > # and masquerade them
> > ipfwadm -F -a masquerade -V 10.0.0.1 -S $LOCALNET -D $ANYWHERE
>
> Just curious, why do you use a $LOCALNET variable for your network
> address, but hard-code the interface address, 10.0.0.1? Maybe both
> should be variables.
Good point. But make sure you precede this one (remember order IS
important) with a rule that says anything coming from the Big Bad Net
from 10.0.0.1, 192.168.*, or 172.16.16.* gets denied.
> > # Is this one of any use?
> > ipfwadm -F -a accept -V 127.0.0.1 -S $ANYWHERE -D $ANYWHERE
>
> This doesn't appear to be necessary. Why would a packet be coming in on
> the loopback interface, destined for anywhere but the loopback itself?
On my machine (my Linux box is both web/FTP server and firewall), I
can't resolve http://kramer.ne.mediaone.net (itself) for some reason, so
I have to use http://localhost instead. I don't know if it's a DNS
thing or my ipfwadm rules are too restrictive. So I have rules for
"localhost can talk to internal net" and "internal net can talk to
localhost".
> If you think this traffic is really happening, try changing it to
> "deny", with logging ("-o") and see if it ever gets logged.
Very good tip. I'll add that you'll find the logging of the denied
packets in /var/adm/messages on RedHat 5.1.
> > # Accept all packets arriving at remote interface as long as their
> > # destination is the address of this interface
> > ipfwadm -I -a accept -V $IP -S $ANYWHERE -D $IP/32
>
> Hmm, interesting. Why do you suspect that traffic might come in that
> isn't destined for your own machine? I'd turn on logging of any packets
> that don't match this rule, to see if it's really happening.
Never thought of it. I don't know what the performance penalty is for
having rules that never get used, but there must be some.
In RLZ's ruleset, he often uses the -W option to specify a specific
interface (eth0 or eth1) to make sure that someone doesn't try to send
me packets to a 192.168.* through my external interface. It seems to me
that this is also worthwhile.
Good luck.
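The two points raised above (anti-spoofing denies must come before the masquerade rule, and rules should be pinned to an interface with -W and logged with -o) as an added, ordered ipfwadm fragment. This is example code, not the original poster's or RLZ's ruleset; the interface names, addresses and the dry-run wrapper are assumptions, and the source list generalizes the thread's 192.168.* / 172.16.16.* to the full private ranges.

```shell
#!/bin/sh
# Added example: ordered ipfwadm fragment with anti-spoofing before masquerade.
# Interface names and addresses below are assumed placeholders.
EXTIF=eth0               # assumed external interface (Big Bad Net side)
INTIP=192.168.1.1        # assumed address of the internal interface
LOCALNET=192.168.1.0/24  # assumed internal network
ANYWHERE=0.0.0.0/0
# Set IPFWADM="echo ipfwadm" for a dry run that only prints the rules.
IPFWADM="${IPFWADM:-ipfwadm}"

# Emit (or apply) the ruleset in the order it must be loaded.
emit_rules() {
  # Flush input and forwarding chains, default-deny forwarding.
  $IPFWADM -I -f
  $IPFWADM -F -f
  $IPFWADM -F -p deny
  # Anti-spoofing first: anything arriving on the external interface that
  # claims our own internal address, a private range or loopback is denied
  # and logged (-o), so hits show up in the kernel log.
  for net in "$INTIP/32" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    $IPFWADM -I -a deny -o -W "$EXTIF" -S "$net" -D "$ANYWHERE"
  done
  # Only now forward and masquerade the internal net out of the external interface.
  $IPFWADM -F -a masquerade -W "$EXTIF" -S "$LOCALNET" -D "$ANYWHERE"
}

# Ordering check on a dry run: the last spoof deny must precede the
# masquerade rule. Returns 0 when the order is right, 1 otherwise.
check_order() {
  out=$(IPFWADM="echo ipfwadm" emit_rules)
  deny_line=$(printf '%s\n' "$out" | grep -n -- '-a deny' | tail -1 | cut -d: -f1)
  masq_line=$(printf '%s\n' "$out" | grep -n -- '-a masquerade' | cut -d: -f1)
  [ -n "$deny_line" ] && [ -n "$masq_line" ] && [ "$deny_line" -lt "$masq_line" ]
}
```

Run as root with the real ipfwadm to apply, or with IPFWADM="echo ipfwadm" to review the ordering first.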