>The problem is that I have Linux Red Hat 5.0 and ipmasq on it.
>Everything works, but people can access my system with http and I do not
>want this.
Your IPFWADM ruleset really isn't that strong. I would recommend
implementing a stronger one, such as the one found in TrinityOS:
http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
Anyway, to fix your immediate problem, add the following in-line
commands.
NOTE: Change the "-W ppp0" text to reflect the interface
name of your internet connection
>Ipfwadm script.
>
>> # testing firewall stuff and masquerade
>> echo "loading firewall rules"
>> echo "loading firewall rules" >>/var/log/messages
>> #
>> # Flush all commands
>> ipfwadm -F -f
>> ipfwadm -I -f
>> ipfwadm -O -f
>> # By default deny all services
>> ipfwadm -F -p deny
>> ipfwadm -I -p deny
>> ipfwadm -O -p deny
>> # rules to allow
>> #
>> # Rules about Incoming stuff
Add this:
ipfwadm -I -a deny -W ppp0 -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 80 -o
>> ipfwadm -I -a deny -V 194.109.102.130 -S 193.1.0.0/24 -D 0.0.0.0/0 -o
>> ipfwadm -I -a accept -V 193.1.0.100 -S 193.1.0.0/24 -D 0.0.0.0/0
>> ipfwadm -I -a accept -V 193.1.0.1 -S 193.1.0.0/24 -D 0.0.0.0/0
>> ipfwadm -I -a accept -V 193.1.0.2 -S 193.1.0.0/24 -D 0.0.0.0/0
>> ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
>> ipfwadm -I -a accept -V 194.109.102.130 -S 0.0.0.0/0 -D 194.109.102.130/32
>> # Rules about Outgoing stuff
>> ipfwadm -O -a deny -V 194.109.102.130 -S 0.0.0.0/0 -D 193.1.0.0/24 -o
>> ipfwadm -O -a deny -V 194.109.102.130 -S 193.1.0.0/23 -D 0.0.0.0/0
>> ipfwadm -O -a accept -V 193.1.0.100 -S 0.0.0.0/0 -D 193.1.0.0/24
>> ipfwadm -O -a accept -V 193.1.0.1 -S 0.0.0.0/0 -D 193.1.0.0/24
>> ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
>> ipfwadm -O -a accept -V 194.109.102.130 -S 194.109.102.130/32 -D 0.0.0.0/0
>> # Rules about Forwarding stuff
>> ipfwadm -F -a accept -m -S 193.1.0.1 -D 0.0.0.0/0
>> ipfwadm -F -a accept -m -S 193.1.0.2 -D 0.0.0.0/0
You DON'T need both of these rules. Combine them:
ipfwadm -F -a accept -m -S 193.1.0.0/24 -D 0.0.0.0/0
>> # logging option on the policy
>> ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
>> ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
>> ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
--
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
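The reply's point is that the port-80 deny has to be appended before the catch-all accept for the external address, because ipfwadm stops at the first matching rule. This added example (not from the list post, and not ipfwadm itself) is a small first-match evaluator in Python for the post's incoming chain, with constructed sample packets; the names `rule`, `matches`, `evaluate`, `deny_first` and `deny_last` are hypothetical helpers written here.

```python
import ipaddress
# Addresses from the post: external ppp0 address and the LAN gateway.
EXT, LAN_GW = "194.109.102.130", "193.1.0.1"

def rule(policy, iface=None, proto=None, via=None,
         src="0.0.0.0/0", dst="0.0.0.0/0", dport=None):
    """One ipfwadm -I rule: -W iface, -P proto, -V via, -S src, -D dst [port]."""
    return dict(policy=policy, iface=iface, proto=proto, via=via, dport=dport,
                src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst))

def matches(r, p):
    return ((r["iface"] in (None, p["iface"])) and (r["proto"] in (None, p["proto"]))
            and (r["via"] in (None, p["via"])) and (r["dport"] in (None, p["dport"]))
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"])

def evaluate(chain, p, policy="deny"):
    """First matching rule wins, as in ipfwadm; otherwise the -p policy applies."""
    return next((r["policy"] for r in chain if matches(r, p)), policy)

HTTP_DENY = rule("deny", iface="ppp0", proto="tcp", dport=80)   # the added rule
INCOMING = [                                                    # the post's -I rules
    rule("deny", via=EXT, src="193.1.0.0/24"),                  # LAN source on ppp0: spoof
    rule("accept", via=LAN_GW, src="193.1.0.0/24"),
    rule("accept", via="127.0.0.1"),
    rule("accept", via=EXT, dst=EXT + "/32"),                   # anything else addressed to us
]

def pkt(iface, via, src, dst, dport):
    """Constructed TCP packet as the -I chain sees it (no real traffic involved)."""
    return dict(iface=iface, via=via, src=src, dst=dst, dport=dport, proto="tcp")

SAMPLES = {
    "internet_http": pkt("ppp0", EXT, "203.0.113.9", EXT, 80),
    "internet_ssh": pkt("ppp0", EXT, "203.0.113.9", EXT, 22),
    "lan_http": pkt("eth0", LAN_GW, "193.1.0.5", LAN_GW, 80),
    "spoofed": pkt("ppp0", EXT, "193.1.0.7", EXT, 22),
}

def verdicts(chain):
    return {name: evaluate(chain, p) for name, p in SAMPLES.items()}

def deny_first():
    """Rule appended before the rest, as the reply instructs."""
    return verdicts([HTTP_DENY] + INCOMING)

def deny_last():
    """Same rule appended after the catch-all accept: HTTP is never reached."""
    return verdicts(INCOMING + [HTTP_DENY])
```

With the deny first, outside HTTP is dropped while LAN web access and other inbound services to the external address still match their accept rules; appended last, the same rule never fires.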