Good day, all,
On Mon, 21 Dec 1998, David A. Ranch wrote:
> Ambrose and myself (so far) are getting ready for a serious re-work
> of the HOWTO and the MASQ WWW page. I'm asking all of you for ideas,
> comments, etc on what you would like to see added/changed/deleted from
> both the MASQ WWW page and the HOWTO.
My sincere thanks to both of you for your efforts on the howto and
related documentation. The IP masquerading howto was where I got my
start...
> No idea, comment, etc is too small. This is my tentative list in
> no particular order. If you would like to contribute to some of
> the more esoteric areas (GUI firewall tools, DHCPcd, EQL, etc),
> please let us know!
>
> MASQ WWW/HOWTO To-do list : v1
[snip]
> Add a strong IPFWADM ruleset (can use TrinityOS's if we want but
> I need to add the proper -k options)
I had once hoped that I could use some of the flag fields at the
end of the log entries to figure out if -k should be used. Unfortunately,
that information is not logged.
The best logic I could come up with was this: if the protocol is
tcp AND the source port is a server port (i.e., in /etc/services) AND the
source port is not 20 (I chickened out on the direction of ftp-data
connections), the ack flag ("-k") should be set. For ipchains, simply
replace "-k" with "! -y".
> Possibly mention references to some of the GUI IPFWADM tools.
> Mason, DotFile Generator, etc. I also think these should
> be reviewed and rated since many of them are VERY complicated.
> (I also don't think any of them support IPCHAINS yet)
I'd love to see a review of Mason - I'm always looking for
feedback and suggestions on how to improve it. It's nearing the end of a
major rewrite. Since I last wrote in, I've added: support for ipchains (log
input, rule output, and actually executing the command can be ipfwadm or
ipchains - independently!), support for dynamic IP addresses such as slip
or ppp, and generalizing IP addresses to their respective network (while
keeping local IP addresses and broadcast addresses as is). The web page
for Mason includes more details - http://www.pobox.com/~wstearns/mason/ .
Before Mason got the ability to generalize to local network
addresses, I suspect it would have gotten a poor review. The user was
expected to put in quite a bit of effort cleaning up the output manually -
that was time consuming. Now Mason can take a line like
Dec 22 12:15:45 sparrow kernel: Packet log: output - eth0 PROTO=6 \
172.16.0.253:3128 172.16.0.110:1664 L=40 S=0x00 I=24932 F=0x0000 T=64
and return
/sbin/ipchains -A output -i eth0 -p tcp ! -y -s 172.16.0.253/32 squid -d \
172.16.0.0/16 1024:65535 -j ACCEPT # squid/tcp (O)
automatically - it knows to leave 172.16.0.253 alone as it's my IP
address, but give all hosts on the network identical rights. Ipfwadm
rules are just as easy.
The last major tasks I have are some documentation work of my own
and cleaning up a wrapper script that goes around the generated rules.
The Mason code works marvelously well right now; I encourage anyone who'd
like to find out more to go to the web page and take a look.
I'm quite sure I'd fail at being objective in reviewing my own
software :-), but would love to read one if someone's up for writing one.
David - Whether you get a review or not, would you be willing to
put a pointer to the Web site in the IP masquerading page and in the
TrinityOS page? http://www.pobox.com/~wstearns/mason/ is the permanent
URL for the package.
Thanks again for all your work. Cheers,
- Bill
---------------------------------------------------------------------------
Unix _is_ user friendly. It's just very selective about who its friends
are. And sometimes even best friends have fights.
William Stearns ([EMAIL PROTECTED])
Mason, Buildkernel, and named2hosts are at: http://www.pobox.com/~wstearns
---------------------------------------------------------------------------
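The two pieces of logic described in the message (the "-k" / "! -y" heuristic for
established TCP traffic, and the rewriting of a kernel packet-log line into a
rule with local addresses kept and other local hosts widened to their network)
are easy to get wrong by hand, so here is an added example that re-implements
them in Python. This is not Mason's own code and not from the post: the
SERVICES table stands in for /etc/services, LOCAL_NET and LOCAL_IPS are assumed
site settings, the sample log lines are constructed, and the treatment of hosts
outside the local network (left as /32) is an assumption. The ipfwadm form uses
ipfwadm's -I/-O/-F, -S/-D, -W and -k options as that tool documented them.

```python
import ipaddress
import re

# Constructed stand-in for /etc/services (port -> name); a real run would
# parse the system file.  Only server ports need to be listed.
SERVICES = {20: "ftp-data", 21: "ftp", 22: "ssh", 25: "smtp", 53: "domain",
            80: "www", 110: "pop-3", 3128: "squid"}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Assumed site settings: the firewall's own addresses stay /32, other hosts
# on the local network are widened to the network, the network broadcast
# address is kept as-is, and addresses outside the network are left as /32.
LOCAL_NET = ipaddress.ip_network("172.16.0.0/16")
LOCAL_IPS = {ipaddress.ip_address("172.16.0.253")}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_log(line):
    """Pull chain, interface, protocol and endpoints out of a kernel log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry


def needs_ack_flag(proto, sport):
    """The heuristic from the post: tcp, source port is a known server port,
    and not ftp-data (20), whose connections run the other way."""
    return proto == 6 and sport in SERVICES and sport != 20


def generalize(addr):
    """Keep our own IPs, the broadcast address and foreign hosts as /32;
    widen any other local host to the whole local network."""
    ip = ipaddress.ip_address(addr)
    if ip in LOCAL_IPS or ip == LOCAL_NET.broadcast_address or ip not in LOCAL_NET:
        return f"{ip}/32"
    return str(LOCAL_NET)


def port_spec(port):
    if port in SERVICES:
        return SERVICES[port]
    if port >= 1024:
        return "1024:65535"   # an unprivileged client port: allow the whole range
    return str(port)


def _common(entry):
    proto = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
    ack = needs_ack_flag(entry["proto"], entry["sport"])
    ports = entry["proto"] in (6, 17)          # icmp carries no port numbers
    src = [generalize(entry["src"])] + ([port_spec(entry["sport"])] if ports else [])
    dst = [generalize(entry["dst"])] + ([port_spec(entry["dport"])] if ports else [])
    service = SERVICES.get(entry["sport"]) or SERVICES.get(entry["dport"]) or "unknown"
    comment = f"# {service}/{proto} ({entry['chain'][0].upper()})"
    return proto, ack, src, dst, comment


def ipchains_rule(entry, policy="ACCEPT"):
    proto, ack, src, dst, comment = _common(entry)
    parts = ["/sbin/ipchains", "-A", entry["chain"], "-i", entry["iface"], "-p", proto]
    if ack:
        parts += ["!", "-y"]           # established traffic only: SYN must not be set alone
    parts += ["-s", *src, "-d", *dst, "-j", policy, comment]
    return " ".join(parts)


def ipfwadm_rule(entry, policy="accept"):
    proto, ack, src, dst, comment = _common(entry)
    chain_flag = {"input": "-I", "output": "-O", "forward": "-F"}[entry["chain"]]
    parts = ["/sbin/ipfwadm", chain_flag, "-a", policy, "-W", entry["iface"], "-P", proto]
    if ack:
        parts.append("-k")             # ipfwadm's spelling of the same ACK test
    parts += ["-S", *src, "-D", *dst, comment]
    return " ".join(parts)


# Constructed sample lines: the post's squid line, an active-ftp data
# connection arriving from port 20, and an outbound DNS query.
SAMPLE_LOG = """\
Dec 22 12:15:45 sparrow kernel: Packet log: output - eth0 PROTO=6 172.16.0.253:3128 172.16.0.110:1664 L=40 S=0x00 I=24932 F=0x0000 T=64
Dec 22 12:16:02 sparrow kernel: Packet log: input - eth0 PROTO=6 192.0.2.7:20 172.16.0.253:1200 L=60 S=0x00 I=3 F=0x4000 T=51
Dec 22 12:16:10 sparrow kernel: Packet log: output - eth0 PROTO=17 172.16.0.253:1025 192.0.2.53:53 L=61 S=0x00 I=9 F=0x0000 T=64
"""


def rules_from_log(text, tool="ipchains"):
    build = ipchains_rule if tool == "ipchains" else ipfwadm_rule
    return [build(e) for e in map(parse_log, text.splitlines()) if e]


if __name__ == "__main__":
    for tool in ("ipchains", "ipfwadm"):
        for rule in rules_from_log(SAMPLE_LOG, tool):
            print(rule)
```

The first sample line reproduces the squid rule quoted above; the ftp-data line
shows the port-20 exception in action (no "! -y", since the data connection is
opened by the server), and the DNS line shows that the ACK test is never applied
to UDP. A rule set built this way is only as complete as the traffic that was
logged while it ran, which is why the output still wants a human read-through.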