> -----Original Message-----
> From: David A. Ranch [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 11, 1999 11:11 PM
> To: Jim Montague; Linux IP Masquarede
> Subject: Re: [masq] port forwarding
>
>
>
> >My ipfwadm rules are:
> >
> > ipfwadm -I -p accept
> > ipfwadm -O -p accept
> > ipfwadm -F -p deny
>
> These are bad defaults. Set your default to deny or reject and then
> explicitly ALLOW traffic in.
>
I set these defaults in an effort to prevent filtering while I am getting
port forwarding to work. Once everything works, I plan to clamp things
down.
>
> > ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2
> > ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2
> > ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0
> > ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
>
> These are bad too. You need localhost for lots of stuff. Permit
> localhost for internal access.
>
> > ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
> > ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
> > ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
> > ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
> > ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
>
> Why the explicit denies? Also.. you should deny UDP and TCP. Don't
> disable ICMP! You are doing this via "-P all".
>
The explicit denies were in there when I installed the system, I think when
I said yes to "IP Spoofing Protection".
I extended them to cover the 2nd ethernet card.
> >my ipportfw rules are:
> > ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
> > ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
>
> These are right.
>
>
> >...Using tcpdump (running on the Linux server), I can see that
> >the packets are getting forwarded through the firewall, but the web server
> >doesn't seem to see them.
>
> It sounds like your IPFWADM INPUT or OUTPUT ruleset is filtering
> the traffic. Is that your ENTIRE ruleset above or just a part of
> it?
That is my entire ruleset.
I just tried running with a ruleset of:
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p accept
ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
and still couldn't connect.
Thanks!
.... Jim
>
> --David
> .---------------------------------------------------------------------------.
> | David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED] |
> !---------------------------------------------------------------------------!
> `----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
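A default-deny ipfwadm/ipportfw ruleset for the topology discussed in this thread, added here as an example; it is not code from either poster. It follows David's advice (deny by default, permit explicitly, keep localhost open, do not drop ICMP with "-P all") using the addresses that appear in Jim's rules: eth0 outside, eth1 on 192.168.0.0/24, web server 192.168.0.100. The posted rules use 206.63.241.175 in the ipfwadm lines and 206.63.251.175 in the ipportfw lines; the script keeps the external address in one variable so the two cannot diverge. Assumptions are marked in comments: the masquerading port range 61000:65096 is the one documented for 2.0 kernels, and the forward-chain accept for the web server is added in case the forward chain sees reverse-masqueraded packets. By default the script only prints the commands; APPLY=1 executes them as root on a 2.0 kernel.

```shell
#!/bin/sh
# Constructed example: default-deny ipfwadm/ipportfw ruleset for a Linux 2.0
# masquerading gateway with one port-forwarded web server. Prints the
# commands by default; APPLY=1 runs them (requires root and a 2.0 kernel).

EXT_IF=eth0
EXT_IP=206.63.241.175        # external address, used for both ipfwadm and ipportfw
INT_IF=eth1
LAN=192.168.0.0/24
WEB=192.168.0.100            # internal web server reached through ipportfw
MASQ_PORTS=61000:65096       # assumption: 2.0 kernel masquerading port range

fw() {
    # Echo the command in dry-run mode, execute it when APPLY=1.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

build_rules() {
    # Flush, then set input and forward policies to deny before permitting.
    # The output chain is left at accept; filtering is done on input/forward.
    fw ipfwadm -I -f
    fw ipfwadm -O -f
    fw ipfwadm -F -f
    fw ipfwadm -I -p deny
    fw ipfwadm -O -p accept
    fw ipfwadm -F -p deny

    # Loopback stays open: local daemons talk to 127.0.0.1.
    fw ipfwadm -I -a accept -W lo

    # Anti-spoofing on the outside interface only: our own address ranges
    # must never arrive from eth0. Logged with -o. No "-P all" ICMP drop.
    fw ipfwadm -I -a deny -o -W $EXT_IF -S 127.0.0.0/8 -D 0/0
    fw ipfwadm -I -a deny -o -W $EXT_IF -S $LAN -D 0/0
    fw ipfwadm -I -a deny -o -W $EXT_IF -S $EXT_IP -D 0/0

    # Trust the LAN side.
    fw ipfwadm -I -a accept -W $INT_IF -S $LAN -D 0/0

    # Inbound on the outside: the forwarded web port, replies to masqueraded
    # TCP sessions (ACK set only, -k), DNS answers to masqueraded ports,
    # and ICMP (needed for path MTU discovery and error reporting).
    fw ipfwadm -I -a accept -P tcp -W $EXT_IF -S 0/0 -D $EXT_IP 80
    fw ipfwadm -I -a accept -P tcp -W $EXT_IF -k -S 0/0 -D $EXT_IP $MASQ_PORTS
    fw ipfwadm -I -a accept -P udp -W $EXT_IF -S 0/0 53 -D $EXT_IP $MASQ_PORTS
    fw ipfwadm -I -a accept -P icmp -W $EXT_IF -S 0/0 -D 0/0

    # Masquerade the LAN; everything else in the forward chain is denied.
    fw ipfwadm -F -a masquerade -S $LAN -D 0/0
    # Assumption: explicit accept for forwarded web traffic in case the
    # forward chain sees it; harmless if the kernel bypasses it.
    fw ipfwadm -F -a accept -P tcp -S 0/0 -D $WEB 80

    # Port-forward HTTP on the external address to the internal server.
    fw ipportfw -C
    fw ipportfw -A -t$EXT_IP/80 -R $WEB/80
    fw ipportfw -A -u$EXT_IP/80 -R $WEB/80
}

build_rules
```

Run it once without APPLY to review the generated rules, then list the result with `ipfwadm -I -l`, `ipfwadm -F -l` and `ipportfw -L` after applying; if the web server still does not see the forwarded packets, compare the address in `ipportfw -L` against the one on the eth0 interface, since a port-forward bound to an address the box does not own never matches.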