>> > ipfwadm -I -p accept
>> > ipfwadm -O -p accept
>> > ipfwadm -F -p deny
>>
>> These are bad defaults. Set your default to deny or reject and then
>> explicitly ALLOW traffic in.
>>
>I set these defaults in an effort to prevent filtering while I am getting
>port forwarding to work. Once everything works, I plan to clamp things
>down.
Ok.. fair enough.
>> > ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
>> > ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
>> > ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
>> > ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
>> > ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
>>
>> Why the explicit denies? Also.. you should deny UDP and TCP. Don't
>> disable ICMP! You are doing this via "-P all".
>>
>The explicit denies were in there when I installed the system, I think when
>I said yes to "IP Spoofing Protection".
>I extended them to cover the 2nd ethernet card.
What Linux distribution prompted you for this? Having an option
like this would be great but these are NOT filters for spoofing.
If you want to see an example of anti-spoofing filters, etc,
look at the TrinityOS IPFWADM ruleset.
>That is my entire ruleset.
>
>I just tried running with a ruleset of:
> ipfwadm -I -p accept
> ipfwadm -O -p accept
> ipfwadm -F -p accept
> ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
> ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
> ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
Ok.. if you enter in each rule at the command line, do you
get any errors?
What does a "ipportfw -L" say?
--David
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
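As an added illustration, not part of the thread or of David's TrinityOS ruleset, here is a small Python lint that reads an ipfwadm ruleset and flags the points raised above: accept default policies, deny rules with "-P all" (which also drop ICMP), and the absence of an input deny on the external interface for packets claiming an internal source address. The external interface name (eth0) and internal network (192.168.0.0/24) are assumptions; the sample ruleset is constructed from the commands quoted in the thread.

```python
import shlex

# Constructed sample: the original poster's ruleset as quoted above.
RULESET = """\
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p deny
ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
"""

CHAIN = {"-I": "input", "-O": "output", "-F": "forward"}

def parse_rule(line):
    """Turn one ipfwadm command line into a dict; None if not an ipfwadm line."""
    argv = shlex.split(line)
    if not argv or argv[0] != "ipfwadm":
        return None
    rule = {"chain": None, "action": None, "policy": None, "opts": {}}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in CHAIN:                       # chain selector
            rule["chain"] = CHAIN[tok]; i += 1
        elif tok in ("-a", "-i", "-d"):        # append/insert/delete + target
            rule["action"] = argv[i + 1]; i += 2
        elif tok == "-p":                      # default policy
            rule["policy"] = argv[i + 1]; i += 2
        elif tok in ("-P", "-S", "-D", "-W"):  # proto, src, dst, interface
            rule["opts"][tok] = argv[i + 1]; i += 2
        else:                                  # valueless flags such as -o (log)
            i += 1
    return rule

def lint(text, ext_if, internal_net):
    """Return a list of findings for the ruleset; ext_if/internal_net are assumed."""
    findings, spoof_guard = [], False
    for line in text.splitlines():
        r = parse_rule(line)
        if r is None:
            continue
        if r["policy"] == "accept":
            findings.append(f"{r['chain']}: default policy accept; default to deny and allow explicitly")
        if r["action"] == "deny" and r["opts"].get("-P") == "all":
            findings.append(f"{r['chain']}: deny with -P all also drops ICMP; deny tcp/udp separately")
        if (r["chain"] == "input" and r["action"] == "deny"
                and r["opts"].get("-W") == ext_if and r["opts"].get("-S") == internal_net):
            spoof_guard = True
    if not spoof_guard:
        findings.append(f"input: no deny on {ext_if} for packets claiming source {internal_net}")
    return findings
```

Running lint(RULESET, "eth0", "192.168.0.0/24") yields five findings for the quoted ruleset; a deny for 192.168.0.0/24 arriving on eth0 clears the last one.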