Problem solved. I had the default gateway screwed up on the machine that
was being forwarded to, so it didn't know how to reply.....
Now I'm off to look at the TrinityOS IPFWADM ruleset to make my firewall
secure.
Thanks for the help and sorry for asking for help too soon.
Somewhat red-faced,
.... Jim Montague
> -----Original Message-----
> From: David A. Ranch [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 12, 1999 1:15 PM
> To: Jim Montague; Linux IP Masquarede
> Subject: RE: [masq] port forwarding
>
>
>
> >> > ipfwadm -I -p accept
> >> > ipfwadm -O -p accept
> >> > ipfwadm -F -p deny
> >>
> >> These are bad defaults. Set your default to deny or reject and then
> >> explicitly ALLOW traffic in.
> >>
> >I set these defaults in an effort to prevent filtering while I am getting
> >port forwarding to work. Once everything works, I plan to clamp things
> >down.
>
> Ok.. fair enough.
>
>
>
> >> > ipfwadm -I -d deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0 2
> >> > ipfwadm -I -d deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0 2
> >> > ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
> >> > ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
> >> > ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
> >>
> >> Why the explicit denies? Also.. you should deny UDP and TCP. Don't
> >> disable ICMP! You are doing this via "-P all".
> >>
> >The explicit denies were in there when I installed the system, I think when
> >I said yes to "IP Spoofing Protection".
> >I extended them to cover the 2nd ethernet card.
>
> What Linux distribution prompted you for this? Having an option
> like this would be great but these are NOT filters for spoofing.
> If you want to see an example of anti-spoofing filters, etc,
> look at the TrinityOS IPFWADM ruleset.
>
>
>
> >That is my entire ruleset.
> >
> >I just tried running with a ruleset of:
> > ipfwadm -I -p accept
> > ipfwadm -O -p accept
> > ipfwadm -F -p accept
> > ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
> > ipportfw -A -u206.63.251.175/80 -R 192.168.0.100/80
> > ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
>
> Ok.. if you enter in each rule at the command line, do you
> get any errors?
>
> What does a "ipportfw -L" say?
>
> --David
> .----------------------------------------------------------------------------.
> | David A. Ranch - Linux/Networking/PC hardware             [EMAIL PROTECTED] |
> !----------------------------------------------------------------------------!
> `----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
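The three points David raises above (accept as the default policy on the input chain, deny rules written with "-P all" so they also kill ICMP, and a forwarded-to host that cannot route replies back through the masquerading box) can all be checked from the rule text before any of it is loaded. The script below is an added example, not code from either poster or from TrinityOS: it parses ipfwadm/ipportfw command lines with the handful of flags used in this thread (-I/-O/-F, -p/-a/-i/-d, -P/-S/-D/-W, and ipportfw's -A/-t/-u/-R) and reports those three conditions. The sample ruleset is reconstructed from the quoted messages; the finding names and the Rule structure are the example's own.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the first ipfwadm ruleset quoted in the thread,
# plus the TCP ipportfw line, so the forwarding target is visible to the linter.
SAMPLE_RULESET = """
ipfwadm -I -p accept
ipfwadm -O -p accept
ipfwadm -F -p deny
ipfwadm -I -a deny -o -P all -S 206.63.241.175 -W eth0 -D 0/0
ipfwadm -I -a deny -o -P all -S 192.168.0.200 -W eth1 -D 0/0
ipfwadm -F -a masquerade -S 192.168.0.0/24 -D 0/0
ipportfw -A -t206.63.251.175/80 -R 192.168.0.100/80
"""

CHAINS = {"-I": "input", "-O": "output", "-F": "forward"}
ACTIONS = {"-p": "policy", "-a": "append", "-i": "insert", "-d": "delete"}
VALUE_FLAGS = {"-P": "proto", "-S": "src", "-D": "dst", "-W": "iface"}


@dataclass
class Rule:
    tool: str                      # "ipfwadm" or "ipportfw"
    raw: str
    chain: Optional[str] = None    # input / output / forward
    action: Optional[str] = None   # policy / append / insert / delete / add
    target: Optional[str] = None   # accept / deny / reject / masquerade
    proto: Optional[str] = None    # all / tcp / udp / icmp (None = unspecified, i.e. all)
    src: Optional[str] = None      # -S (ipfwadm) or external addr/port (ipportfw)
    dst: Optional[str] = None      # -D (ipfwadm) or internal addr/port (ipportfw -R)
    iface: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one ipfwadm or ipportfw command line into a Rule."""
    argv = shlex.split(line)
    rule = Rule(tool=argv[0], raw=" ".join(argv))
    i = 1
    while i < len(argv):
        tok = argv[i]
        if rule.tool == "ipfwadm":
            if tok in CHAINS:
                rule.chain = CHAINS[tok]
            elif tok in ACTIONS:           # -p/-a/-i/-d take the policy name
                rule.action = ACTIONS[tok]
                i += 1
                rule.target = argv[i].lower()
            elif tok in VALUE_FLAGS:       # -P/-S/-D/-W take one value
                i += 1
                setattr(rule, VALUE_FLAGS[tok], argv[i].lower())
            # the other flag used in the thread (-o = log) takes no value
        else:                              # ipportfw
            if tok == "-A":
                rule.action = "add"
            elif tok[:2] in ("-t", "-u"):  # external addr/port, attached or separate
                rule.proto = "tcp" if tok[1] == "t" else "udp"
                if len(tok) > 2:
                    rule.src = tok[2:]
                else:
                    i += 1
                    rule.src = argv[i]
            elif tok == "-R":              # internal addr/port
                i += 1
                rule.dst = argv[i]
        i += 1
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    """Parse a whole ruleset, skipping blank and comment lines."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def lint(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (kind, detail, raw) findings for the three problems raised in the thread."""
    findings = []
    for r in rules:
        if r.tool == "ipfwadm":
            # 1. An accept default on input or forward lets everything through;
            #    the advice was deny/reject by default and allow explicitly.
            if r.action == "policy" and r.target == "accept" and r.chain in ("input", "forward"):
                findings.append(("default-accept", r.chain, r.raw))
            # 2. A deny/reject with -P all (or no -P) also drops ICMP; the advice
            #    was separate tcp and udp rules so ICMP keeps working.
            if (r.action in ("append", "insert") and r.target in ("deny", "reject")
                    and r.proto in (None, "all")):
                findings.append(("proto-all-deny", r.src or "any", r.raw))
        elif r.tool == "ipportfw" and r.action == "add" and r.dst:
            # 3. The internal host must route replies back through the masquerading
            #    box (its default gateway), which is what was wrong in the thread.
            findings.append(("reply-path", r.dst.split("/")[0], r.raw))
    return findings


if __name__ == "__main__":
    for kind, detail, raw in lint(parse_ruleset(SAMPLE_RULESET)):
        print(f"{kind:15} {detail:18} {raw}")
```

Run against the sample it reports the input-chain accept policy, both "-P all" denies, and the 192.168.0.100 forwarding target whose default route needs checking; the "-F -p deny" policy, the output-chain accept and the masquerade rule pass. The "reply-path" finding is informational only, since whether that host's gateway is right cannot be read from the firewall's rules.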