At 09:27 PM 10/25/2002 -0400, Weirong Zhu wrote:
> I set
> ===================================================
> INTERNAL eth1 # inside network interface
> FILTERED eth0 # outside
> open tcp ssh
> ===================================================

pfilter classifies interfaces two ways:
FILTERED or UNFILTERED
(any connection is allowed from UNFILTERED interfaces)
PROTECTED or UNPROTECTED
(PROTECTED interfaces get their outgoing connections Network Address Translated)
Depending on which version of pfilter you have, setting an interface as
INTERNAL may set the
Setting an interface as INTERNAL will always set it as PROTECTED.
But INTERNAL interfaces, depending on which version of pfilter is being
used, may be set as FILTERED or UNFILTERED.
I would advise using something like this:
PROTECTED eth1 # inside network gets NAT style packet forwarding
UNFILTERED eth1 # inside network is allowed any connection to this machine
UNPROTECTED eth0 # outside network is not NATTED
FILTERED eth0 # outside network connections not allowed by default
open ssh # allow ssh connection to this machine from anywhere
nologging # don't fill syslog up with packet rejection notices
or better yet, something like what OSCAR installs:
# define the main OSCAR server
%define oscar_server ia32.ncsa.uiuc.edu
# define the OSCAR compute nodes (this is updated when
# compute nodes are added or taken away)
%define nodes ia32c1 ia32c2 ia32c3 ia32c4
# We don't want future pfilter updates to merge commented out
# new types of configuration directives when pfilter is upgraded.
nomerge
# We don't trust anyone anywhere on any interface by default
untrusted interfaces all
# We don't want to fill up system log files with packet
# rejection messages
nologging
# Be nice and reject, rather than drop, unwanted packets
reject
# the server gets ssh and http opened up
open tcp ssh http https
# the server needs to be listed as a dhcp server for the nodes
# because opening up that service requires opening up some
# broadcast stuff as well, so simply listing the nodes as
# trusted is not sufficient
open dhcp on eth1
# the server trusts itself and every compute node
trusted %oscar_server% %nodes%
open multicast # for ganglia
> I found after pfilter start all packages are filtered out, except SSH.
> From outside, other machines cannot ping me, cannot telnet; that's just
> what I want. However from inside, I also cannot go outside, for example,
> I cannot telnet to an outside telnet server. More important, I cannot get
> NIS server's response, cannot get NFS server's response. It closed all my
> network connection except SSH. That's not what I want. Has anybody met the
> same problem? Would you like to tell me how to properly configure the
> pfilter? Thanks a lot!
_______________________________________________
Oscar-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/oscar-users
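The interface classes the reply spells out, modelled in Python over both the posted config and the suggested one. This is an added illustration, not pfilter's own code; it encodes only the rules stated in the message, and the default it assumes for an interface the config never names (filtered, not NATed) is an assumption, not documented pfilter behaviour.

```python
# Toy model of the interface classes described in the reply above.  Added
# illustration, not pfilter's code: it encodes only the stated rules
# (UNFILTERED accepts any inbound connection, 'open' allows a service on
# every interface, FILTERED denies by default, INTERNAL is always PROTECTED
# but whether it is also FILTERED depends on the pfilter version).

# the config Weirong Zhu posted
ZHU_CONFIG = """
INTERNAL eth1   # inside network interface
FILTERED eth0   # outside
open tcp ssh
"""

# the config the reply suggests instead
RECOMMENDED_CONFIG = """
PROTECTED eth1    # inside network gets NAT style packet forwarding
UNFILTERED eth1   # inside network is allowed any connection to this machine
UNPROTECTED eth0  # outside network is not NATTED
FILTERED eth0     # outside network connections not allowed by default
open ssh          # allow ssh connection to this machine from anywhere
"""

def parse(text):
    """Return ({iface: {'filtered': bool|None, 'protected': bool}}, opened services)."""
    ifaces, opened = {}, set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        kw, args = words[0].upper(), words[1:]
        if kw == 'OPEN':                            # 'open tcp ssh' and 'open ssh' both open ssh
            opened.update(a for a in args if a not in ('tcp', 'udp'))
            continue
        for iface in args:                          # assumed default: filtered, not NATed
            st = ifaces.setdefault(iface, {'filtered': True, 'protected': False})
            if kw == 'INTERNAL':                    # filtered=None: depends on pfilter version
                st['protected'], st['filtered'] = True, None
            elif kw in ('FILTERED', 'UNFILTERED'):
                st['filtered'] = kw == 'FILTERED'
            elif kw in ('PROTECTED', 'UNPROTECTED'):
                st['protected'] = kw == 'PROTECTED'
    return ifaces, opened

def inbound(cfg, iface, service):
    """Verdict for a connection *to this host* arriving on iface."""
    ifaces, opened = parse(cfg)
    if service in opened:
        return 'allow'
    filtered = ifaces.get(iface, {'filtered': True})['filtered']
    if filtered is None:
        return 'version-dependent'
    return 'deny' if filtered else 'allow'
```

Under the posted config, NFS or NIS traffic arriving on eth1 is `version-dependent`, which is exactly the ambiguity the reply points at; the suggested config makes eth1 UNFILTERED and eth0 default-deny with only ssh opened.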
