May I ask, where would you put that rule in the right place in firewall.sh?
Eric "Shubes" wrote:
It should work providing you specify the right IP address for your
local network. ;) Make sure that you add the line in the right place
too, before these packets are dropped.
Works for me.
George M. wrote:
Eric;
The reason why I have disabled iptables during installation is simple, could not ssh, could not do webmail or client connection from the same subnet.
Another post has pointed to my network vulnerability if somebody hacks to my wireless, so I'm converted. If I use your addition to iptables, I think that my internal webmail and client should work as well. Am I correct? (Of course I will try as soon as I can.)
George
Let me start by agreeing with Ron's and Erik's replies. No disagreement
here. However, let me attempt to be a little more direct to the
question.
First and foremost, the iptables toaster rules not only work behind, but are considerate of a NAT'd router. The only exception I've found to this is when trying to ssh in from a local address. I had to add the following to the toaster's firewall.sh in order to be able to run a headless toaster (ssh in from a local address):
# shubes 5/16/06 - accept packets from local net
iptables -A INPUT -s 192.168.???.0/255.255.255.0 -j ACCEPT
#
## Drop outside packets with local addresses - anti-spoofing measure
Other than that, the toaster firewall rules work just fine, and provide an additional layer (think onion) of security.
That being said, there may very well be some toaster firewall rules that never fire because they're redundant with your router's rules. If you care to take the time (and risk), feel free to remove them. The question, though, is why? Redundancy is not always a bad thing, especially when it regards security, and when there's no noticeable difference in performance.
So, do you *need* the additional firewall on the toaster?
Well, not necessarily, but it won't hurt (with the exception noted above).
Should you *use* the additional firewall on the toaster?
By all means yes. If you have a reason not to, I'd like to hear of it.
--
-Eric 'shubes'
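To make the "right place" question concrete, here is an added example (not from the list or from the QmailToaster firewall.sh): a simplified first-match model of the INPUT chain showing that the local-net ACCEPT only works when it sits above the anti-spoofing drops, and that a narrow /24 exemption leaves the other private ranges dropped. The subnet 192.168.1.0/24 is a constructed stand-in for the "192.168.???.0" address in the thread, and the three drop rules are assumed, toaster-style anti-spoofing rules rather than the real script's lines.

```python
import ipaddress

# Constructed stand-in for the 192.168.???.0/255.255.255.0 line in the thread.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Assumed anti-spoofing rules in the spirit of "Drop outside packets with local
# addresses": drop anything claiming an RFC 1918 source. Behind a NAT router
# every LAN host carries such an address, which is why ssh from the LAN died.
ANTI_SPOOF = [
    (ipaddress.ip_network("10.0.0.0/8"), "DROP"),
    (ipaddress.ip_network("172.16.0.0/12"), "DROP"),
    (ipaddress.ip_network("192.168.0.0/16"), "DROP"),
]

# Equivalent of: iptables -A INPUT -s <local net> -j ACCEPT
LOCAL_ACCEPT = (LOCAL_NET, "ACCEPT")


def verdict(chain, src):
    """Walk the chain top to bottom like iptables: the first -s match decides.
    Returns "CONTINUE" when nothing matched (the rest of firewall.sh decides)."""
    addr = ipaddress.ip_address(src)
    for net, target in chain:
        if addr in net:
            return target
    return "CONTINUE"


def place_local_accept(chain, rule=LOCAL_ACCEPT):
    """The right place: insert the ACCEPT just before the first DROP rule."""
    idx = next((i for i, (_, t) in enumerate(chain) if t == "DROP"), len(chain))
    return chain[:idx] + [rule] + chain[idx:]


def appended_too_late(chain, rule=LOCAL_ACCEPT):
    """Appending after the drops (a plain -A at the end) never fires for LAN hosts."""
    return chain + [rule]


if __name__ == "__main__":
    good = place_local_accept(ANTI_SPOOF)
    bad = appended_too_late(ANTI_SPOOF)
    for src in ("192.168.1.20", "192.168.2.9", "10.9.8.7", "203.0.113.5"):
        print(f"{src:>14}: before drops -> {verdict(good, src):8} "
              f"after drops -> {verdict(bad, src)}")
```

Only hosts in the configured /24 are exempted; a packet claiming 10.9.8.7 or 192.168.2.9 still hits the drops, so the anti-spoofing measure keeps its value for everything outside that subnet.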
---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------