hi,

I have a PowerPC machine on which I just installed Debian (this machine is the only one with a modem). I have installed the ipmasq package, which seems to do what is required.

However, I need to mount an NFS share from another machine in the private network on the PowerPC. This of course requires running the portmapper, which happily opens up half a dozen different ports, and ipmasq only protects the internal network; it assumes the firewall itself is secured by shutting down services etc.

I have been reading various firewall howtos and the ipchains howto (along with an OpenBSD document), and I found a trick in the OpenBSD ipfw howto where you can deny all TCP packets with the SYN flag set. This only denies incoming connections to a port (someone trying to telnet in); however, I found you cannot block all ports in this way without breaking ftp, irc and several other things. Only blocking privileged ports from device ppp0 seems to be causing some sort of problem when connecting, as the kernel starts logging all kinds of DENY messages, but the rule causing them is the very last output failsafe that ipmasq creates, not the SYN rejects.

Is there any way I can set this up so I can mount NFS shares without opening all the portmapper crud to the whole world?

What I tried was adding 3 new rules to the very beginning of the input chain:

ipchains -I input 1 -p tcp -i ppp0 -d 0.0.0.0/0 53 -j ACCEPT
ipchains -I input 2 -p tcp -i ppp0 -d 0.0.0.0/0 113 -j ACCEPT
ipchains -I input 3 -l -p tcp -y -i ppp0 -d 0.0.0.0/0 :1023 -j REJECT

but as I mentioned, I get DENY logs for various ports below 1024 from IPs which I presume are from my ISP.

any pointers to good books and such on firewalling would be nice too.

TIA

--
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
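As an added illustration (not part of the original post), here is a small Python model of ipchains first-match evaluation for the three input rules above, using the documented `-y` semantics (SYN set, ACK and FIN clear). The packets are constructed, and the ipmasq failsafe rule is not modelled; the point is to show which packets the SYN rule stops (new inbound connections to privileged ports such as the portmapper on 111) and which it lets through (replies to outbound connections, and inbound SYNs to unprivileged ports, which is why blanket SYN blocking breaks active FTP).

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    iface: str            # interface the packet arrives on
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN", "ACK"}

def syn_only(flags):
    """ipchains -y: SYN set, ACK and FIN clear, i.e. a new inbound connection."""
    return "SYN" in flags and not ({"ACK", "FIN"} & flags)

# (iface, proto, (low port, high port), require -y match, target)
# These mirror the three rules from the post; ":1023" means ports 0-1023.
RULES = [
    ("ppp0", "tcp", (53, 53), False, "ACCEPT"),    # DNS
    ("ppp0", "tcp", (113, 113), False, "ACCEPT"),  # ident
    ("ppp0", "tcp", (0, 1023), True, "REJECT"),    # -y on privileged ports
]

def evaluate(pkt, rules=RULES, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy.
    The input chain policy is assumed to be ACCEPT (an assumption, not from the post)."""
    for iface, proto, (lo, hi), need_syn, target in rules:
        if pkt.iface != iface or pkt.proto != proto:
            continue
        if not lo <= pkt.dport <= hi:
            continue
        if need_syn and not syn_only(pkt.flags):
            continue
        return target
    return policy

# Constructed sample packets, labelled by what they represent.
SAMPLES = {
    "inbound telnet SYN on ppp0":          Packet("ppp0", "tcp", 23, {"SYN"}),
    "inbound portmapper SYN on ppp0":      Packet("ppp0", "tcp", 111, {"SYN"}),
    "inbound DNS SYN on ppp0":             Packet("ppp0", "tcp", 53, {"SYN"}),
    "SYN+ACK reply to our outbound fetch": Packet("ppp0", "tcp", 1025, {"SYN", "ACK"}),
    "active-FTP data SYN to port 1026":    Packet("ppp0", "tcp", 1026, {"SYN"}),
    "portmapper SYN from private LAN":     Packet("eth0", "tcp", 111, {"SYN"}),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:38s} -> {evaluate(pkt)}")
```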
