Limit number of Firewalling Rules

2000-07-21 Thread Esteve Camps
Hi all, is there any limit number of firewall rules to maintain a good networking performance? I'm running kernel 2.2.16 in a K6-300 MHz in a 100Mbit network, and this computer only does routing and firewalling. Maybe there's an equation that gives an idea of it. Thanks all in advanc

Re: Firewalling...

2000-07-07 Thread ksemat
I think you could pick an ip to which all requests to your ip range are routed. then set up your firewall machine to have two ips one for the internal network and one for the ip that receives all your requests. set up ip masquerading and then use a different subnet mask for the internal ip set the

Firewalling...

2000-07-07 Thread Liakakis Kostas
Hi everybody. I would like some advice from your own experience which might be of help with the situation I have. I would like to firewall protect our internal network. The topology is quite simple. There are about 30 servers/workstations interconnected with 2 cascaded switches. One port of a

Firewalling (ipchains) and net-meeting

2000-05-29 Thread Stephen Kitchener
Hi Guys, I am setting up a fire-wall solution with Linux at work and I wonder if anyone has had some experience with net-meeting and its fire-walling rules in ipchains. I seem to remember that there was some difficulty in just allowing a port/tcp through a firewall built with ipchains, and that

Re: Firewalling & Routing

2000-02-07 Thread Glynn Clements
Sebastian Faerber wrote: > i need to setup a linux box which acts as a firewall. > Here's a little diagram to show you how it should work. > The LinuxFirewall has 2 NICs installed, one is connected to a hub, the other > one directly to the router : > > Clients <--> HUB <--> LinuxFirewall <

Firewalling & Routing

2000-02-05 Thread Sebastian Faerber
Hi there, i need to setup a linux box which acts as a firewall. Here's a little diagram to show you how it should work. The LinuxFirewall has 2 NICs installed, one is connected to a hub, the other one directly to the router : Clients <--> HUB <--> LinuxFirewall <-> CiscoRouter <--->Inte

Re: Firewalling and MASQ

1999-12-10 Thread Matthew Vanecek
"Stephen L. Favor" wrote: > > > > The question arises, why would you not want your router to talk to > > > the outside world (if, indeed, I understand your question > > I've been studying hacker tactics for a year or so, which is quite > fun. Anyway, most attacks gain root access by compromisin

Re: Firewalling and MASQ

1999-12-10 Thread Stephen L. Favor
DEMERRE DIETER wrote: > -BEGIN PGP SIGNED MESSAGE- > > "Matthew Vanecek" wrote: > > > > > ipchains -A output -j DENY -p tcp -y -s > > > > > > to block connects from the router as it will also block > > connects from MASQed > > > hosts. > ... > > Have you tried

RE: Firewalling and MASQ

1999-12-09 Thread DEMERRE DIETER
-BEGIN PGP SIGNED MESSAGE- "Matthew Vanecek" wrote: > > "Stephen L. Favor" wrote: > > > > performing MASQ for the internal network. Right now, I > have to leave the > > MASQ port interval open so that it will work and there is > no way to detect if > > an in

Re: Firewalling and MASQ

1999-12-09 Thread Matthew Vanecek
"Stephen L. Favor" wrote: > > Eric Kluft wrote: > > > You'll agree with me that it's extremely hard to attack a client behind a > > masqing server. Extra deny policies or programs are really unnecessary. > > I completely agree. If you'll read my posting again carefully, you will find > that I

Re: Firewalling and MASQ

1999-12-09 Thread Stephen L. Favor
MASQed by the forward chain. > Eric. > > -Original Message- > From: Stephen L. Favor [mailto:[EMAIL PROTECTED]] > Sent: Thursday, December 09, 1999 8:34 PM > To: Glynn Clements > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Firewalling and MASQ > >

RE: Firewalling and MASQ

1999-12-09 Thread Eric Kluft
Sent: Thursday, December 09, 1999 8:34 PM To: Glynn Clements Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: Firewalling and MASQ Glynn Clements wrote: > Stephen L. Favor wrote: > > > I would like to configure a box to forward only TCP and > > UDP packets associated with

Re: Firewalling and MASQ

1999-12-09 Thread Stephen L. Favor
Glynn Clements wrote: > Stephen L. Favor wrote: > > > I would like to configure a box to forward only TCP and > > UDP packets associated with a MASQ session and I can't quite > > figure out a way to do it. I can open 61000:65096 to the world > > and MASQ works fine, but I would prefer only let t

Re: Firewalling and MASQ

1999-12-08 Thread Glynn Clements
Stephen L. Favor wrote: > I would like to configure a box to forward only TCP and > UDP packets associated with a MASQ session and I can't quite > figure out a way to do it. I can open 61000:65096 to the world > and MASQ works fine, but I would prefer only let the ports with > active sessions t

Firewalling and MASQ

1999-12-08 Thread Stephen L. Favor
I would like to configure a box to forward only TCP and UDP packets associated with a MASQ session and I can't quite figure out a way to do it. I can open 61000:65096 to the world and MASQ works fine, but I would prefer only let the ports with active sessions through the firewall. Can anyone tel

Ipchains and firewalling

1999-07-25 Thread Ilan Bloch
Hi all, thanks for your answers and help, the firewall is in place and allows all necessary traffic. There might just still be something I forgot to mention : the linux box firewalling the internal network is also a web server (for the outside) and keeps sending its own Apache messages to

Re: ICMP firewalling question ...

1999-03-20 Thread Glynn Clements
Nicholas J. Leon wrote: > So I finally decided to block various icmp's coming into my system. I'm > aware of what to block and what not, but I do have a question. > > Considering a network like: > > | machine 1 > ---[ppp]--- ---[hub]---| ma

ICMP firewalling question ...

1999-03-20 Thread Nicholas J. Leon
So I finally decided to block various icmp's coming into my system. I'm aware of what to block and what not, but I do have a question. Considering a network like: | machine 1 ---[ppp]--- ---[hub]---| machine 2

Re: username based firewalling.

1999-03-02 Thread Nicholas J. Leon
On Tue, 2 Mar 1999, Normando Marcolongo wrote: # Hi all! # My problem is to prevent some users, on my linux box, from accessing # the internet, excluding some hosts/networks. # e.g. user 'root' and 'normando' will reach every part of the net, # all others will reach only specified subnets lik

username based firewalling.

1999-03-02 Thread Normando Marcolongo
Hi all! My problem is to prevent some users, on my linux box, from accessing the internet, excluding some hosts/networks. e.g. user 'root' and 'normando' will reach every part of the net, all others will reach only specified subnets like 151.100.0.0 and other specified ho

Re: Firewalling Incoming Mail

1999-01-17 Thread Steven Micallef
>I think this question has been answered before but i have forgotten the answer. >Can anybody help me again in this again? > >How to place / configure an internal DNS. The information in the internal >DNS have to put the internal information or external information? For >example my internal network is 10.

Re: ICMP+Firewalling and ...

1998-12-04 Thread Glynn Clements
[EMAIL PROTECTED] wrote: > I have some questions about ICMP and firewalling ... > > I read an old mail in which Glynn recommended to allow forwarding ICMP service 3 > at least... The term is `type 3'. I'm fairly sure that I wouldn't have referred to it as `service 3

Re: ICMP+Firewalling and ...CHEERS ALL

1998-12-04 Thread vincent
On 03-Dec-98 Donald Becker wrote: > On Thu, 3 Dec 1998 [EMAIL PROTECTED] wrote: > >> 3. On the firewall, when everything is wrong i see : >> transmit timeout status 0d >> transmit timeout status 0d >> transmit timeout status 0d >> >> >> What is it and what can i do but reboo

Re: ICMP+Firewalling and ...

1998-12-03 Thread Donald Becker
On Thu, 3 Dec 1998 [EMAIL PROTECTED] wrote: > 3. On the firewall, when everything is wrong i see : > transmit timeout status 0d > transmit timeout status 0d > transmit timeout status 0d > > > What is it and what can i do but reboot ? This is a device driver watchdog timer cl

ICMP+Firewalling and ...

1998-12-03 Thread vincent
Hello all ... I have some questions about ICMP and firewalling ... I read an old mail in which Glynn recommended to allow forwarding ICMP service 3 at least... 1. The main question is WHY ? and WHICH ones ? 2.I take my network book ... There are 2 things .. the type and the code : 2 first bytes

Re: Firewalling Citrix servers?

1998-10-22 Thread Lauri Tischler
dreamwvr wrote: > > hi Steven, > it has been some time since i analyzed Citrix Winframe > servers sec concerns. But since i can't seem to find the details > i had put away this will have to do... Be afraid ...be very afraid:( > enough said. WinFrame is based on Nt 3.51, it's just as sec

Re: Firewalling Citrix servers?

1998-10-22 Thread dreamwvr
hi Steven, it has been some time since i analyzed Citrix Winframe servers sec concerns. But since i can't seem to find the details i had put away this will have to do... Be afraid ...be very afraid:( enough said. Regards,

Firewalling Citrix servers?

1998-10-22 Thread Stephen Costaras
This is more of a general question. Has anyone here worked with Citrix Metaframe servers (Remote desktop servers). At first glance these things look _very_ insecure. I have a department that wants to use this and let it have access to an internal database (as well as external web access for cli

RE: Firewalling question [technique really]

1998-10-22 Thread Glynn Clements
Neil Moore-Smith wrote: > > Now, the problem I see is that suddenly, ANY udp port locally is now > > accessible as long as it originates from port 53 on the outside. This is a > > massive security hole as far as I'm concerned. > > > > What can be done about this? Suggestions? Comments? ... Glynn

RE: Firewalling question [technique really]

1998-10-21 Thread Neil Moore-Smith
On Tuesday, October 20, 1998 10:51 PM, Nicholas J. Leon [SMTP:[EMAIL PROTECTED]] wrote: > > Now, the problem I see is that suddenly, ANY udp port locally is now > accessible as long as it originates from port 53 on the outside. This is a > massive security hole as far as I'm concerned. > > Wha

Re: Firewalling question [technique really]

1998-10-21 Thread Glynn Clements
Nicholas J. Leon wrote: > Ok, so recently Glynn made a comment about using the -b switch in ipfwadm > (which also applies to ipchains). So, with an open mind I reviewed my > firewall rules. > > And I noticed something :). Consider this example: > > ipchains -A input -j ACCEPT -i ppp+ -s 0/0 do

Re: Firewalling question [technique really]

1998-10-21 Thread Woody
On Tue, 20 Oct 1998, Nicholas J. Leon wrote: > Ok, so recently Glynn made a comment about using the -b switch in ipfwadm > (which also applies to ipchains). So, with an open mind I reviewed my > firewall rules. > > And I noticed something :). Consider this example: > > ipchains -A input -j ACCE

Firewalling question [technique really]

1998-10-20 Thread Nicholas J. Leon
Ok, so recently Glynn made a comment about using the -b switch in ipfwadm (which also applies to ipchains). So, with an open mind I reviewed my firewall rules. And I noticed something :). Consider this example: ipchains -A input -j ACCEPT -i ppp+ -s 0/0 domain -p udp My philosophy behind this

Re: Firewalling again (DNS and SMTP)

1998-10-19 Thread Glynn Clements
[EMAIL PROTECTED] wrote: > I followed your advice for DNS and firewalling but it didn't work ... i had to > add (after the first arrow) : > > # By default, deny all services > /sbin/ipfwadm -F -p deny Hint: try replacing `deny' with `reject'

Firewalling again (DNS and SMTP)

1998-10-19 Thread vincent
Hello all again ... I followed your advice for DNS and firewalling but it didn't work ... i had to add (after the first arrow) : # By default, deny all services /sbin/ipfwadm -F -p deny /sbin/ipfwadm -O -p accept /sbin/ipfwadm -I -p accept # Clear the trace rules

Re: Firewalling and DNS (for the moment ...)

1998-10-18 Thread Malware
Hi [EMAIL PROTECTED], you wrote: > First DNS. > I read Firewall HOWTO to set rules for ipfwadm and i deny everything for F,I > and O. As you deny incoming and outgoing too it is not sufficient to set forwarding rules to enable DNS traffic. Before the packets are filtered by the forwarding rules t

Firewalling and DNS (for the moment ...)

1998-10-18 Thread vic
Hello all, I try to set up firewall on my public network. First DNS. I read Firewall HOWTO to set rules for ipfwadm and i deny everything for F,I and O. In my rules as HOWTO says i did like this for my 2 public DNS servers (195.115.167.5 and .12) ipfwadm -F -a accept -b -P udp -S 0.0.0.0/0 53 -D