Re: [Sheflug] Re: Firewall Stuff
> No, I'd really like to learn more about firewalls. Help from Alex and
> a mix and match between books seems to be working. The IPCHAINS howto
> is a museum piece in comparison with the Linux and open BSD security
> books.
>
> Looking at the stuff in front of me it's become obvious that some
> people prefer to start with a DENY policy at the top and others prefer
> an ACCEPT policy and then block out a few things. DENY is fine for a
> single dialup box but it doesn't like home networks.
>
> When I've finished this one I have to try to work out dial on demand
> with i4L. I thought diald might work but I can't find anyone who
> knows anything about using it with isdnctrl and friends.
>
> Thanks
Using a default policy of DENY does work for home networks -- I've always had
ipfwadm and ipchains with this policy since student days and house networks
:) Only got two boxes on now, but it works fine.
What you really need to do is something like:
- set input policy DENY, output ACCEPT, forward DENY
- masquerade packets on your internal net to the internet
- allow inbound TCP packets that are not requesting a
connection - this'll make all your web stuff work from
the firewall box.
- allow known UDP packets through the firewall - this will
probably just be DNS, so the firewall needs to allow
UDP packets that have a source port of 53. You can
usually configure bind to have a fixed client port,
so you can tighten the rule to say UDP source 53,
dest 1024 (or whatever).
You may (or may not) be interested in the firewall script I've got which
allows you to forget about the numerous switches in ipchains, and just
concentrate on the firewall rules - basically, the script parses a config
file with all the firewall rules in. If interested,
http://www.nccnet.co.uk/~sixie/firewall-rc-1.2.tar.gz is where you can fetch
it from. There's a rather comprehensive commented config with it as well. It
may help you, or it may confuse you even more :)
Chris...
--
Chris Johnson \ "If not for me then, do it for yourself. If not
sixie@nccnet.co.uk \ for then do it for the world." -- Stevie Nicks
www.nccnet.co.uk/~sixie/ ~---------------------------------------+
Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \______
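The four-step recipe above, written out as one ipchains script. This is an added example, not Chris's firewall-rc package and not code from the original post. The interface names (ppp0 for the ISDN link, eth0 for the LAN), the 192.168.1.0/24 internal net, the 192.0.2.53 resolver address and the fixed DNS client port 1024 are all assumptions; set them to your own values through the environment. The loopback, anti-spoofing and ip_forward lines go beyond what the post lists but are needed for the ruleset to be usable. Run it with no arguments to print the rules it would load; run it as root with --apply to load them.

```shell
#!/bin/sh
# Added example: a default-DENY ipchains ruleset for a masquerading home
# gateway (kernel 2.2 era). Not from the original post; all values below
# are assumptions and can be overridden from the environment.

EXT_IF=${EXT_IF:-ppp0}                  # assumption: dial-up / ISDN link
INT_IF=${INT_IF:-eth0}                  # assumption: LAN interface
INT_NET=${INT_NET:-192.168.1.0/24}      # assumption: RFC 1918 home LAN
DNS_SERVER=${DNS_SERVER:-192.0.2.53}    # assumption: ISP resolver (documentation address)
DNS_CLIENT_PORT=${DNS_CLIENT_PORT:-1024} # assumption: bind's fixed query-source port
IPCHAINS=${IPCHAINS:-ipchains}

# Emit the rules, one command per line, so they can be inspected (dry run)
# or executed (apply_rules). Lines starting with '#' are comments only.
gen_rules() {
    cat <<EOF
# flush and set the default policies the post recommends
$IPCHAINS -F
$IPCHAINS -P input DENY
$IPCHAINS -P output ACCEPT
$IPCHAINS -P forward DENY
# loopback and the internal interface are trusted
$IPCHAINS -A input -i lo -j ACCEPT
$IPCHAINS -A input -i $INT_IF -s $INT_NET -j ACCEPT
# anti-spoofing: nothing arriving on the external link may claim a LAN address
$IPCHAINS -A input -i $EXT_IF -s $INT_NET -j DENY -l
# masquerade the internal net out of the external link (-i is the OUTPUT
# interface in the forward chain)
$IPCHAINS -A forward -i $EXT_IF -s $INT_NET -j MASQ
# inbound TCP that is not a connection request: -y matches SYN set with
# ACK and FIN clear, so '! -y' admits replies to connections we started
$IPCHAINS -A input -i $EXT_IF -p tcp ! -y -j ACCEPT
# DNS replies: UDP from the resolver's port 53 to our fixed client port
$IPCHAINS -A input -i $EXT_IF -p udp -s $DNS_SERVER 53 -d 0.0.0.0/0 $DNS_CLIENT_PORT -j ACCEPT
EOF
}

# Number of actual ipchains commands in the generated ruleset.
rule_count() {
    gen_rules | grep -c "^$IPCHAINS "
}

# Load the rules into the kernel. Needs root; masquerading also needs
# forwarding switched on.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | while read -r line; do
        case $line in ''|\#*) continue ;; esac
        $line || { echo "failed: $line" >&2; return 1; }
    done
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Two things to keep in mind when using this. The fixed client port on the UDP rule only works if the resolver on the firewall really does send from that port; with bind that is the query-source option in named.conf, and without it the destination port must be opened as a range (1024 and up) instead. And '! -y' is a packet filter, not connection tracking: any inbound TCP segment without a lone SYN is accepted, so ACK or FIN probes still reach the host's TCP stack and are rejected there rather than by the firewall. Stateful filtering of that kind only arrived with iptables on 2.4 kernels.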
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.