ipfwadm: can't telnet on firewall's internal interface

Post by Michael Agbaglo » Sat, 06 Feb 1999 04:00:00

Hi !

When I install the configuration below I can't telnet/ping/ftp 10.0.0.1
- why ? 10.0.0.1 should be in 10.0.0.0/0 ...

FW=/sbin/ipfwadm
EXT_IF1=eth1
EXT_IF2=ippp0
INT_IF=eth0
LOOP_IF=lo
LOCALHOST=10.0.0.1
LAN=10.0.0.0/8

${FW} -F -f
${FW} -I -f
${FW} -O -f

${FW} -F -p deny
${FW} -I -p deny
${FW} -O -p deny

# loopback
${FW} -I -a accept -S ${LOOPBACK} -D ${LOOPBACK} -W ${LOOP_IF}
${FW} -O -a accept -S ${LOOPBACK} -D ${LOOPBACK} -W ${LOOP_IF}

# LAN
${FW} -I -a accept -S ${LAN} -D ${LOCALHOST} -W ${INT_IF}
${FW} -O -a accept -S ${LOCALHOST} -D ${LAN} -W ${INT_IF}

ipfwadm: can't telnet on firewall's internal interface

Post by Tobias Reckhard (jest » Tue, 09 Feb 1999 04:00:00

On Fri, 05 Feb 1999 10:56:28 +0100, Michael Agbaglo

>When I install the configuration below I can't telnet/ping/ftp 10.0.0.1
>- why ? 10.0.0.1 should be in 10.0.0.0/0 ...

True, 10.0.0.1 is covered by 10.0.0.0/8 (not /0, but I suppose that's
a typo you made). Let's have a look at your script.

>FW=/sbin/ipfwadm
>EXT_IF1=eth1
>EXT_IF2=ippp0
>INT_IF=eth0
>LOOP_IF=lo
>LOCALHOST=10.0.0.1
>LAN=10.0.0.0/8

OK. Note, however, that you don't define $LOOPBACK, which your script
uses below. This should cause an ipfwadm error message, though. Have
you tried invoking the script from the command line so you can see its
output?

>${FW} -F -f
>${FW} -I -f
>${FW} -O -f

Flushing all rules - ok.

>${FW} -F -p deny
>${FW} -I -p deny
>${FW} -O -p deny

Setting default policies to deny - ok.

># loopback
>${FW} -I -a accept -S ${LOOPBACK} -D ${LOOPBACK} -W ${LOOP_IF}
>${FW} -O -a accept -S ${LOOPBACK} -D ${LOOPBACK} -W ${LOOP_IF}

These rules concerning the lo interface may be too strict. I believe I
had to extend them in my case. I suggest you install a catch-all rule
that logs any packets that aren't covered by your rules, see below for
an explanation.

># LAN
>${FW} -I -a accept -S ${LAN} -D ${LOCALHOST} -W ${INT_IF}
>${FW} -O -a accept -S ${LOCALHOST} -D ${LAN} -W ${INT_IF}

This looks good. You don't need a protocol identifier (its absence
struck me as a little odd at first) as you don't specify any ports. I
don't see why your rules should disable telnet from the LAN to the
Linux box, so I suggest you add the logging parameter to your rules,
i.e. append a '-o' to all of them. You should also install the
following catch-all rules, placing them below the rules you have so
far:

$FW -I -a deny -S 0/0 -D 0/0 -o
$FW -F -a deny -S 0/0 -D 0/0 -o
$FW -O -a deny -S 0/0 -D 0/0 -o

These won't change the behaviour of your Linux box, but they will log
any denied packets, so you can monitor /var/log/messages while
attempting your telnet connection and see if the firewalling rules are
the reason it isn't working.

Oh, you could also check if the rules are installed properly at all by
examining the output of 'ipfwadm -Ilne ; ipfwadm -Flne ; ipfwadm
-Olne'.

Tobias
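Added example, not code from either post in the thread: Michael's script with the changes Tobias suggests applied (a $LOOPBACK definition, '-o' appended to every rule, and logging catch-all deny rules placed after the existing ones, matching the advice on the undefined variable and on the catch-all rules above), plus a small awk helper that summarises the denied-packet lines those rules write to /var/log/messages, so the telnet attempt can be checked against the log. The 127.0.0.1 value for LOOPBACK, the FW=echo dry-run default, the function names, and the sample log lines (including their "IP fw-in deny ..." field layout) are my assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example, not from the thread.  FW defaults to "echo" so the rule set can
# be dry-run on any host; set FW=/sbin/ipfwadm to install the rules for real.

FW="${FW:-echo}"
EXT_IF1=eth1
EXT_IF2=ippp0
INT_IF=eth0
LOOP_IF=lo
LOOPBACK=127.0.0.1          # assumed value; the original script never defined it
LOCALHOST=10.0.0.1
LAN=10.0.0.0/8

# Flush, set deny policies, install the accept rules with logging ('-o') and
# finish with logging catch-all denies.  The catch-alls do not change what is
# accepted; they only make every denied packet show up in syslog.
install_rules() {
    ${FW} -F -f
    ${FW} -I -f
    ${FW} -O -f

    ${FW} -F -p deny
    ${FW} -I -p deny
    ${FW} -O -p deny

    # loopback (kept as in the original; the catch-all logs will show whether
    # these need to be widened, e.g. for lo traffic addressed to 10.0.0.1)
    ${FW} -I -a accept -S ${LOOPBACK} -D ${LOOPBACK} -W ${LOOP_IF} -o
    ${FW} -O -a accept -S ${LOOPBACK} -D ${LOOPBACK} -W ${LOOP_IF} -o

    # LAN <-> firewall host
    ${FW} -I -a accept -S ${LAN} -D ${LOCALHOST} -W ${INT_IF} -o
    ${FW} -O -a accept -S ${LOCALHOST} -D ${LAN} -W ${INT_IF} -o

    # catch-all: deny and log everything not matched above
    ${FW} -I -a deny -S 0/0 -D 0/0 -o
    ${FW} -F -a deny -S 0/0 -D 0/0 -o
    ${FW} -O -a deny -S 0/0 -D 0/0 -o
}

# Show what is actually installed (the check suggested in the reply).
list_rules() {
    ${FW} -Ilne
    ${FW} -Flne
    ${FW} -Olne
}

# Read syslog lines on stdin and count denied/rejected packets per chain,
# interface, protocol, source host and destination:port.  The field layout
# "IP fw-<chain> <action> <iface> <proto> <src:port> <dst:port> ..." is an
# assumption about the kernel's ipfwadm log format; other lines are ignored.
summarize_denied() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^fw-(in|out|fwd)$/) break
        if (i > NF) next                         # not an ipfwadm log line
        chain = $i; action = $(i+1); iface = $(i+2); proto = $(i+3)
        src = $(i+4); dst = $(i+5)
        if (action != "deny" && action != "rej") next
        sub(/:[^:]*$/, "", src)                  # drop the ephemeral source port
        count[chain " " iface " " proto " " src " -> " dst]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of /var/log/messages during a telnet attempt from the LAN.
SAMPLE_LOG='Feb  5 10:56:28 fw kernel: IP fw-in deny eth0 TCP 10.0.0.5:1035 10.0.0.1:23 L=44 S=0x00 I=6301 F=0x4000 T=64
Feb  5 10:56:31 fw kernel: IP fw-in deny eth0 TCP 10.0.0.5:1036 10.0.0.1:23 L=44 S=0x00 I=6302 F=0x4000 T=64
Feb  5 10:56:40 fw kernel: IP fw-out deny lo TCP 10.0.0.1:1040 10.0.0.1:23 L=44 S=0x00 I=6310 F=0x4000 T=64
Feb  5 10:56:41 fw kernel: IP fw-in acc eth0 TCP 10.0.0.5:1037 10.0.0.1:23 L=44 S=0x00 I=6303 F=0x4000 T=64
Feb  5 10:57:02 fw sshd[123]: unrelated syslog line'

# Dry-run demo: print the rules that would be installed, then summarise the
# constructed log sample.
install_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

Run it once with the default FW=echo to review the rule set, then with FW=/sbin/ipfwadm to install it; afterwards `list_rules` shows the three chains, and `summarize_denied < /var/log/messages` groups the denied packets by chain and destination, which is the quickest way to tell whether the telnet failure is a firewall rule (a "fw-in" or "fw-out" deny for port 23) or something else entirely.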