Very Computer

Thanks, JP

#! /bin/sh
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x
kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP
MASQ modules
#          are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the
PORT method
#
/sbin/modprobe ip_masq_ftp

# Supports the masquerading of RealAudio over UDP.  Without this
module,
#       RealAudio WILL function but in TCP mode.  This can cause a
reduction
#       in sound quality
#
/sbin/modprobe ip_masq_raudio

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
/etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is
received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in
the 192.168.0.x
#         network with a 255.255.255.0 or a "24" bit subnet mask.
#
#         Please change this network number and subnet mask to match
your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.1.0/24 -j MASQ

#! /bin/sh
# rc.firewall - Initial SIMPLE IP Masquerade test for 2.1.x and 2.2.x
kernels using IPCHAINS
#
# Load all required IP MASQ modules
#
#   NOTE:  Only load the IP MASQ modules you need.  All current IP
MASQ modules
#          are shown below but are commented out from loading.

# Needed to initially load modules
#
/sbin/depmod -a

# Supports the proper masquerading of FTP file transfers using the
PORT method
#
/sbin/modprobe ip_masq_ftp

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
/etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "1" > /proc/sys/net/ipv4/ip_forward

# MASQ timeouts
#
#   2 hrs timeout for TCP session timeouts
#  10 sec timeout for traffic after the TCP/IP "FIN" packet is
received
#  160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
#
/sbin/ipchains -M -S 7200 10 160

# Enable simple IP forwarding and Masquerading
#
#  NOTE:  The following is an example for an internal LAN address in
the 192.168.0.x
#         network with a 255.255.255.0 or a "24" bit subnet mask.
#
#         Please change this network number and subnet mask to match
your internal LAN setup
#
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 10.1.1.0/24 -j MASQ

------------------  Posted via CNET Linux Help  ------------------
                    http://www.searchlinux.com

Providing a service from behind a ipmasquerade is quite different from
allowing outgoing sessions through the masquerade. Basically, you'll need
some form of proxy. Checkout socks for a set of suitable proxies.
Remember the outside world has no way of directly addressing the
ipaddresses behind the firewall and can only address a port on your
firewall so that port must start a proxy to relay the connection to your
designated server.

Regards,
John

Regardless, something is needed in addition to the base installed kernel and
ipchains, which is the point that I made. Proxies with socks has been the way
to deal with these situations since the late 80's (of course, back then we had
to live with commercial vendor handouts more often than not).

I don't think your comments contradicted mine at all, the distinction was just
the difference between doing it in or out of the kernel. To be frank, the
leading "No" is a little bit uncalled for.

However, I am quite intrigued by your mention of such features having already
been integrated into the kernel albeit not canonized as yet. It is a logical
extention of the ipchains redirect command and one would hope that such
functionality would be integrated into the distribution soon, saves us from
struggling with poor english documentation.

Thanks for the pointer to your web page. Your comments about virus
vulnerability shows an insight that many people seem to miss with computers
however I do have something to add which I'll post in another posting/email.

Regards,
John