>I just don't get it.
>How should I configure my firewall/masquerading to be hacker proof?
>I have read the ipfwadm manual over and over again..
>I use 10.0.0.x for local net
>I use 220.127.116.11 & .100 for net between router & Linux (router deliv. default)

Is this an official net, registered with the NIC? If not, I suggest you
reconfigure your router and Linux box to use private addresses, if only to be
on the safe side. And it could be you actually want to connect to a
181.100.100.x host as well, who knows? ;)

>Linux: RH 5.0, 3 Modems+ppp+mgetty, 2 eth's
> eth0 10.0.0.1 (to hub)
> eth1 18.104.22.168 (crossed TP-cable to router)
> Default route: 22.214.171.124
> DNS: our ISP
>Router: Ascend Pipeline 25-Px ISDN router (autom. connects to ISP when needed)
> eth0: Dynamic IP from ISP at connect
> eth1: 126.96.36.199 (net to linux box, crossed TP-cable)
>PCs: WinNT, Win95, Win98, modems and/or eth (10.0.0.2 -> .100)
> Gateway: 10.0.0.1
> DNS: our ISP

OK.

>Today: It works. (almost, and not secure enough)
>ok: Linux can access the Internet and the local net
>ok: All PCs can access the Internet
>ok: All PCs can access the local net (ethernetted as well as modem connected)

Modem connected?

>not ok: When a Win95 starts up, I can see (using tcpdump) netbios-*
> traffic going out through the router.. (I just can't stop this!)

The ports used are 137 through 139. To block them, use these rules on the
Linux box to block NetBIOS traffic:
# Output chain (-O): deny NetBIOS, TCP and UDP, ports 137 through 139,
# leaving from the box's router-side address towards anywhere (0/0)
ipfwadm -O -a deny -P tcp -S 188.8.131.52/32 -D 0/0 137:139
ipfwadm -O -a deny -P udp -S 184.108.40.206/32 -D 0/0 137:139
>- Same as above, but fixed netbios-traffic
>- Denying of incoming packets initiated from the outside

Either deny any SYN packets or accept only ACK packets from the outside.

>- Allowing incoming "response packets", responses to inside-initiated traffic

Write rules for all protocols you want to support and include the 'ACK bit
must be set' flag (-k) in any inbound TCP response rules. For UDP this can't
be done, since it doesn't know the concept of response packets, since it's a
connectionless protocol. You won't want UDP traffic to be allowed in general,

>- I want the PCs to be able to use all/most facilities of Internet (masquerading)

This is contradictory to your security requirement, I'm afraid. You can only
allow what you know is safe. And write appropriate rules. It's a complicated

>- I do not want M$-NW traffic (broadcasts etc.) going out the router.

Broadcasts do not cross routers, they'll even stop at the Linux box. Turn off
IPX support in the Linux kernel to be absolutely safe it won't route any IPX
traffic. It won't be able to do that unless you install an IPX routing daemon

> (Connection to ISP established every time a PC starts up/browses M$-net = money)

Hmm.. could be you need to block DNS lookups then. Coming from port 137 and
going to port 53 on the DNS server, UDP. Maybe followed by a TCP query on the
same ports if unsuccessful, but I'm not sure about that. Log some packets to
see (use '-o' in ipfwadm and check /var/log/messages on the Linux box).

>- I want to block unwanted traffic from the Internet

What is unwanted? Remember though, that ipfwadm can only distinguish packets
by OSI levels 3 and 4, i.e. TCP/IP. For higher-level checks you need proxy
servers running as bastion hosts.

>- I want PCs dialing into Linux modems to access the local net (TCP/IP & M$-nw)

Haven't done that yet, sorry. Should work with mgetty, though.

>I also tried the fwconfig program (web-based) but I don't understand the
>generated rules... (It seems as if they took it away.. it used to be at
>http://www.openpro.org/fwconfig but it's not there anymore..!)

I suggest you learn ipfwadm itself, it isn't that hard after a short while.
The ruleset can become very complicated, but no front end will be able to help
you with that, you absolutely need to understand your rules.

>Please, could any kind soul help me to generate a (well commented) script?

Sure, email me and tell me exactly what you want to do if you run into
difficulties. But read the ipfwadm and ipfw man pages first and gather some
information about the protocols you want to allow.
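The kind of commented script the poster asks for, written here as an added example and not taken from either participant: it turns the reply's advice (outbound NetBIOS denied and logged, inbound TCP accepted only with the ACK bit set, UDP opened only for the ISP's resolver, LAN traffic masqueraded) into an ipfwadm ruleset. The interface names, the 10.0.0.0/24 LAN and the 192.0.2.x addresses are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not the poster's or the replier's script: an ipfwadm ruleset
# following the advice in the reply. Assumed placeholders: LAN 10.0.0.0/24 on
# eth0, link to the router on eth1 with OUTSIDE_IP as the box's address there,
# DNS_SERVER as the ISP's resolver. Rules are only printed unless IPFWADM is
# pointed at the real binary (IPFWADM=/sbin/ipfwadm ./fw.sh).

IPFWADM="${IPFWADM:-echo}"
LAN_NET="10.0.0.0/24"
OUTSIDE_IF="eth1"
OUTSIDE_IP="${OUTSIDE_IP:-192.0.2.1}"     # placeholder (documentation range)
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"    # placeholder (documentation range)

fw() { "$IPFWADM" "$@"; }

apply_rules() {
    # Empty the input (-I), output (-O) and forwarding (-F) chains and set
    # their default policy (-p) to deny: anything not matched below is dropped.
    fw -I -f; fw -O -f; fw -F -f
    fw -I -p deny; fw -O -p deny; fw -F -p deny

    # Loopback and the LAN side are trusted on the input chain.
    fw -I -a accept -W lo -S 0/0 -D 0/0
    fw -I -a accept -W eth0 -S "$LAN_NET" -D 0/0

    # NetBIOS (137-139, TCP and UDP) must never leave towards the router,
    # whether masqueraded from a PC or sent by the box itself; -o logs each
    # hit to /var/log/messages so the offending machine can be identified.
    for proto in tcp udp; do
        fw -O -a deny -o -W "$OUTSIDE_IF" -P "$proto" -S 0/0 -D 0/0 137:139
    done

    # Inbound TCP on the outside interface: accept only packets carrying the
    # ACK bit (-k), i.e. replies to connections opened from inside. A bare SYN
    # from the Internet matches nothing and falls through to the deny policy.
    fw -I -a accept -W "$OUTSIDE_IF" -P tcp -k -S 0/0 -D "$OUTSIDE_IP/32"

    # UDP has no ACK bit, so no generic "reply" rule exists: allow only the one
    # UDP source known to be needed, answers from the ISP's resolver.
    fw -I -a accept -W "$OUTSIDE_IF" -P udp -S "$DNS_SERVER/32" 53 -D "$OUTSIDE_IP/32"

    # Everything else may leave; LAN traffic to the Internet is masqueraded.
    fw -O -a accept -S 0/0 -D 0/0
    fw -F -a masquerade -S "$LAN_NET" -D 0/0
}

apply_rules
```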