ipfwadm & masquerade

ipfwadm & masquerade

Post by Patrick Financ » Tue, 31 Aug 1999 04:00:00



Hi,

I'm trying to configure a secure firewall that also gives my local network
access to the Internet.

Here is a part of my rc.firewall file:
#!/bin/sh
# patch for the FTP Masq
modprobe ip_masq_ftp

# flush everything
ipfwadm -F -f
ipfwadm -O -f
ipfwadm -I -f

# default policy : deny
ipfwadm -F -p deny
ipfwadm -I -p deny
ipfwadm -O -p deny

# masquerade lines
ipfwadm -F -a accept -m -S 172.16.6.0/255.255.255.0 -D 0.0.0.0/0

# other lines regarding the firewall security... (not put in this message).

It works if I put accept as default policy, but if I put deny, my masquerade
won't work.
I must have forgotten some more lines in this configuration to make my
masquerade work.

Please, if someone could give me the lines which are missing. I have already
looked at some HOWTOs, but they don't give me a working config. I need
someone's experience.

Cheers
Guillaume


ipfwadm & masquerade

Post by Gilles » Tue, 31 Aug 1999 04:00:00


I wish you would put:
LOCNET="172.16.0.0/24"
ANY="0.0.0.0/0"
...
ipfwadm -F -p deny
...
and on the last line:
ipfwadm -F -a accept -m -S $LOCNET -D $ANY
Note the /24 for the mask, and not 255.255.255.0.
That was an error...
See you soon on the net.
Gilles



> Hi,

> I'm trying to configure a secure firewall that also gives my local network
> access to the Internet.

> Here is a part of my rc.firewall file:
> #!/bin/sh
> # patch for the FTP Masq
> modprobe ip_masq_ftp

> # flush everything
> ipfwadm -F -f
> ipfwadm -O -f
> ipfwadm -I -f

> # default policy : deny
> ipfwadm -F -p deny
> ipfwadm -I -p deny
> ipfwadm -O -p deny

> # masquerade lines
> ipfwadm -F -a accept -m -S 172.16.6.0/255.255.255.0 -D 0.0.0.0/0

> # other lines regarding the firewall security... (not put in this message).

> It works if I put accept as default policy, but if I put deny, my masquerade
> won't work.
> I must have forgotten some more lines in this configuration to make my
> masquerade work.

> Please, if someone could give me the lines which are missing. I have already
> looked at some HOWTOs, but they don't give me a working config. I need
> someone's experience.

> Cheers
> Guillaume



ipfwadm & masquerade

Post by Allen Won » Tue, 31 Aug 1999 04:00:00


Patrick,

    Do you mean you need to put ACCEPT as the default policy for all
your ipfwadm rules or just your forwarding ruleset?

Allen
--
Linux:  If you're not careful, you might actually learn something.


ipfwadm & masquerade

Post by Patrick Financ » Tue, 31 Aug 1999 04:00:00


To secure my firewall, I want to put deny on everything (Input, Output,
Forward), and then add accept lines to, for instance, allow my local network
to access the Internet.

What I'm looking for is:

after I have denied everything (ipfwadm -F -p deny / ipfwadm -I -p deny /
ipfwadm -O -p deny), how can I let my local network access the Internet
using the Masquerade?

The line I have put is:
ipfwadm -F -a accept -m -S 172.16.6.0/255.255.255.0 -D 0.0.0.0/0

This line doesn't seem to be enough to let my local network access the
Internet. Do you have any idea of what lines I should add to make this work?


ipfwadm & masquerade

Post by Patrick Financ » Tue, 31 Aug 1999 04:00:00


Sorry, but this doesn't change anything in my config.

I'm actually using this method to write my scripts, but I just gave a simple
example.

What I was looking for was any suggestion to make my masquerade work.

Regards
Patrick


> I wish you would put:
> LOCNET="172.16.0.0/24"
> ANY="0.0.0.0/0"
> ...
> ipfwadm -F -p deny
> ...
> and on the last line:
> ipfwadm -F -a accept -m -S $LOCNET -D $ANY
> Note the /24 for the mask, and not 255.255.255.0.
> That was an error...
> See you soon on the net.
> Gilles



>> Hi,

>> I'm trying to configure a secure firewall that also gives my local network
>> access to the Internet.

>> Here is a part of my rc.firewall file:
>> #!/bin/sh
>> # patch for the FTP Masq
>> modprobe ip_masq_ftp

>> # flush everything
>> ipfwadm -F -f
>> ipfwadm -O -f
>> ipfwadm -I -f

>> # default policy : deny
>> ipfwadm -F -p deny
>> ipfwadm -I -p deny
>> ipfwadm -O -p deny

>> # masquerade lines
>> ipfwadm -F -a accept -m -S 172.16.6.0/255.255.255.0 -D 0.0.0.0/0

>> # other lines regarding the firewall security... (not put in this message).

>> It works if I put accept as default policy, but if I put deny, my masquerade
>> won't work.
>> I must have forgotten some more lines in this configuration to make my
>> masquerade work.

>> Please, if someone could give me the lines which are missing. I have already
>> looked at some HOWTOs, but they don't give me a working config. I need
>> someone's experience.

>> Cheers
>> Guillaume


ipfwadm & masquerade

Post by Allen Won » Tue, 31 Aug 1999 04:00:00


Patrick,

    If the default policy for your input ruleset is deny, you will need
to open up your gateway to data packets from your local network.  Do you
have such a rule?  It should look like this:

/sbin/ipfwadm -I -a accept -S 172.16.6.0/24 -D 0/0

You should also have a proper output rule, something like:

/sbin/ipfwadm -O -a accept -S 172.16.6.0/24 -D 0/0

Actually, I don't think you need to set the policy for outgoing packets
to "DENY".  If someone is smart enough to get past your firewall, he's
probably smart enough to change your firewall rules.
    If you post your entire ruleset for input, output and forward, we
can examine it to see what's wrong.  As you're using Outlook Express to
do this, you should probably save your firewall script on a vfat floppy
and send it as a file attachment.

Allen
--
Linux:  If you're not careful, you might actually learn something.
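Pulling the thread's advice together, here is an added example (not code from any of the posts above) of a deny-by-default ipfwadm ruleset in the style of Patrick's rc.firewall, written for a 2.0 kernel. Everything about the topology is an assumption: eth0 on the LAN 172.16.6.0/24, eth1 on the Internet with a placeholder public address, and the 61000-65096 local port range that 2.0 kernels hand out to masqueraded connections. The rule that is easy to forget once the input policy is deny is the one accepting replies from the Internet to those masquerade ports on the outside interface: without it the outgoing SYN leaves the gateway, but every answer is dropped, which matches the symptom described in the thread. Setting IPFWADM=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not taken from any post in this thread: a deny-by-default
# ipfwadm ruleset for a two-interface masquerading gateway on a 2.0 kernel.
# Assumptions (placeholders, change them for your box): eth0 faces the LAN
# 172.16.6.0/24, eth1 faces the Internet and carries the public address
# EXT_IP.  Set IPFWADM=echo to print the rules instead of loading them.

IPFWADM="${IPFWADM:-/sbin/ipfwadm}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
LAN_IF="${LAN_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
LOCNET="${LOCNET:-172.16.6.0/24}"
EXT_IP="${EXT_IP:-192.0.2.1}"   # placeholder from TEST-NET-1, not a real address
ANY="0/0"
# Local ports a 2.0 kernel uses as the source of masqueraded connections.
MASQ_PORTS="61000:65096"

# Print one rule (the arguments ipfwadm will receive) per line.
rule() {
    printf '%s\n' "$*"
}

# Emit every rule in load order.  ipfwadm takes the first matching rule,
# so the anti-spoofing deny is placed before the accepts.
firewall_rules() {
    # Flush all three rulesets and deny everything by default.
    rule -F -f
    rule -I -f
    rule -O -f
    rule -F -p deny
    rule -I -p deny
    rule -O -p deny
    # Loopback traffic is local to the gateway.
    rule -I -a accept -W lo -S $ANY -D $ANY
    rule -O -a accept -W lo -S $ANY -D $ANY
    # Anti-spoofing: log and drop packets arriving from the Internet that
    # claim a LAN source address.
    rule -I -a deny -o -W $EXT_IF -S $LOCNET -D $ANY
    # Step 1: LAN packets enter the gateway on the inside interface.
    rule -I -a accept -W $LAN_IF -S $LOCNET -D $ANY
    # Step 2: they are forwarded and masqueraded out of the outside interface.
    rule -F -a accept -m -W $EXT_IF -S $LOCNET -D $ANY
    # Step 3: after masquerading their source is EXT_IP, so the output
    # ruleset sees them leave with that address.
    rule -O -a accept -W $EXT_IF -S $EXT_IP -D $ANY
    # Step 4: replies come back addressed to EXT_IP on a masquerade port.
    # No -k (ACK-only) here: ip_masq_ftp needs the FTP server's incoming
    # data-connection SYN to reach a masquerade port.
    rule -I -a accept -W $EXT_IF -P tcp -S $ANY -D $EXT_IP $MASQ_PORTS
    rule -I -a accept -W $EXT_IF -P udp -S $ANY -D $EXT_IP $MASQ_PORTS
    # ICMP errors (unreachable, TTL exceeded) addressed to the gateway.
    rule -I -a accept -W $EXT_IF -P icmp -S $ANY -D $EXT_IP
    # Step 5: de-masqueraded replies leave on the inside interface to the LAN.
    rule -O -a accept -W $LAN_IF -S $ANY -D $LOCNET
}

# Load the FTP masquerade helper and feed every rule to ipfwadm, stopping
# at the first failure.
load_firewall() {
    "$MODPROBE" ip_masq_ftp || return 1
    firewall_rules | while read -r line; do
        # Word splitting of $line into separate arguments is intended.
        $IPFWADM $line || exit 1
    done
}

# Number of emitted rules that belong to one ruleset (-I, -O or -F).
count_rules() {
    firewall_rules | grep -c -- "^$1 "
}

case "${1:-}" in
    load) load_firewall ;;
    show) firewall_rules ;;
esac
```

Run it as `sh rc.firewall load` on the gateway; `sh rc.firewall show`, or `IPFWADM=echo sh rc.firewall load`, prints the ipfwadm invocations so the ordering can be reviewed before anything is loaded. With the input policy left at deny, each of the five numbered steps needs its own accept, and the script keeps them next to each other so a missing one is easy to spot.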


ipfwadm & masquerading

    Hi,

    I've been trying to forward packets through a multi-homed firewall.
Since the inner network has 192.168.x.x addresses, I need to masquerade
outgoing packets.
The TCP connection works perfectly. I can open a telnet connection, or
whatever uses TCP, through the firewall.
    However, the same rule applied to UDP packets instead of TCP fails.
If I try to open an FTP connection for example (not to talk about ping),
everything goes well until I issue a 'dir' command for example. My
understanding of the FTP protocol is that it opens a UDP connection at
that point.
    I did try to forward UDP packets over two networks sharing the same
IP address, and it works, so I am wondering whether IP masquerade is
actually working for UDP?

    Anyone has an answer or idea about the problem?

    TIA for any help.

--
+------------------------------------------------------+----------------+
|    I have no talent. I make a quick mind my talent.  |   My opinions  |
| I have no castle. The immutable spirit is my castle. | are my very own|
+------------------------------------------------------+----------------+
