
Port forwarding with Ipmasq and DSA-389-1



On Sat, Sep 20, 2003 at 06:05:01PM -0400, Matt Zimmerman wrote:
> Subject: [SECURITY] [DSA-389-1] New ipmasq packages fix insecure
> packet filtering rules

| #$IPTABLES -A FORWARD -o $i -i ${j%%:*} -d $IPOFIF/$NMOFIF -j ACCEPT
| $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

This broke the port forwarding rules I have.  I don't know what I'm
doing, but now the forwarding rules I have in <rules/F10portfw.rul>
don't help me (and if I reverse the comment above, things work again).

| $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \
|         -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
| $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 515 \
|         -j DNAT --to $PRINTERIP:515

What should I do to get port forwarding working with this security fix
intact?  Perhaps you only need to add "NEW" to the above state line?

Please give me CCs, because I am not subscribed.

-- 
Tom Goulet				mail: uid0@em.ca
UID0 Unix Consulting			web:  em.ca/uid0/
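
Added example, not part of the original post and not ipmasq's own code: netfilter runs the nat PREROUTING chain before the filter FORWARD chain, so a DNATed packet reaches FORWARD with its destination already rewritten to $PRINTERIP, and a FORWARD rule matching `-d $EXTIP` never sees it. The sketch prints the rules in dry-run mode and lints a rule set for that mismatch; the interface names, addresses and function names are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample values (assumptions, not taken from the post).
EXTIF=eth0 INTIF=eth1 EXTIP=203.0.113.10 PRINTERIP=192.168.1.50

# Dry run by default: print the commands instead of changing netfilter.
IPTABLES=${IPTABLES:-echo iptables}

# The rules as posted: FORWARD matches the pre-DNAT destination.
rules_as_posted() {
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 515 \
        -j DNAT --to $PRINTERIP:515
}

# Adjusted: FORWARD matches the destination the packet carries after DNAT.
# Only NEW is needed here, assuming the RELATED,ESTABLISHED accept rule
# quoted from the updated ipmasq rules is in place.
rules_post_dnat() {
    $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 515 \
        -j DNAT --to-destination $PRINTERIP:515
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $PRINTERIP --dport 515 \
        -m state --state NEW -j ACCEPT
}

# Lint rule lines on stdin: report FORWARD rules whose -d is an address that
# a PREROUTING DNAT rule rewrites. Exit status 1 if any are found.
lint_forward_dst() {
    awk '
      function arg(flag,   i) {
          for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
          return ""
      }
      /PREROUTING/ && /DNAT/ { if ((d = arg("-d")) != "") rewritten[d] = 1 }
      /-A FORWARD/           { fwd[++n] = $0; dst[n] = arg("-d") }
      END {
          for (k = 1; k <= n; k++)
              if (dst[k] in rewritten) { print "never matches: " fwd[k]; bad = 1 }
          exit bad
      }'
}
```

`rules_as_posted | lint_forward_dst` reports the FORWARD rule; `rules_post_dnat | lint_forward_dst` prints nothing and exits 0.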
