Re: question about SPF (mr Meskes, I suppose?)
On Mon, Mar 20, 2000 at 06:56:53PM +0100, Giacomo Mulas wrote:
> Hello, I administer a packet filtering firewall and I would like
> to use SPF on it in order to only allow connections originating from the
> inside network to the outside network (the internet at large). Since the
> documentation on SPF is very terse, could someone post an example
> explaining how to configure spf on Debian in order to only allow, say, udp
> connection initiated from one side of the firewall and deny any incoming
> connection attempts from the other side?
Okay, here's an spf-rules file. Note that this is untested, though.
-P forward REJECT
-A input -j ACCEPT -s <your net> -d 0.0.0.0/0 -p udp
-A forward -j ACCEPT -p udp
-A forward -j REJECT -l
-A input -j REJECT -l
This is a very simple setup. As you see, you just have to list the arguments
to ipchains. That's it. Note, however, that spf creates a new chain named
statinpt where all your input rules will be located. So you cannot
specify a policy for input.
This should do the following:
- set forward policy to REJECT, so there is no forwarding once you shut down
- allow input of udp packets from the inside to the internet
- forward all udp packets
- REJECT every other forwarding
- REJECT every other input
From the top of my head this should work. The input rule for packets coming
back via udp will be created by spf.
> Question 2: since my firewall has to use proxy arp (the only
> way to have the brass here accept a firewall was to make it completely
> transparent for them, with no reconfiguration of anything in the
> inside network) does spf have any special problems with proxy arp?
Not that I know of.
Michael Meskes | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz | Go Rhein Fire!
Tel.: (+49) 2431/72651 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De | Use PostgreSQL!
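Added example, not part of the original thread or of spf itself: a small Python model of what the five rules above do once spf has added its dynamic input rule for udp replies. The inside network (192.168.1.0/24) and the packet sequence are assumed/constructed; spf and ipchains are not involved, this only illustrates the accept/reject decisions.

```python
import ipaddress
from collections import namedtuple

# Assumed inside network; the original rules leave it as "<your net>".
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
Packet = namedtuple("Packet", "iface src dst proto sport dport")


class StatefulFilter:
    """Models the five spf rules: udp out from the inside is accepted and its
    reverse flow remembered (the input rule spf creates for the reply); every
    other forward or input packet is rejected and logged (-l)."""

    def __init__(self):
        self.flows = set()  # (outside_host, outside_port, inside_host, inside_port)
        self.log = []

    def filter(self, pkt):
        if pkt.proto != "udp":
            return self._reject(pkt)  # only udp appears in the ACCEPT rules
        if pkt.iface == "inside" and ipaddress.ip_address(pkt.src) in INSIDE_NET:
            # outbound: accept and record the flow so the reply can come back
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "ACCEPT"
        if pkt.iface == "outside" and (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return "ACCEPT"  # reply to a recorded outbound flow
        return self._reject(pkt)  # unsolicited inbound, or inside traffic with a foreign source

    def _reject(self, pkt):
        self.log.append(f"REJECT {pkt.iface} {pkt.proto} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "REJECT"


def demo():
    """Runs a constructed packet sequence and returns (verdicts, log)."""
    fw = StatefulFilter()
    pkts = [
        Packet("inside", "192.168.1.10", "198.51.100.5", "udp", 5353, 53),   # DNS query out
        Packet("outside", "198.51.100.5", "192.168.1.10", "udp", 53, 5353),  # its reply
        Packet("outside", "203.0.113.7", "192.168.1.10", "udp", 53, 5353),   # unsolicited
        Packet("outside", "198.51.100.5", "192.168.1.10", "tcp", 80, 4000),  # tcp, not listed
        Packet("inside", "203.0.113.9", "198.51.100.5", "udp", 1234, 53),    # wrong source
    ]
    return [fw.filter(p) for p in pkts], fw.log


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```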