[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: question about SPF (mr Meskes, I suppose?)

On Mon, Mar 20, 2000 at 06:56:53PM +0100, Giacomo Mulas wrote:
> 	Hello, I administer a packet filtering firewall and I would like
> to use SPF on it in order to only allow connections originating from the
> inside network to the outside network (the internet at large). Since the
> documentation on SPF is very terse, could someone post an example

You bet!

> explaining how to configure spf on Debian in order to only allow, say, udp
> connection initiated from one side of the firewall and deny any incoming
> connection attempts from the other side?

Okay, here's a spf-rules file. Note, that this is untested though.
-P forward REJECT
-A input -j ACCEPT -s <your net> -d -p udp
-A forward -j ACCEPT -p udp
-A forward -j REJECT -l
-A input -j REJECT -l

This is a very simple setup. As you see you just have to list the arguments
to ipchains. That's it. Note, however, that spf creates a new chain named
statinpt where all you're input rules will be located. So you cannot
specify a policy for input.

This should do the following:
- set forward policy to REJECT, so there is no forwarding once you shutdown
- allow input of udp packets from the inside to the internet
- forward all udp packets
- REJECT every other forwarding
- REJECT every other input

>From the top of my head this should work. The input rule for packets coming
back via udp will be created by spf.

> 	Question 2: since my firewall has to use proxy arp (the only
> way to have the brass here accept a firewall was to make it completely
> transparent for them, with no reconfiguration of anything in the
> inside network) does spf have any special problems with proxy arp?

Not that I know of any.

Michael Meskes                         | Go SF 49ers!
Th.-Heuss-Str. 61, D-41812 Erkelenz    | Go Rhein Fire!
Tel.: (+49) 2431/72651                 | Use Debian GNU/Linux!
Email: Michael@Fam-Meskes.De           | Use PostgreSQL!

Reply to: