
Re: Re[2]: firewall script fighting



At 07:28 PM 4/1/01 +0200, tim@atomstrahl.de wrote:
...
>the server is the router itself (potato). the router=server is
>connected to the internet via isdn and i am on dynamic IP.
>
>
>RO> If it is the router itself, you need to be more specific than "nobody can
>RO> connect to my server". As I read your ruleset, you have not opened any
>RO> destination ports in the typical range (1-1024) for standard services. For
>RO> each service you want to make accessible, you need an input-chain rule
>RO> something like this:
>
>RO>     ipchains -A input -i $DEV_INET -p tcp -d a.b.c.d/32 443 -j ACCEPT
>
>hm, i thought i did open specific services, for example:
>
>#----- allow HTTP ----->
>ipchains -A output -i $DEV_INET -p tcp -d $INET 80 -j ACCEPT
>ipchains -A input -i $DEV_INET -p tcp -s $INET 80 -j ACCEPT ! -y

Look at the input-chain rule first. It ACCEPTs traffic *from* port 80. If
you want to run a Web (http) server on your router (not a smart thing to do
in my opinion, but it's your LAN), you need to ACCEPT traffic *to* port 80.
Note that my example uses the -d flag, not the -s flag. Also, the "! -y"
option you use blocks initiation packets, accepting only reply packets (the
man page could explain this a bit more clearly, but it is there).

The output rule is irrelevant. It ACCEPTs traffic going *out* on the
external interface ($DEV_INET) to other sites (0/0).


>where $INET=0.0.0.0/0, maybe this is my mistake. do i have to enter
>the real IP of the external interface? this would mean i have to reget
>my ip every time i reconnect to internet cause i am on dialup ?

This really depends on how much you want your firewall to protect you. You
can ACCEPT traffic on port 80 with any destination, and I can't immediately
see an added risk caused by that, but it does make your system more open.
But that is a different problem from the one you actually have, which is a
scrambling of the -s and -d flags.

[old stuff deleted]


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------
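The -s/-d mix-up discussed above, as an added example that is not part of the thread: a small sh script that emits the two HTTP rule pairs side by side, the client pair from the quoted script and the server pair the reply asks for. $DEV_INET and $INET are the thread's own variable names; the function names, the dry-run IPCHAINS variable (defaulting to echo so nothing is loaded into the kernel) and the interface name ppp0 used in the usage note are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. IPCHAINS defaults to "echo ipchains"
# so the rules are printed for inspection; run with IPCHAINS=ipchains
# (as root, on a 2.2 kernel) to actually load them.
IPCHAINS="${IPCHAINS:-echo ipchains}"

# Rules that let the router act as an HTTP *client* (this is what the
# quoted script does):
#   output: new connections leaving for remote port 80
#   input:  only replies coming back from port 80 ("! -y" refuses
#           SYN-only packets, i.e. anyone trying to open a connection)
allow_http_client() {
    DEV_INET="$1"; INET="$2"
    $IPCHAINS -A output -i "$DEV_INET" -p tcp -d "$INET" 80 -j ACCEPT
    $IPCHAINS -A input  -i "$DEV_INET" -p tcp -s "$INET" 80 -j ACCEPT ! -y
}

# Rules that let the router act as an HTTP *server*:
#   input:  connections arriving *to* local port 80 (-d, not -s, and no
#           "! -y", because the first packet of an inbound connection is
#           exactly the SYN that "! -y" would drop)
#   output: replies leaving *from* local port 80; these are never SYN-only,
#           so "! -y" is harmless here and keeps the server pair from being
#           reusable to originate outbound connections from source port 80
allow_http_server() {
    DEV_INET="$1"; INET="$2"
    $IPCHAINS -A input  -i "$DEV_INET" -p tcp -d "$INET" 80 -j ACCEPT
    $IPCHAINS -A output -i "$DEV_INET" -p tcp -s "$INET" 80 -j ACCEPT ! -y
}

# Check for a dry-run ruleset: does the input chain contain a rule that
# accepts traffic *to* port 80 without the reply-only restriction? This is
# the rule a server on the router needs and the quoted script lacks.
has_server_input_rule() {
    printf '%s\n' "$1" | grep -q -- '-A input .* -d [^ ]* 80 -j ACCEPT$'
}
```

Usage: `. ./http-rules.sh; allow_http_server ppp0 0.0.0.0/0` prints the server pair; `has_server_input_rule "$(allow_http_client ppp0 0.0.0.0/0)"` fails, which is the quick way to confirm that the client pair alone never lets an inbound connection through. Accepting with destination 0.0.0.0/0 is the simplest option on a dynamic dial-up address, as the reply notes; narrowing -d to the interface's current address has to be redone on every reconnect.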


