Re: your mail

To: debian-firewall@lists.debian.org
Subject: Re: your mail
From: Vineet Kumar <debian-security@virtual.doorstop.net>
Date: Thu, 28 Jun 2001 13:46:26 -0700
Message-id: <20010628134626.A1825@doorstop.net>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <014801c0ff9c$38b2d900$ad0110ac@cybernet>

Hello Abu,

It sounds to me like you're unclear on what that statement you
executed did. If you follow the advice given earlier in this thread
and set up a packet filter, it still won't work because you now have
forwarding disabled. Then you'll write another email and they'll tell
you to echo "1" > /proc/sys/net/ipv4/ip_forward, and it will start
working again, but you still may not understand _why_...

Following directions given elsewhere, you should be able to come up
with a set of ipchains rules that will filter any traffic passing
through your box. In order for the packet filter rules to accomplish
anything at all, you'll need for there to be traffic running through
the box to filter!

That you noticed that someone was able to connect to icq before
indicates that you (at least at one time) had your machine correctly
set up to forward packets through it to the Internet.

Other people on the list have correctly suggested that you should add
a packet filter for security. I think the advice telling you "if you
want to disallow access to icq, disable forwarding" was sort of like
saying "if you don't want to get killed in a car accident, stay home."
Sure, you can't connect to icq if you can't connected to the Internet.

But there are other ways. There are safety belts. There are air bags.
There are Volvos.

You'll need to re-enable ip_forwarding, but make sure that you have
fastened your seat belt (set up your firewall) correctly first. Also
look at the files /etc/network/options and /etc/init.d/networking .
When you echo "0" or "1" > /proc/sys/net/ipv4/ip_forward, you tell the
kernel to disable or enable ipv4 forwarding, but in order to tell
Debian that this machine will be doing this on a regular basis, you'll
have to set it in /etc/network/options, and /etc/init.d/networking
will read that file and notify the kernel appropriately on each boot.

I may not have been much specific help, but I hope I persuade you to
dig a little and understand what we're talking about when we say
"forwarding" and "packet filter" and how to find out more about them.

If I was wrong and you really do know what you're doing, I apologize
for having assumed otherwise, and hopefully my words will help someone
else on the list.

Vineet

* Abu H R (abu@nirwanalestari.com) [010628 12:23]:
> I have tried using {echo "0" /proc/sys/net/ipv4/ip_forward} and after that i the abuser is stopped but it is also stop the other client to using outlook express.
>
>
>

Attachment: pgpXpSh1YoLpL.pgp
Description: PGP signature

Reply to:

References:
- [no subject]
  - From: "Abu H R" <abu@nirwanalestari.com>

Prev by Date: Re: ipchains logging to console
Next by Date: smtp daemons
Previous by thread: Re: your mail
Next by thread: How do I surely know I'm connected ?
Index(es):
- Date
- Thread