
RE: UDP Forwarding & Ipchains



> So I open up the outgoing for each port ALL 3 rules.
> This works.
> Why do I need to open the outgoing, shouldn't
> my MASQ line cover that?

  You said you were using the strong ruleset... I don't know the rules in it
off the top of my head, but I'm betting it only allows commonly used
outbound services (http, dns, smtp, pop3, etc.).

> ps... And what is DMZ?

DMZ, or De-Militarized Zone (taken from US military terminology), is a
section of your network that's protected by a firewall but has internet-
routable IP addresses (or is statically NAT'ed) so that it can be reached
directly from the internet.  Many servers need this scenario, as you can't
access a system that is behind a hide-NAT (or masquerading, as it's
commonly called in the Linux world).

A common scenario is something like this:

                     ____________
                     |          |
                     | Internet |
                     |          |
                      ----------
                           |
                           |
                        ___________
                        |         |
                        |Firewall |
                        |         |
                        -----------
                          |       |
                          |       |
                          |       |
                          |       |
                        ______    _______
                        |    |    |Priv.|        Private
                Public  |DMZ |    | LAN |  <--     IP
                 IP  -->|    |    |     |        Addressing  (ex. 10.1.1.x)
               Addressing------   -------


All the servers in the DMZ have real internet IP addresses (or are directly
translated to them, which people like to do for some ridiculous reason,
possibly thinking it actually protects them) and the internet sees them as
such.  Everything in the office LAN is seen by the internet as one IP
address, just as your network behind your masquerading Linux firewall is
seen.

I hope this lengthy reply answers your question.  =)



Jason Mogavero
Sr. Network Engineer
Inflow, Inc
(303)942-2828


> -----Original Message-----
> From: Kevin Gourley [mailto:qkev@cr430692-a.rchrd1.on.wave.home.com]
> Sent: Wednesday, January 24, 2001 1:11 AM
> To: debian-firewall
> Subject: UDP Forwarding & Ipchains
> 
> 
> 
> Hey.. I have Ipchains setup with the strong ruleset, and masqing.
> I want to host Delta Force Land Warrior games on an internal machine.
> I will be using 3 ports (udp only) for this until I determine what of
> those I do not require. :)
> 
> I add an ipmasqadm portfw line after my ipchains for each port.
> This alone does not work, so I Accept for each port in input, output,
> and forward rules.
> This also does not work.
> 
> An incoming connection goes through Input, Forward, then Output,
> correct? What would be the route for outgoing, the same?
> 
> ps... And what is DMZ?
>   :P
> 
> 
> 
> 
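The rule set the thread is circling around, written out as an added example (this is not code from either poster): for each UDP port, an ipmasqadm portfw entry plus explicit ACCEPT rules in the input, forward and output chains, since a restrictive ruleset will not pass the game host's replies just because a MASQ rule exists. It assumes the ipchains/ipmasqadm syntax of the 2.2-kernel tools; the interface name, addresses and port numbers are constructed placeholders, not the game's real ports. The script prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates the ipchains +
# ipmasqadm commands to forward a few UDP ports to one internal host behind a
# masquerading firewall. All values below are constructed placeholders.
EXT_IF=eth0                  # external (internet-facing) interface
EXT_IP=192.0.2.10            # firewall's public address (documentation range)
LAN_NET=10.1.1.0/24          # private LAN, using the thread's example addressing
GAME_HOST=10.1.1.5           # internal machine hosting the game
GAME_PORTS="3568 3569 3570"  # constructed example ports

# Masquerade everything leaving the private LAN (the line the original poster
# already has; shown so the generated set is complete).
masq_rule() {
    echo "ipchains -A forward -s $LAN_NET -j MASQ"
}

# Rules for one forwarded UDP port. Printed rather than executed so the set
# can be checked against the existing (strong) ruleset first.
udp_portfw_rules() {
    port=$1
    # input chain: accept the inbound UDP packet arriving on the external
    # interface for the firewall's public address
    echo "ipchains -A input -i $EXT_IF -p udp -s 0.0.0.0/0 -d $EXT_IP $port -j ACCEPT"
    # forward chain: once portfw has rewritten the destination, the packet is
    # headed for the internal host (assumed ordering of the 2.2 masq code)
    echo "ipchains -A forward -p udp -s 0.0.0.0/0 -d $GAME_HOST $port -j ACCEPT"
    # output chain: the game host's replies leave masqueraded as EXT_IP.
    # A restrictive outbound policy blocks these; MASQ alone does not open them.
    echo "ipchains -A output -i $EXT_IF -p udp -s $EXT_IP $port -d 0.0.0.0/0 -j ACCEPT"
    # port forward public address/port to the internal host
    echo "ipmasqadm portfw -a -P udp -L $EXT_IP $port -R $GAME_HOST $port"
}

# Complete rule set: one MASQ rule plus four rules per forwarded port
all_rules() {
    masq_rule
    for p in $GAME_PORTS; do
        udp_portfw_rules "$p"
    done
}

# Number of generated commands, for a quick sanity check (1 + 4 per port)
rule_count() {
    all_rules | wc -l | tr -d ' '
}

# Print by default; pass --apply to feed the commands to a shell as root.
if [ "${1:-}" = "--apply" ]; then
    all_rules | sh
else
    all_rules
fi
```

Running the script with no arguments prints 13 commands for the three placeholder ports; `sh script.sh --apply` executes them. Keeping the ACCEPT rules per port (rather than opening a range) keeps the exposure limited to exactly the ports the game host needs.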


