
Re: Redirecting ports & DHCP Question



Quoting Matthew Kopishke <matt@kopishke.org>:

> Hello folks.
> 
> I have set up a bridging firewall using iptables (2.4.19) and have a 
> quick couple of questions.
> 
> Before I ask my questions I just feel the need to say that the bridging 
> and firewalling code (in this case I mean when the two are used 
> together) has matured quite nicely.  I set up a firewall a year or two 
> ago using 2.2.X/ipchains with brcfg, which at the time seemed a bit 
> like black magic. :)
> 
> Anyway, the first question is I have a Squid Proxy server running on 
> port 13001 doing some caching/filtering.  I was wondering, if it's 
> possible to just have my firewall redirect port 80 to port 13001?  It 
> seems possible, but browsing the man page I didn't find anything that 
> jumped out at me (well there was some NAT stuff, but this isn't a NAT).
> 
> The other question is one that I'm just having trouble tracking down 
> ports on.  We get our IPs via DHCP from a server outside our network 
> and therefore outside the firewall.  I can't seem to be able to open 
> up the holes I need to let the DHCP request/responses flow through.  
> What I have done is open up port 67 & 68 to 0/0, I think that's the 
> first part of the equation, but I'm not sure what the second is.  I'm 
> going to keep wading through the DHCP documentation, but if someone who 
> has been there and done that would be so kind...
> 


 As a DHCP client, you also have to allow traffic in the OUTPUT chain destined
for the broadcast address. And to be on the safe side, try both with the 'whole'
broadcast 255.255.255.255 and with the network broadcast (like 245.221.3.255 for
a class C network), and see which one works for you. 

 Also note that although non-standard, some network admins switch the network
address to the highest and the broadcast to the lowest in the subnet (broadcast
would be 245.221.3.0 and network address would be 245.221.3.255 in the example).

 I'm not sure on this (need to check the DHCP RFC), but maybe you have to allow
traffic sourced from the broadcast address in the INPUT chain also.



> Thanks,
> 
> Matt
> 


 José
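As an added example (not part of José's reply or of Matt's setup), here is a rule set for the DHCP traffic discussed above. It assumes RFC 2131 addressing, a bridge interface named br0, and a DROP policy on the chains involved; it prints the rules by default and only applies them when IPT=iptables is set in the environment.

```shell
#!/bin/sh
# Added example, not from the original posting: iptables rules that pass the
# DHCP exchange discussed above. Addressing follows RFC 2131. The interface
# name (br0) and the file name dhcp-rules.sh are assumptions for illustration.
#
# Dry run by default: the rules are printed, not applied. Apply as root with
#   IPT=iptables sh dhcp-rules.sh br0
IPT="${IPT:-echo iptables}"

# dhcp_client_rules IFACE
# INPUT/OUTPUT rules for a DHCP client running on the firewall host itself.
dhcp_client_rules() {
    ifc="$1"

    # Client -> server is always UDP 68 -> 67, but the IP addresses change
    # with the client's state: DISCOVER and the first REQUEST go from
    # 0.0.0.0 to 255.255.255.255 (no lease yet), a renewal is unicast from
    # the leased address to the server, and a rebind is broadcast from the
    # leased address. Match on the ports only; a rule carrying
    # "-s <your network>" silently drops the 0.0.0.0 packets.
    $IPT -A OUTPUT -o "$ifc" -p udp --sport 68 --dport 67 -j ACCEPT

    # Server -> client is UDP 67 -> 68, sourced from the server (or relay)
    # address, never from the broadcast address. Depending on the server and
    # the client's state it arrives at 255.255.255.255, at the subnet
    # broadcast, or unicast to the offered address, so again do not pin -d.
    $IPT -A INPUT -i "$ifc" -p udp --sport 67 --dport 68 -j ACCEPT
}

# dhcp_forward_rules
# Hosts behind the bridge: their DHCP traffic crosses the bridge and is
# filtered in FORWARD, not INPUT/OUTPUT. No -i/-o here because how bridge
# ports are named in those matches varies between bridge-nf versions.
dhcp_forward_rules() {
    $IPT -A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT   # client -> server
    $IPT -A FORWARD -p udp --sport 67 --dport 68 -j ACCEPT   # server -> client
}

dhcp_client_rules "${1:-br0}"
dhcp_forward_rules
```

The reason to match on ports rather than addresses is that the client's IP source is 0.0.0.0 until it holds a lease, and the server's replies may be unicast as well as broadcast, so a rule pinned to one particular broadcast address works for the initial exchange and then fails at renewal or rebind time.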
