
Re: no way to get out



On Tue, Apr 06, 2004 at 09:08:01PM +0300, Eddy Petrisor wrote:
> > What version of fwbuilder do you use? I have 1.0.0-2, and I can't find
> > any DNS .... no, wait! dns tcp, right? 

My version is 1.1.1-1, from unstable.

Actually, there is a group object called "DNS" that contains DNS UDP
and DNS TCP. Allowing them outbound from your firewall/server will
allow it to make DNS queries properly. Most go over DNS UDP, but
DNS UDP queries that result in a response larger than 512 bytes
will typically get re-transmitted over TCP. 

> > what if I leave firewall:source
> > dest:any port:any accept , and the next, src:any  dest:fw port:any deny?

That's fine. I only suggested allowing DNS out because you said you
couldn't get out from your firewall. Sometimes this is just a symptom
of dropped DNS queries. If you are accepting all traffic out from the
firewall, disregard.

> > my fw is not a DNS, just a gateway..

I'm speaking about DNS clients, not servers. If your server/firewall
sends mail or you run "apt-get update" from it, you will see DNS
queries originating from that box.

> > > Using the firewall object itself in the source column with "Any" in
> > > the destination column will allow traffic originating on your
> > > firewall to go anywhere, internal or out to the Internet. If you
> > > wanted to restrict traffic based on interface, you would have to use
> > > the interface object in the source column.
> > > 
> > again, what version? I can't find any interface object, but hosts (I got
> > the idea, but they could have made it clearer; luckily they got the
> > idea right by now, as I see on their site and your statement...)

Sorry, what I'm referring to as "objects" is anything you drag from
the left tree view into a column in any rule. In this case, an
interface object is just what you see when you expand the firewall
object and see the interface names listed - the one with (ip) after it
can be used in a rule. The terminology might be my own.

> > > BTW, connections originating from the firewall traverse iptables'
> > > OUTPUT chain.
> > > 
> > I see there are differences again, but I got the point.
> > (for me firewall-> interfaces tab->policy attached to interface..)

The rule example I gave above applied to any interface, as I meant it
to be in the global firewall policy, not a specific interface
policy. If you have specific interface policies, you'll have to allow
outbound traffic on both the internal and external interfaces
explicitly.

You might find my site helpful, http://turinglabs.com , as it has some
stuff on iptables and networking, including firewall builder. It may
also help to understand iptables by crafting a few rulesets by hand -
there is an excellent tutorial at
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Doug
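As an added example that is not part of the mail above or of fwbuilder's own output, here is the hand-written iptables equivalent of what the thread discusses: the firewall box itself is allowed to originate DNS queries through the OUTPUT chain, over both 53/udp and 53/tcp, while everything else addressed to the box is dropped by default. The interface name and resolver addresses are assumptions (the addresses are RFC 5737 documentation ranges used as constructed sample data); the script prints the rules unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not from the original mail or from fwbuilder: a minimal
# ruleset letting the firewall host itself resolve names. Both transports
# are needed: a UDP answer that does not fit in 512 bytes comes back with
# the TC (truncated) bit set and the resolver retries the same query over
# TCP, so a udp-only rule fails exactly like the "can't get out" symptom.
#
# Rules are printed by default; run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Assumed values, change for your site. 192.0.2.x / 198.51.100.x are
# RFC 5737 documentation addresses used here as constructed sample data.
EXT_IF="${EXT_IF:-eth0}"
RESOLVERS="${RESOLVERS:-192.0.2.53 198.51.100.53}"

fw_base() {
    # Start from a deny-by-default posture for traffic to and from the box.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to anything the box initiated come back through INPUT;
    # connection tracking covers both the UDP and the TCP DNS exchange.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

fw_dns_out() {
    # Locally originated packets traverse OUTPUT, not FORWARD. One rule per
    # resolver and per transport; binding to EXT_IF mirrors using the
    # interface object rather than the firewall object in the rule source.
    for r in $RESOLVERS; do
        for proto in udp tcp; do
            $IPT -A OUTPUT -o "$EXT_IF" -p "$proto" -d "$r" --dport 53 \
                -m conntrack --ctstate NEW -j ACCEPT
        done
    done
}

fw_log_drops() {
    # Log what the default policy drops, so a missing DNS rule shows up in
    # the kernel log instead of as a silent hang in apt-get or sendmail.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw OUTPUT drop: "
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw INPUT drop: "
}

fw_ruleset() {
    fw_base
    fw_dns_out
    fw_log_drops
}

fw_ruleset
```

Running the script as-is prints the eight base rules, four DNS rules (two resolvers times two transports) and two logging rules; run it with IPT=iptables as root to load them. Printing by default is deliberate: the drop policies take effect immediately on apply, so review the output, and make sure any SSH session you rely on is covered, before switching IPT over.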


