
Re: IP-Masquerade



Guilherme Soares Zahn wrote:
> 
> The HOWTO suggested I should try something like
> 
> ipfwadm -F -p deny (setting 'deny' as the default rule)
> ipfwadm -F -a masquerade -P tcp 192.168.0.0/255.255.0.0 -D 0.0.0.0/0
> (and the same for udp)
> 
The problem here is that packets are given permission to flow only one
way through the firewall. They need permission to flow both ways.
Basically if you want to let packets out, you need to let packets in.
You can use the -b command-line parameter to say the rule is
bi-directional.

> I removed both lines and tried:
> 
> ipfwadm -F -p accept -m (default policy: accept, masquerading)
> 
> Now everything works fine, but I'm somehow suspicious this may open a
> hole in our security... does it? Is there a safer way to do it?
> 
The firewall itself is the only computer at direct risk here. Because of
masquerading, the computers on the inside of the firewall are safe as
long as someone does not break into the firewall itself. From the
firewall machine they can travel to inner parts of the network.

-- 
Paul Miller
pmiller@jove.acs.unt.edu

Where do all the bits go when the computer is done with them?
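Added example, not part of this thread: a small stateless model of how ipfwadm -F forwarding rules are matched against a packet, to show what the -b flag changes and why a deny default policy with one-way rules blocks return traffic. The model assumes first-match semantics with the -p policy as fallback; it does not reproduce the kernel's own masquerading path, and the addresses are constructed.

```python
# Added example, not from the thread: a stateless model of how ipfwadm -F
# rules are matched, showing what -b changes. Addresses are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    target: str                  # -a target: "masquerade", "accept", "deny"
    proto: str                   # -P: "tcp", "udp" or "all"
    src: ipaddress.IPv4Network   # -S
    dst: ipaddress.IPv4Network   # -D
    bidirectional: bool = False  # -b

@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

def rule_matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto):
        return False
    if pkt.src in rule.src and pkt.dst in rule.dst:
        return True
    # -b: the rule also matches with source and destination swapped
    return rule.bidirectional and pkt.src in rule.dst and pkt.dst in rule.src

def verdict(rules, default_policy, pkt):
    """First matching rule wins; otherwise the -p default policy applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.target
    return default_policy

INSIDE = ipaddress.ip_network("192.168.0.0/255.255.0.0")
ANY = ipaddress.ip_network("0.0.0.0/0")

def masq_rules(bidirectional):
    # ipfwadm -F -a masquerade -P tcp -S 192.168.0.0/255.255.0.0 -D 0.0.0.0/0 [-b]
    return [Rule("masquerade", p, INSIDE, ANY, bidirectional) for p in ("tcp", "udp")]

def pkt(proto, src, dst):
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst))

# Constructed traffic: a connection from inside, its reply, and an unsolicited
# connection attempt from outside.
OUTBOUND = pkt("tcp", "192.168.1.10", "203.0.113.5")
REPLY = pkt("tcp", "203.0.113.5", "192.168.1.10")
UNSOLICITED = pkt("tcp", "198.51.100.7", "192.168.1.10")
```

With the one-way rules and a deny policy, verdict() returns "deny" for REPLY; with -b it returns "masquerade" for REPLY, but also for UNSOLICITED, because a -b rule is symmetric and stateless rather than tied to a connection the inside initiated.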
