Re: IP Masq and software various
- From: "Danyell Wilt" <danyell ctelcom net>
- To: <redhat-list redhat com>
- Subject: Re: IP Masq and software various
- Date: Mon, 1 Feb 1999 09:07:12 -0600
>2. On a standalone system, I want to automatically reject (or deny, BTW
>could someone explain the difference to me sometime when you're not busy)
>all packets coming out of 207.46.0.0/255.255.0.0
>I do that, but then I suddenly discover (gasp) that I actually have a
>friend at microsoft, and I want to be able to communicate with his machine
>in the 207.46.131 subnet. I add another rule to accept packets from his
>address, should I use "-a accept" or "-i accept" and why?
I'm not 100% sure on all of this (been a while since I read all the docs),
but "reject" sends a message back to the packet source and says it was
rejected. A deny packet simply "dies" at the firewall. Imagine a game of
battleship. Denying gives less information to a potential hacker.
I think you would use -i command. -i inserts at the beginning and -a appends
to the end. I think the firewall looks at the rules in order. If the deny
207.46.0.0 rule is #1 a packet from 207.46.131.0 would be denied. If
the accept 207.46.131.x rule is #1 and the reject 207.43.0.0 rule is #2 a
packet from 207.46.131.x would be accepted, and a packet from 207.46.132.x
would be rejected.
BTW a simple ipfwadm -I -p deny is a good idea. A deny all policy is
desirable and only allow in what you want.
Danyell
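An added example (not from this thread) that models the first-match ordering described in the reply above: the chain, the rule names and the sample addresses are constructed assumptions, and the insert/append helpers stand in for `ipfwadm -I -i` and `ipfwadm -I -a`.

```python
# Added example, not from the original mail: a small first-match rule
# evaluator that models how an ordered input chain decides a packet, so
# the effect of inserting (-i) versus appending (-a) a rule can be checked.
import ipaddress


def matches(rule_net: str, src: str) -> bool:
    """True when the packet's source address falls inside the rule's network."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(rule_net)


def decide(chain, src, policy="deny"):
    """Walk the chain in order; the first rule whose source matches wins.
    Returns 'accept', 'deny' or 'reject'. If no rule matches, the chain
    policy applies (deny here, mirroring 'ipfwadm -I -p deny')."""
    for action, net in chain:
        if matches(net, src):
            return action
    return policy


def insert(chain, rule):
    """Like 'ipfwadm -I -i': the new rule goes to the head of the chain."""
    return [rule] + chain


def append(chain, rule):
    """Like 'ipfwadm -I -a': the new rule goes to the tail of the chain."""
    return chain + [rule]


# Constructed chains: deny the whole /16, then add the friend's /24 both ways.
BLOCK_NET = ("deny", "207.46.0.0/16")
FRIEND = ("accept", "207.46.131.0/24")

appended = append([BLOCK_NET], FRIEND)  # friend rule lands after the deny
inserted = insert([BLOCK_NET], FRIEND)  # friend rule lands before the deny

if __name__ == "__main__":
    for name, chain in (("appended", appended), ("inserted", inserted)):
        for src in ("207.46.131.5", "207.46.132.5", "10.0.0.1"):
            print(f"{name}: {src} -> {decide(chain, src)}")
```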