
[linux-security] Re: IP Filters and Masq: last questions



Mailing Lists wrote:

> I have some last questions about IP and Masq.
> 
> This is the network configuration I have now:
> 
> |INTERNET|---|CISCO|---<DMZ>---|FIREWALL, IP+MASQ|---|INTERNAL NET|
> 
> The firewall is a minimal RH51 that only accepts SSH connections from
> selected hosts and has no redir software.
> 
> From the comments I've been receiving, I know that tcp connections are
> secured.  What about udp, icmp, ipx/spx or any other I don't know about?
> Are they blocked too, or do they pass through?

It depends upon how the firewall is configured. If your only
forwarding rule is one which masquerades packets coming from the
internal network, then you're safe; nothing else will be forwarded.

E.g. if you have:

	ipfwadm -Fp reject
	ipfwadm -Fma accept -S x.x.x.x/x

where x.x.x.x/x is the internal network, then packets from the
internal network will be forwarded and masqueraded, any replies (or
related ICMP errors) will be demasqueraded and forwarded, and anything
else will be rejected.

This assumes that you also have something like:

	ipfwadm -Ia accept -S x.x.x.x/x -W eth0
	ipfwadm -Ia reject -S x.x.x.x/x

to prevent IP spoofing (assuming that eth0 is connected to the
internal network). You can't do this in the forwarding rules as -W/-V
in forwarding rules refers to the destination interface.

Note that the kernel's IP forwarding only applies to IP. It won't
forward non-IP packets (e.g. IPX, AppleTalk, ...).

> If they pass, what measures do I have to filter or block them?

Just ensure that your default forwarding policy is reject or deny, and
only forward the traffic that you want to. With masquerading, you
don't need to explicitly forward any inbound packets.

-- 
Glynn Clements <glynn sensei co uk>


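The reply describes four ipfwadm rules and the order in which the kernel applies them: anti-spoofing on the input chain, demasquerading of replies before the forwarding chain, a single masquerade rule for the internal network, and a reject policy for everything else. The following model is an added example, not code from the thread or from ipfwadm itself; it encodes those semantics for TCP, UDP and ICMP echo so the verdicts can be traced packet by packet. The network 192.168.1.0/24, the interface names eth0/eth1, the outside address 203.0.113.1 and the masquerade port range are constructed stand-ins for the x.x.x.x/x placeholders in the message; related ICMP errors (which the real masquerading code also demasquerades) are not modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology standing in for the x.x.x.x/x placeholders in the reply.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_IF = "eth0"                              # the -W eth0 interface in the input rules
EXTERNAL_IF = "eth1"                              # assumed DMZ-facing interface
MASQ_ADDR = ipaddress.ip_address("203.0.113.1")   # firewall's outside address (constructed)
MASQ_PORT_BASE = 61000                            # first port handed out to masqueraded flows


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", or a non-IP label such as "ipx"
    src: str
    dst: str
    iface: str      # interface the packet arrived on
    sport: int = 0  # for icmp echo the identifier plays the role of the port
    dport: int = 0


class MasqFirewall:
    """Model of: ipfwadm -Fp reject; -Fma accept -S internal;
    -Ia accept -S internal -W eth0; -Ia reject -S internal."""

    def __init__(self):
        # Active masqueraded flows: (proto, masq_port) -> (original src, original sport).
        self.masq_table = {}
        self.next_port = MASQ_PORT_BASE

    def input_chain(self, pkt):
        """Anti-spoofing: an internal source address is only legitimate on the internal interface."""
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET and pkt.iface != INTERNAL_IF:
            return "reject"
        return "accept"   # default input policy left at accept, as the reply assumes

    def handle(self, pkt):
        """Return the verdict the modelled kernel would reach for one packet."""
        # The kernel's IP forwarding code never sees non-IP protocols at all.
        if pkt.proto not in ("tcp", "udp", "icmp"):
            return "not-ip: not forwarded"

        if self.input_chain(pkt) == "reject":
            return "reject: spoofed internal source on " + pkt.iface

        # Demasquerading runs before the forwarding chain: a packet addressed to a port the
        # firewall handed out is rewritten back to the internal host that opened the flow.
        key = (pkt.proto, pkt.dport)
        if (pkt.iface == EXTERNAL_IF
                and ipaddress.ip_address(pkt.dst) == MASQ_ADDR
                and key in self.masq_table):
            orig_src, orig_sport = self.masq_table[key]
            return f"demasquerade: forward to {orig_src}:{orig_sport}"

        # Forwarding chain: the single masquerade rule, then the reject policy.
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            masq_port = self.next_port
            self.next_port += 1
            self.masq_table[(pkt.proto, masq_port)] = (pkt.src, pkt.sport)
            return f"masquerade: forward as {MASQ_ADDR}:{masq_port}"

        return "reject: default forwarding policy"


if __name__ == "__main__":
    fw = MasqFirewall()
    # Constructed traffic: an internal DNS query, its reply, and three unwanted packets.
    for pkt in (
        Packet("udp", "192.168.1.10", "198.51.100.53", "eth0", 5000, 53),
        Packet("udp", "198.51.100.53", "203.0.113.1", "eth1", 53, 61000),
        Packet("udp", "198.51.100.53", "203.0.113.1", "eth1", 53, 61001),
        Packet("tcp", "192.168.1.10", "198.51.100.9", "eth1", 40000, 80),
        Packet("ipx", "192.168.1.10", "198.51.100.9", "eth0"),
    ):
        print(pkt.proto, pkt.src, "->", pkt.dst, "on", pkt.iface, ":", fw.handle(pkt))
```

Running the script shows the point of the reply: the same reject policy covers UDP and ICMP exactly as it covers TCP, an unsolicited inbound datagram to a port the firewall never handed out is rejected even though a neighbouring port is in use, and a packet claiming an internal source on the outside interface never reaches the forwarding chain at all.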
