Q010797
Hardware, not definitely Linux problem (firewall)
Heya all..
I want to set up a decent firewall using some hardware. What is the best thing to get for a basic firewall? A NIC with a firewall on it somehow, or does one have to go all out and buy some $4000 3com product?
Andrew
q@qonline.com.au
ASKER
Nope... doesn't stop incoming requests, only outgoing.
I'm sorry, but you're wrong. Linux firewalling can grab packets at three points through the routing mechanism: you can apply rules to the packet when it is Incoming, when it is Outgoing and when it is getting Forwarded, not to mention you can specify packets trying to establish a connection (-y), or ACKnowledging packets, select tcp, udp or even icmp (and masquerade them), check if the packet will be accepted, denied or rejected, redirect local ports, change the type of service field...
And I can see you haven't read the draft about ipchains implemented on kernels 2.1.102 and above, have you? There is an interesting HOWTO you should read.
Good Luck,
-- Marcelo
ASKER
I can't afford to use development kernels.. I need the stability of the 2.0.xx kernels.
And can you tell me why my ipfwadm firewalling only works on outgoing packets... not incoming ?
how about posting:
ipfwadm -n -l -I
ipfwadm -n -l -O
ipfwadm -n -l -F
ipfwadm -n -l -M
ASKER
IP firewall input rules, default policy: accept
IP firewall output rules, default policy: accept
IP firewall forward rules, default policy: accept
type prot source destination ports
deny tcp 203.103.144.0/24 0.0.0.0/0 * -> 80
deny tcp 203.103.236.0/24 0.0.0.0/0 * -> 80
deny tcp 203.103.144.0/24 0.0.0.0/0 * -> 8080
deny tcp 203.103.236.0/24 0.0.0.0/0 * -> 8080
deny tcp 203.103.236.16 0.0.0.0/0 * -> 21
deny tcp 203.103.236.16 0.0.0.0/0 * -> 119
deny tcp 203.103.236.28 0.0.0.0/0 * -> 21
deny tcp 203.103.236.28 0.0.0.0/0 * -> 119
deny tcp 203.103.236.215 0.0.0.0/0 * -> 21
deny tcp 203.103.236.215 0.0.0.0/0 * -> 119
deny tcp 203.103.236.16 0.0.0.0/0 * -> 0:6000
deny tcp 203.103.236.16 0.0.0.0/0 * -> 7001:65535
system:~# ipfwadm -n -l -M
ipfwadm: cannot open file /proc/net/ip_masquerade
As you can see, there are no rules to deny incoming actions. But I actually want to deny incoming actions to the PC that is running ipfwadm! So how can I firewall this machine?
just an example, there are much more in the man-pages ;-)
ipfwadm -a accept -I -P all -S badhost -D securehost 513
ipfwadm -a deny -I -P all -S 0/0 -D securehost
ASKER
but if 'securehost' is the LOCAL host? that won't work will it ?
Yes, it won't, if securehost is the gateway itself.
You must protect the gateway on service/protocol level, for example in /etc/inetd.conf, /etc/hosts.{allow,deny} etc.
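The same mechanism applied to the gateway's own ports, as an added example that is not part of either answer above. ipfwadm input rules (-I) are evaluated when a packet arrives on an interface, before the kernel decides whether the packet is for the gateway itself or is to be forwarded, so restricting the outside interface with them protects the gateway's listening services without going through inetd. The interface name eth0, the internal network 192.168.1.0/24, the gateway address 203.0.113.1 and the ports 6667 and 8080 are assumptions; the review mode prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): ipfwadm input rules that protect the
# 2.0.x gateway's own listening ports from the outside interface while leaving
# the internal network alone.  Interface name, addresses and ports are assumptions.
EXT_IF=${EXT_IF:-eth0}                        # assumed: interface facing the Internet
INT_NET=${INT_NET:-192.168.1.0/24}            # assumed: internal network behind the gateway
GW_IP=${GW_IP:-203.0.113.1}                   # assumed: gateway's own external address
PROTECTED_PORTS=${PROTECTED_PORTS:-6667 8080} # assumed: non-inetd TCP services to hide
DRY_RUN=${DRY_RUN:-0}                         # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it in dry-run mode so the ruleset can be reviewed first
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# gateway_rules: load the input chain.  Input rules are checked as a packet
# arrives on an interface, so they match traffic addressed to the gateway
# itself as well as traffic that will later be forwarded.
gateway_rules() {
    run ipfwadm -I -f                                   # flush old input rules
    run ipfwadm -I -p accept                            # default policy stays accept
    # anti-spoofing: packets claiming an internal source must not arrive on the outside
    run ipfwadm -a deny -I -W "$EXT_IF" -P all -S "$INT_NET" -D 0.0.0.0/0 -o
    # internal hosts may reach every service on the gateway
    run ipfwadm -a accept -I -P all -S "$INT_NET" -D "$GW_IP"
    # outside world: drop new TCP connections (-y: SYN set, ACK clear) to the
    # protected ports; replies to connections the gateway opened are unaffected
    for port in $PROTECTED_PORTS; do
        run ipfwadm -a deny -I -W "$EXT_IF" -P tcp -y -S 0.0.0.0/0 -D "$GW_IP" "$port" -o
    done
}

# Usage (as root): "sh gateway-fw.sh review" prints the rules, "sh gateway-fw.sh apply"
# loads them.  Verify afterwards with: ipfwadm -n -l -I
case "${1:-}" in
    review) DRY_RUN=1; gateway_rules ;;
    apply)  gateway_rules ;;
esac
```

The -o on the deny rules logs each blocked SYN via the kernel log, which is how you confirm the rule is being hit when testing from outside; UDP services need their own deny rules, since -y only makes sense for TCP.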
ASKER
The gateway is running a server on some ports I'd like to block from the outside world, but they are not inetd oriented, nor do they support internal firewalling / allowing or denying IPs.
so is there anyway to block access?
Also, off topic, you have answered a number of my questions in the past; I have a few at the moment I'd LOVE answered in this area, networking-linux and linux-setup.
You may try the following in /etc/inetd.conf for your ports:
yourport stream tcp nowait root /usr/sbin/tcpd yourserver
Please check man inetd.conf and man tcpd.
Off topic, put 'em there, there are so many experts here :-))
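The tcpd wrapping from the answer above carried through, as an added example that is not the answer's own code: the inetd.conf line with the matching /etc/hosts.allow and /etc/hosts.deny entries, plus a small emulation of tcpd's lookup order so a policy can be checked for a given client before it is installed. The server path /usr/local/sbin/ircd, port 6667 and the 192.168.1. prefix are assumptions, and the matcher handles only ALL, exact addresses and dotted prefixes, a subset of what hosts_access(5) accepts. tcpd matches on the basename of the server it launches, so the hosts.allow entry must use that name.

```shell
#!/bin/sh
# Added example (not from the answer above): put a standalone TCP server behind
# inetd + tcpd so /etc/hosts.allow and /etc/hosts.deny decide who may connect,
# and emulate tcpd's allow/deny lookup to check a policy before installing it.
# Server path, port and addresses are assumptions.
SERVER=${SERVER:-/usr/local/sbin/ircd}   # assumed: the non-inetd server binary
PORT=${PORT:-6667}                       # assumed: port it listens on
SERVICE=${SERVER##*/}                    # tcpd looks up the basename of the server path

# print_wrapper_config: the fragments to add to the three files (review, then install)
print_wrapper_config() {
    cat <<EOF
# /etc/inetd.conf: inetd owns port $PORT and hands each connection to tcpd
$PORT stream tcp nowait root /usr/sbin/tcpd $SERVER
# /etc/hosts.allow: consulted first, first match wins (assumed internal net + loopback)
$SERVICE: 192.168.1. 127.0.0.1
# /etc/hosts.deny: consulted second; deny everything not explicitly allowed
ALL: ALL
EOF
}

# match_client PATTERN ADDR: tcpd client patterns supported here: ALL, an exact
# address, or a dotted prefix such as 192.168.1. (a subset of hosts_access(5))
match_client() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_line LINE DAEMON ADDR: one "daemon_list : client_list [: option]" entry
match_line() {
    dlist=${1%%:*}; rest=${1#*:}; clist=${rest%%:*}
    hit=1
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
        if [ "$d" = ALL ] || [ "$d" = "$2" ]; then hit=0; break; fi
    done
    [ "$hit" -eq 0 ] || return 1
    for c in $(printf '%s' "$clist" | tr ',' ' '); do
        match_client "$c" "$3" && return 0
    done
    return 1
}

# list_matches TEXT DAEMON ADDR: does any non-comment line of a hosts.* file match?
list_matches() {
    saved=$IFS; IFS='
'
    for line in $1; do
        IFS=$saved
        case "$line" in ''|'#'*) continue ;; esac
        if match_line "$line" "$2" "$3"; then return 0; fi
    done
    IFS=$saved
    return 1
}

# hosts_access DAEMON ADDR ALLOW_TEXT DENY_TEXT: tcpd's order of evaluation,
# hosts.allow first, then hosts.deny, otherwise allow.  Prints allow or deny.
hosts_access() {
    if list_matches "$3" "$1" "$2"; then echo allow
    elif list_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}
```

This only helps for a server that inetd can start per connection with the socket on its standard input and output; a daemon that insists on binding its own port cannot be wrapped this way and has to be screened with packet filtering instead. The "ALL: ALL" in hosts.deny is what turns the wrapper into a default-deny; without it a daemon not named in hosts.allow is reachable from anywhere.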
ASKER CERTIFIED SOLUTION
$0.0 :-))