Re: Firewalling and MASQ

Stephen L. Favor (
Thu, 09 Dec 1999 13:34:26 -0600

Glynn Clements wrote:

> Stephen L. Favor wrote:
> > I would like to configure a box to forward only TCP and
> > UDP packets associated with a MASQ session and I can't quite
> > figure out a way to do it. I can open 61000:65096 to the world
> > and MASQ works fine, but I would prefer only let the ports with
> > active sessions through the firewall. Can anyone tell me how to
> > do this?
> Replies to masqueraded packets pass the forwarding chain
> automatically, so you can just configure the forwarding chain to
> reject all inbound packets.

Interesting but (unless I'm missing something) I need to block these
with the input filter. At that point, packets bound for the router
host and packets bound for MASQ-forwarded hosts have the same IP. If
I let them pass so they will deMASQ, I also let potentially malicious
packets bound for the local host in. These hit the "Routing
Decision" phase and go right to a local process. What I really need
is for there to be another FW chain consulted for local packets after

The only way I've figured out to do this is to write a daemon that
uses the netlink device and a user program to add an entry in the
FW to allow packets on a per-port basis every time it sees a connect
request pass the MASQ forward rule and remove the entry whenever the
disconnect occurs or it no longer appears in /proc/.../*_masq.
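The per-port allow-list daemon sketched above, reduced to its core logic as an added example (this is not code from the thread): parse a snapshot of /proc/net/ip_masquerade (a constructed sample here; the column layout is assumed from the 2.2 kernel), keep only entries whose timer is still running and whose masq port lies in the 61000:65096 range, and emit the ipchains input-chain commands that bring the current allow-list in line. The external interface eth0 and address 198.51.100.1 are placeholders.

```python
# Constructed sample in the layout of Linux 2.2's /proc/net/ip_masquerade
# (assumed: Prc FromIP:FPrt ToIP:TPrt Masq Init-seq Delta PDelta Expires).
SAMPLE_MASQ_TABLE = """\
Prc FromIP   FPrt ToIP     TPrt Masq Init-seq  Delta PDelta Expires (free=0,0,0)
TCP C0A80102:0400 0A000001:0050 EE48 00000000      0      0     899
UDP C0A80103:0035 0A000002:0035 F01B 00000000      0      0      42
TCP C0A80102:0401 0A000001:0016 EE49 00000000      0      0       0
"""

MASQ_PORT_RANGE = range(61000, 65097)  # the range the author opens to the world
EXT_IF = "eth0"            # placeholder: external interface
EXT_IP = "198.51.100.1"    # placeholder: router's masquerading address


def active_masq_ports(table_text):
    """Return the set of (proto, masq_port) whose table entry is still live."""
    ports = set()
    for line in table_text.splitlines()[1:]:      # skip the header line
        fields = line.split()
        if len(fields) < 8:
            continue
        proto = fields[0].lower()
        masq_port = int(fields[3], 16)            # "Masq" column is hex
        expires = int(fields[7])                  # 0 means the entry is dead
        if expires > 0 and masq_port in MASQ_PORT_RANGE:
            ports.add((proto, masq_port))
    return ports


def rule_spec(proto, port):
    """ipchains match for a reply packet of one masqueraded session."""
    return f"input -i {EXT_IF} -p {proto} -d {EXT_IP} {port} -j ACCEPT"


def reconcile(current, desired):
    """Commands moving the input chain from `current` to `desired` ports.

    New sessions are opened before stale ones are closed so that a live
    session never sees a window in which its replies are dropped.
    """
    cmds = [f"ipchains -A {rule_spec(p, n)}" for p, n in sorted(desired - current)]
    cmds += [f"ipchains -D {rule_spec(p, n)}" for p, n in sorted(current - desired)]
    return cmds


if __name__ == "__main__":
    allowed = {("tcp", 61000), ("tcp", 61001)}   # what the chain holds right now
    for cmd in reconcile(allowed, active_masq_ports(SAMPLE_MASQ_TABLE)):
        print(cmd)
```

In the daemon the author describes, `reconcile` would run on every connect/disconnect seen via netlink and periodically against the live /proc table, with `allowed` tracking the rules it has itself installed.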
