Re: Firewalling and MASQ

Matthew Vanecek (
Thu, 09 Dec 1999 20:48:17 -0600

"Stephen L. Favor" wrote:
> Eric Kluft wrote:
> > You'll agree with me that it's extremely hard to attack a client behind a
> > masqing server. Extra deny policies or programs are really unnecessary.
> I completely agree. If you'll read my posting again carefully, you will find
> that I am concerned with packets which are associated with the host that is
> performing MASQ for the internal network. Right now, I have to leave the
> MASQ port interval open so that it will work and there is no way to detect if
> an inbound or outbound packet is to/from the router or a MASQed host as they
> have the same IP. Thus, I cannot do:
> ipchains -A output -j DENY -p tcp -y -s <router ip>
> to block connects from the router as it will also block connects from MASQed
> hosts.

It sounds to me, just for clarification's sake, like you don't want your
router to talk to the outside world. That is, your router should not be
able to talk to any other computer outside of your network. Except, if
your internal network wants to connect to the external network, in which
case it would really be an internal machine talking to the world, and
not your router (conceptually speaking, anyhow). Is that a fair
assessment of your problem?

Have you tried the above chain (just for shits-n-grins, y'know)?
The question arises, why would you not want your router to talk to the
outside world (if, indeed, I understand your question correctly)? I'm
not really sure that there is any way to accomplish that. Or am I
misunderstanding what you want to do?

Matthew Vanecek
Course of Study:
Visit my Website at
For answers type: perl -e 'print
For 93 million miles, there is nothing between the sun and my shadow
except me. I'm always getting in the way of something...
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to
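The problem quoted above, worked through as an added example that is not part of the original thread or of anyone's posted configuration: on a 2.2 kernel the output chain sees router-originated packets and MASQed packets with the same source address, so "-s <router ip>" alone cannot tell them apart. What does differ is the source port: ip_masq rewrites the source port of masqueraded connections into its own range (PORT_MASQ_BEGIN..PORT_MASQ_END, 61000-65096 by default), so an ACCEPT for SYNs from that range placed before the DENY lets MASQed hosts connect while blocking the router's own connects. The script below simulates an ipchains-style first-match chain over a few constructed packets; the router address 192.0.2.1, the peer 198.51.100.7 and the packet records are assumptions made up for the example.

```python
# Added example: simulate an ipchains "output" chain on a MASQ router so the
# effect of the two rule sets can be compared without a 2.2 box at hand.
from dataclasses import dataclass
from typing import Optional

ROUTER_IP = "192.0.2.1"                     # assumed external address of the router
MASQ_PORTS = range(61000, 65096 + 1)        # Linux 2.2 ip_masq default port interval


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True models ipchains "-y": SYN set, ACK and FIN clear


@dataclass
class Rule:
    target: str                       # "ACCEPT" or "DENY"
    proto: Optional[str] = None       # "-p tcp"
    src: Optional[str] = None         # "-s <ip>"
    sport: Optional[range] = None     # "-s <ip> lo:hi" (source port interval)
    syn: Optional[bool] = None        # "-y" (only SYN packets, i.e. new connects)

    def matches(self, p: Packet) -> bool:
        # Every specified criterion must match; unspecified ones are wildcards.
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.sport is not None and p.sport not in self.sport:
            return False
        if self.syn is not None and self.syn != p.syn:
            return False
        return True


def run_chain(rules, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The rule from the quoted post:
#   ipchains -A output -j DENY -p tcp -y -s <router ip>
NAIVE_RULES = [Rule("DENY", proto="tcp", src=ROUTER_IP, syn=True)]

# Using the MASQ port interval to tell the two apart:
#   ipchains -A output -j ACCEPT -p tcp -y -s <router ip> 61000:65096
#   ipchains -A output -j DENY   -p tcp -y -s <router ip>
PORT_RANGE_RULES = [
    Rule("ACCEPT", proto="tcp", src=ROUTER_IP, sport=MASQ_PORTS, syn=True),
    Rule("DENY", proto="tcp", src=ROUTER_IP, syn=True),
]

# Constructed sample packets as the output chain would see them (post-MASQ).
SAMPLE = {
    # the router itself opening a connection from an ordinary ephemeral port
    "router_connect": Packet("tcp", ROUTER_IP, 1025, "198.51.100.7", 80, syn=True),
    # an internal host's connect after ip_masq rewrote its source port
    "masq_connect": Packet("tcp", ROUTER_IP, 61003, "198.51.100.7", 80, syn=True),
    # the router answering an inbound ssh session (not a SYN, so not a connect)
    "router_reply": Packet("tcp", ROUTER_IP, 22, "198.51.100.7", 40000, syn=False),
}


def verdicts(rules) -> dict:
    """Verdict of the chain for each sample packet, keyed by packet name."""
    return {name: run_chain(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("port-range", PORT_RANGE_RULES)):
        print(label, verdicts(rules))
```

With the naive rule both connects are denied, which is exactly the complaint in the quoted message; with the port-interval rules only the router's own connect is denied. The check relies on the router's local ephemeral ports never falling inside the MASQ interval, so if the local port range has been raised to overlap 61000-65096 a router process could slip past the DENY. Under netfilter (2.4 and later) the distinction is built in: the OUTPUT chain sees only locally generated packets, while masqueraded traffic goes through FORWARD and POSTROUTING, so the port trick is no longer needed there.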