RE: Firewalling and MASQ

DEMERRE DIETER (EXT.Dieter.Demerre@siemens.be)
Fri, 10 Dec 1999 08:03:28 +0100


"Matthew Vanecek" <mailto:mev0003@unt.edu> wrote:
>
> "Stephen L. Favor" wrote:
> >
> > performing MASQ for the internal network. Right now, I
> have to leave the
> > MASQ port interval open so that it will work and there is
> no way to detect if
> > an inbound or outbound packet is to/from the router or a
> MASQed host as they
> > have the same IP. Thus, I cannot do:
> >
> > ipchains -A output -j DENY -p tcp -y -s <router ip>
> >
> > to block connects from the router as it will also block
> connects from MASQed
> > hosts.
...
> Have you tried the above chain (just for shits-n-grins, y'know)?
> The question arises, why would you not want your router to talk to
> the outside world (if, indeed, I understand your question
> correctly)? I'm not real sure that there is any way to accomplish
> that. Or am I misunderstanding what you want to do?

I don't think that's such a silly thing to do. I configured a gateway
pretty much like that: (almost) no daemons on the gateway and only
outgoing connections masqueraded from the inside.
Since I ran into the same problem as Stephen, I disabled
access to the ports that could be open to attack:

# Drop new TCP connection attempts (SYN set, ACK/FIN clear) arriving on the
# dial-up interface for destination ports 0 through 1024.
ipchains -A input -y -p tcp -i ippp<n> -s 0.0.0.0/0 \
-d 0.0.0.0/0 0:1024 -j DENY

Merry Greetings from - Z'ge Groetjes vanwege
*** Dieter Demerre ----- ddemerre@acm.org **
http://www.angelfire.com/de/ddemerre/
********************************************
Wanna get rid of idle Processor cycles ?
distributed.net ? Try synchronising outlook.
********************************************
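An added example, not code from the message above: a small Python evaluator for the ipchains rule Dieter posted, to show why the `-y` (SYN-only) match lets masqueraded return traffic through while refusing new connections to the gateway. It parses the rule's command line and runs it over constructed sample packets. Assumptions: the dial-up interface is `ippp0` (the message only says `ippp<n>`), the LAN interface is `eth0`, and the reply to a masqueraded host arrives on port 61001 (a port in the 2.2 kernel's default MASQ range as I recall it; the exact number does not matter for the rule, only that it is above 1024). Only the options the quoted rule uses are implemented.

```python
"""Toy evaluator for the quoted ipchains rule (added example, not from the post).

Implements only -A, -i, -p, -s/-d with an optional port range, -y and -j,
and accepts only 0.0.0.0/0 as an address. Sample packets are constructed.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP flag bits
FIN, SYN, ACK = 0x01, 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    proto: str   # "tcp", "udp", ...
    dport: int   # destination port
    flags: int   # TCP flags, 0 for non-TCP


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[Tuple[int, int]] = None  # inclusive range
    syn_only: bool = False


def parse_rule(cmdline: str) -> Rule:
    """Parse an 'ipchains -A <chain> ... -j <target>' command line."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "ipchains":
        raise ValueError("expected an ipchains command line")
    chain = target = iface = proto = None
    dports = None
    syn_only = False
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt == "-A":
            chain = argv[i + 1]; i += 2
        elif opt == "-j":
            target = argv[i + 1]; i += 2
        elif opt == "-i":
            iface = argv[i + 1]; i += 2
        elif opt == "-p":
            proto = argv[i + 1].lower(); i += 2
        elif opt == "-y":
            syn_only = True; i += 1
        elif opt in ("-s", "-d"):
            # address, optionally followed by "port" or "low:high"
            if argv[i + 1] != "0.0.0.0/0":
                raise ValueError("this toy only understands 0.0.0.0/0")
            i += 2
            if i < len(argv) and not argv[i].startswith("-"):
                lo, _, hi = argv[i].partition(":")
                rng = (int(lo), int(hi) if hi else int(lo))
                if opt == "-d":
                    dports = rng
                i += 1
        else:
            raise ValueError(f"unsupported option {opt}")
    if chain is None or target is None:
        raise ValueError("rule needs both -A and -j")
    return Rule(chain, target, iface, proto, dports, syn_only)


def is_syn_only(flags: int) -> bool:
    """ipchains -y: SYN set and both ACK and FIN clear, i.e. a new connection."""
    return bool(flags & SYN) and not (flags & (ACK | FIN))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    if rule.syn_only and not (pkt.proto == "tcp" and is_syn_only(pkt.flags)):
        return False
    return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain's default policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy


# The rule from the message, with ippp<n> assumed to be ippp0.
RULE_FROM_POST = "ipchains -A input -y -p tcp -i ippp0 -s 0.0.0.0/0 -d 0.0.0.0/0 0:1024 -j DENY"
INPUT_CHAIN = [parse_rule(RULE_FROM_POST)]

# Constructed sample traffic.
SAMPLES = {
    "new inbound ssh to the gateway":        Packet("ippp0", "tcp", 22, SYN),
    "SYN/ACK reply to a masqueraded host":   Packet("ippp0", "tcp", 61001, SYN | ACK),
    "new inbound to a high port (not covered)": Packet("ippp0", "tcp", 8080, SYN),
    "new connection from the LAN side":      Packet("eth0", "tcp", 22, SYN),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{verdict(INPUT_CHAIN, pkt):7s} {label}")
```

The third sample is the caveat: the rule only covers ports 0 through 1024 (inclusive, as `0:1024` is in ipchains), so a daemon listening above that range on the gateway is still reachable from the dial-up side; the rule works because the gateway runs (almost) nothing, not because it closes every port.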
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu