Re: Statefull??



| Antony Stone wrote:
|
| I suggest you add a rule allowing ESTABLISHED,RELATED (but not NEW) packets
| from the DMZ to EXT.   That will allow replies but no new connections.
|
| However, I also suggest you think very carefully about not allowing NEW
| connections from your web server to the outside world - specifically in
| relation to DNS - are you sure the web server itself never needs to do
| external lookups (perhaps for visitor logs etc)?   So long as this is true,
| you'll be okay, but I think you should keep an eye on your netfilter log
| entries to see if the web server is trying to make some external connections
| which you actually decide you want to allow.
|
| Regards,
|
| Antony.
|
Already did that and it works. Thanks. But somehow I would like to
allow my web server to fetch security patches from the xxxx server, but the firewall
has rejected the request.

Here are my rules:


# Inbound HTTP from the Internet to the web server: log, then accept
$ipt -A SCAN -i $EXT -o $DMZ -p tcp -m tcp -s 0/0 -d $WEB --dport 80 -j LOG --log-level info --log-prefix "[IN WEB] :"
$ipt -A SCAN -i $EXT -o $DMZ -p tcp -m tcp -s 0/0 -d $WEB --dport 80 -j ACCEPT

# Replies to tracked connections coming back in on EXT: log, then accept
$ipt -A SCAN -i $EXT -m state --state ESTABLISHED,RELATED -j LOG --log-prefix "Established conn: "
$ipt -A SCAN -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NEW TCP packets that are not a plain SYN are bogus: log, then drop
$ipt -A SCAN -i $EXT -o $DMZ -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN: "
$ipt -A SCAN -i $EXT -o $DMZ -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# NEW HTTP connections from the web server to the xxxx (update) server: log, then accept
$ipt -A FORWARD -i $DMZ -p tcp -m state --state NEW -s $WEB -d xxxx --dport 80 -j LOG --log-level info --log-prefix "OUT DNS :"
$ipt -A FORWARD -i $DMZ -p tcp -m state --state NEW -s $WEB -d xxxx --dport 80 -j ACCEPT

# Any other NEW TCP connection from the DMZ to the outside: log, then reject
$ipt -A FORWARD -i $DMZ -o $EXT -p tcp -m tcp -m state --state NEW -j LOG --log-level info --log-prefix "[Init DMZ] "
$ipt -A FORWARD -i $DMZ -o $EXT -p tcp -m tcp -m state --state NEW -j REJECT
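
As an added example (not part of the original thread or of the poster's ruleset), the script below lays out the DMZ-to-outside FORWARD rules for exactly the situation discussed above: replies to tracked connections are accepted, one NEW HTTP flow from the web server to the update server is accepted, optional DNS lookups to a resolver are accepted (the point Antony raised), and every other NEW connection from the DMZ is logged and rejected. Netfilter evaluates a chain top to bottom and the first terminating target wins, so the specific ACCEPT rules must sit above the catch-all REJECT; the script includes a check for that ordering. Interface names, the web server address, and the update and DNS server addresses are placeholders, and IPT defaults to "echo iptables", so running the script only prints the commands unless IPT=iptables is exported.

```shell
#!/bin/sh
# Added example, not the original poster's rules. All addresses are
# placeholders from the documentation ranges; adjust before real use.
IPT="${IPT:-echo iptables}"          # dry run by default
DMZ="${DMZ:-eth1}"                   # placeholder DMZ interface
EXT="${EXT:-eth0}"                   # placeholder external interface
WEB="${WEB:-192.0.2.10}"             # placeholder web server address
UPDATE_SRV="${UPDATE_SRV:-198.51.100.20}"   # placeholder update server
DNS_SRV="${DNS_SRV:-198.51.100.53}"         # placeholder resolver

# Emit the DMZ egress policy. Rule order is the whole point: every
# specific ACCEPT has to come before the catch-all LOG/REJECT pair,
# otherwise the REJECT shadows it and the update fetch is refused.
dmz_egress_rules() {
    # 1. Replies to connections conntrack already knows about (no NEW).
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. The single NEW flow the web server may open: HTTP to the update server.
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -p tcp -s "$WEB" -d "$UPDATE_SRV" --dport 80 \
         -m state --state NEW -j ACCEPT
    # 3. Name resolution, needed if the update server is referenced by hostname.
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -p udp -s "$WEB" -d "$DNS_SRV" --dport 53 \
         -m state --state NEW -j ACCEPT
    # 4. Everything else the DMZ tries to initiate is logged, then rejected.
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -m state --state NEW \
         -j LOG --log-level info --log-prefix "[Init DMZ] "
    $IPT -A FORWARD -i "$DMZ" -o "$EXT" -m state --state NEW -j REJECT
}

# Number of rules the policy emits in dry-run mode.
rule_count() {
    ( IPT="echo iptables"; dmz_egress_rules ) | grep -c 'iptables -A FORWARD'
}

# Succeeds only if the ACCEPT for the update server is listed before the
# catch-all REJECT, i.e. the rule the web server needs is not shadowed.
check_rule_order() {
    rules=$( IPT="echo iptables"; dmz_egress_rules )
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-d $UPDATE_SRV" | grep ACCEPT | cut -d: -f1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# Dry run: print the rules that would be installed, then verify the order.
dmz_egress_rules
check_rule_order && echo "rule order OK: update-server ACCEPT precedes catch-all REJECT"
```

Run it as-is to see the iptables commands it would issue; run it with IPT=iptables as root to install them. The DNS rule is only needed when the web server resolves the update server by name, which is the case Antony's reply warns about; if the web server uses a fixed address, rule 3 can be left out.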


