RE: Ruleset

Once again, thanks Anthony

Correcting my mistakes right now

Kind Regards
Brent Clark

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Antony Stone
Sent: Tuesday, August 10, 2004 10:45 AM
To: iptables
Subject: Re: Ruleset


On Tuesday 10 August 2004 9:27 am, Antony Stone wrote:

> On Tuesday 10 August 2004 8:22 am, Brent Clark wrote:
> > Hi all
> >
> > If possible would someone be so kind as to have a look at my ruleset and
> > if possible, share some pointers.  I have another linux box (Ip address
> > 192.168.3.3, connected to eth1 on the FW)  I have a lan (192.168.2.0/24)
> > connected to eth0 For my internet handling I have a ppp connection.  Im
> > also currently toying with dyndns (ez-ipupdate).
>
> 4. Do you *really* want to allow *all* NEW packets from the Internet to the
> DMZ, no matter what protocol they are?  You might as well simply stick
> your 192.168.3.3 machine on a public IP address with no firewall....

The above comment is not quite accurate - you are, of course, only DNATting
packets to TCP port 80, therefore only HTTP should get through to the DMZ,
however I would still recommend narrowing down the FORWARD rule just to make
it obvious that's what's happening when you look at the filter rules, rather
than having to refer to the nat rules to figure out what traffic is being
allowed.

In other words, make the ruleset slightly more obvious, so you don't make the
same mistake I did, when you come to read the ruleset in 3 months' time :)

Regards,

Antony.

--
People who use Microsoft software should be certified.

Please reply to the list; please don't CC me.
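The point Antony makes above, as an added example that is not part of the thread (Brent's actual ruleset is not on this page): the DNAT rule that only rewrites TCP/80 to the DMZ host, beside the FORWARD rule narrowed to exactly that traffic, plus a small audit helper that flags FORWARD rules accepting NEW connections without pinning a protocol and port. Interface names (ppp0 for the PPP link, eth1 for the DMZ) and the use of `-m state` are assumptions matching the thread's era.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ppp0 = PPP link to the
# Internet, eth1 = DMZ link, 192.168.3.3 = DMZ web server (from the thread).
DMZ_HOST=192.168.3.3
WAN_IF=ppp0
DMZ_IF=eth1

# By default the rules are only printed; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Too broad: the FORWARD rule criticised in the thread. Every protocol and
# port is accepted, so the filter table no longer shows what really gets through.
broad_forward() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT
}

# Narrowed: the filter rule repeats the protocol, host and port from the DNAT,
# so reading the FORWARD chain alone tells you exactly what is allowed.
dmz_web_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_HOST"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Audit helper: read iptables-save style lines on stdin and print every FORWARD
# rule that accepts NEW connections without a protocol and destination port.
# Returns 1 when any such rule is found, 0 when the chain is fully narrowed.
find_broad_forward() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "-A FORWARD "*"--state "*NEW*" -j ACCEPT")
                case "$line" in
                    *"-p tcp "*"--dport "*|*"-p udp "*"--dport "*) ;;
                    *) echo "too broad: $line"; found=1 ;;
                esac ;;
        esac
    done
    return $found
}
```

Pipe `iptables-save` into `find_broad_forward` to check a live ruleset; with the default `IPT` the rule functions only echo the commands they would run.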