[1011] in linux-net channel archive
Re: IPFW Docs needed
daemon@ATHENA.MIT.EDU (Al Longyear)
Tue Aug 29 15:11:05 1995
From: longyear@netcom.com (Al Longyear)
To: clameter@waterf.org (Christoph Lameter)
Date: Mon, 28 Aug 1995 19:57:16 -0700 (PDT)
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <41qnm5$giu@waterf.org> from "Christoph Lameter" at Aug 27, 95 02:22:13 pm
Christoph Lameter wrote:
>
> I have seen the newest net-3 stuff. It is coming with a configurable
> Firewall which can be configured through ipfw. But the docs are scarce
> and from looking at the source code I know they are incorrect.
I realize that. It took me a few days of trying to read the man page
and decode the meanings. (It is almost as bad as the pppd man page. :))
> Specifically I need the following answers:
>
> 1. What does the ipfw p <policy> statement exactly do and what is
> the benefit?
The 'p' policy defines what is to be assumed as the default action
unless it is overridden by a specific rule. It may be set to accept,
deny, or reject as well as logging actions.
> 2. What does the iface option mean? It is a third IP address but why
> would this be mentioned in the conditions for routing packets?
It is the IP address of the interface for which the rule applies. If
you have only one interface then it is not needed.
If you have two interfaces then it is desirable to control rules such
that they apply to a specific interface. For example, the rule may
apply only to the 'red' (external) network. This makes life easier
when multiple addresses apply to the interface.
For example, sii.com has registered IP domains at 155.190 and
192.112.246. They are both 'us'. The cisco router is programmed to
deliver frames for either network to our firewall as its 'gateway'
address. They will both arrive at the same interface, so the rules
don't specify the destination IP address. They specify the interface
address as the key.
(I don't want to go into _why_ we have two IP domains. It is a long
story and not really applicable here.)
The other thing which took me a while to decipher was that the
'blocking' firewall rules applied to all frames received by the
system. This included frames which were to be forwarded to the 'green'
(internal) network as well as frames for the firewall system.
The 'forwarding' firewall applied its rules only when it was going to
forward the frame. As such, it did not apply to the firewall.
So, use the 'blocking' firewall rules if you wish to totally deny this
frame from entering your firewall or the green network.
Use the 'forwarding' firewall rules to specify only the frames which
are safe for the green network.
Regrettably, we consider our rules as 'secret' since they define our
firewall. I cannot give you our rules as 'examples'. However, if you
wish some help, I may be able to offer general guidance.
A good resource for packet filters is the Cheswick and Bellovin book.
--
Al Longyear longyear@netcom.com
Finger for PGP key
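To make the blocking-versus-forwarding distinction concrete, here is an added Python simulation (not part of the original mail, and not the ipfw command syntax) of the semantics described above: a 'p' default policy per rule set, rules keyed on the interface address, blocking rules checked for every received frame and forwarding rules only for frames about to be forwarded. The interface addresses, the rule sets and the first-match ordering are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

RED = "203.0.113.1"     # constructed: address of the external ('red') interface
GREEN = "192.168.1.1"   # constructed: address of the internal ('green') interface

@dataclass
class Rule:
    action: str                  # "accept" or "deny"
    iface: str                   # keyed on the interface address, as the mail describes
    src: Optional[str] = None    # optional source-address prefix, e.g. "192.168.1."
    dst: Optional[str] = None    # optional destination-address prefix
    proto: Optional[str] = None  # optional protocol name
    dport: Optional[int] = None  # optional destination port

    def matches(self, pkt: dict) -> bool:
        return (pkt["iface"] == self.iface
                and (self.src is None or pkt["src"].startswith(self.src))
                and (self.dst is None or pkt["dst"].startswith(self.dst))
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))

@dataclass
class Chain:
    policy: str                  # the 'p' default, used when no rule matches
    rules: list = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:  # assumption: the first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return self.policy

def firewall_verdict(blocking: Chain, forwarding: Chain, pkt: dict) -> str:
    # Blocking rules see every received frame, for the firewall or for the green net.
    if blocking.verdict(pkt) != "accept":
        return "deny"
    # Forwarding rules apply only to frames the firewall is about to forward.
    if pkt["forward"]:
        return forwarding.verdict(pkt)
    return "accept"

# Constructed rule sets (not sii.com's): drop frames arriving on the red interface
# that claim an internal source, and forward only SMTP to one internal host.
BLOCKING = Chain("accept", [Rule("deny", RED, src="192.168.1.")])
FORWARDING = Chain("deny", [Rule("accept", RED, dst="192.168.1.10", proto="tcp", dport=25)])

def check(pkt: dict) -> str:
    return firewall_verdict(BLOCKING, FORWARDING, pkt)
```

A frame addressed to the firewall host itself never reaches the forwarding chain, so with these rule sets a telnet attempt against the firewall's own red address is accepted by the blocking policy; only a blocking rule can close that.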