[1573] in linux-net channel archive
Blocking firewall
daemon@ATHENA.MIT.EDU (Matthias Urlichs)
Tue Jan 2 02:35:47 1996
From: smurf@smurf.noris.de (Matthias Urlichs)
To: linux-net@vger.rutgers.edu
Date: Mon, 1 Jan 1996 22:08:43 +0100 (MET)
Hi,
is there a reason why the "blocking" packet filter blocks both local and remote packets?
I'm trying to set up a local firewall between our "internal" and "external" networks. I'd like to pass a wide range of services to the "internal" network, but accept almost nothing from the outside on the gateway itself.
For instance, I'd like to set up a rule that allows me to login to the gateway from the internal network, and to login from outside to an internal machine, but not to login directly from outside to the gateway.
Since the gateway has many interfaces, the way things currently work forces me to add a blocking rule for every address the gateway has, for every service I'd like to control this way. That's a lot of rules. It'd be much easier (not to mention faster for the IP forwarder) if I could just use "any destination" as the local address in my blocking rules, but that works only if non-local packets don't get processed by the blocking firewall.
I _think_ that the following patch would allow me to do that... maybe a
config option which selects between the two would be a good idea...
--- ./net/ipv4/ip_input.c Thu Dec 28 05:12:47 1995
+++ /tmp/ipfn Thu Dec 28 07:45:28 1995
@@ -284,22 +284,6 @@
#endif
=20
/*
- * See if the firewall wants to dispose of the packet.=20
- */
-
-#ifdef CONFIG_FIREWALL
-=09
- if ((err=3Dcall_in_firewall(PF_INET, skb, iph))<FW_ACCEPT)
- {
- if(err=3D=3DFW_REJECT)
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);
- kfree_skb(skb, FREE_WRITE);
- return 0;=09
- }
-
-#endif
-=09
- /*
* Remember if the frame is fragmented.
*/
=20
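Review bot: removing the call_in_firewall() block from this point means a packet the blocking firewall would have answered with ICMP_PORT_UNREACH (the FW_REJECT branch) no longer gets that answer here unless it is addressed to the gateway itself; transit packets that used to be dropped or rejected at this spot now fall through to the forwarding code untouched. That is the intended effect, but the change should say so explicitly, since anyone relying on the old ordering to filter forwarded traffic with the blocking rules loses that filtering silently.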
@@ -329,6 +313,22 @@
=20
if ( iph->daddr =3D=3D skb->dev->pa_addr || (brd =3D ip_chk_addr(iph-=
>daddr)) !=3D 0)
{
+ /*
+ * See if the firewall wants to dispose of the packet.=20
+ */
+
+#ifdef CONFIG_FIREWALL
+=09
+ if ((err=3Dcall_in_firewall(PF_INET, skb, iph))<FW_ACCEPT)
+ {
+ if(err=3D=3DFW_REJECT)
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0, dev);
+ kfree_skb(skb, FREE_WRITE);
+ return 0;=09
+ }
+
+#endif
+=09
if (opt && opt->srr)=20
{
int srrspace, srrptr;
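Review bot: the relocated block now sits inside the `iph->daddr == skb->dev->pa_addr || (brd = ip_chk_addr(iph->daddr)) != 0` branch and before the `opt->srr` handling, so it is reached only for packets addressed to the host or to a broadcast address; that is consistent with the stated goal, but the patch changes the ordering unconditionally for every configuration, while the mail itself says a config option selecting between the two orderings "would be a good idea". Wrap the moved block in that option (leaving the old placement as the other branch) rather than replacing the existing behaviour outright, and add a comment at the new location stating that non-local packets deliberately bypass the input firewall here.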
-- 
The good things of prosperity are to be wished; but the good things that
belong to adversity are to be admired.
-- Seneca
-- 
Matthias Urlichs \ XLink-POP Nürnberg | EMail: urlichs@smurf.noris.de
Schleiermacherstraße 12 \ Unix+Linux+Mac | Phone: ...please use email.
90491 Nürnberg (Germany) \ Consulting+Networking+Programming+etc'ing 42
PGP: 1B 89 E2 1C 43 EA 80 44 15 D2 29 CF C6 C7 E0 DE
Click <A HREF="http://smurf.noris.de/~smurf/finger">here</A>.
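The following is an added model of the two ip_rcv() orderings the mail is about; it is illustration code written for this archive page, not the kernel's own code and not Matthias Urlichs' patch. The gateway addresses, the internal network, the rule format (first match wins, no match accepts), the verdict names and the sample packets are all assumptions made up for the example. It shows why a single "any destination" rule behaves differently in the two orderings: with the firewall check before the local-address test, a deny on port 23 also kills the externally originated telnet to an internal host that the author wants forwarded; with the check moved under the local-address test, that packet is forwarded and only logins to the gateway itself are blocked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pack a dotted quad into a host-order uint32_t. */
#define IP4(a, b, c, d) \
    ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Verdicts of this model (assumed names, not the kernel's FW_* codes). */
enum verdict { DELIVER_LOCAL, FORWARD, BLOCKED };
enum action { ACCEPT, DENY };

struct packet { uint32_t saddr, daddr; uint16_t dport; };

/* A rule matches when the source lies in src_net/src_mask, the destination
 * equals dst (0 = "any destination") and the port equals dport (0 = any). */
struct rule {
    enum action act;
    uint32_t src_net, src_mask;
    uint32_t dst;
    uint16_t dport;
};

/* Assumed gateway with three interfaces; the internal net is 10.1.0.0/16. */
static const uint32_t gw_addrs[] = {
    IP4(10, 1, 0, 1), IP4(192, 0, 2, 1), IP4(198, 51, 100, 1),
};
#define INTERNAL_NET  IP4(10, 1, 0, 0)
#define INTERNAL_MASK IP4(255, 255, 0, 0)

/* The policy from the mail written once with "any destination" instead of
 * once per gateway address: internal hosts may reach port 23 (telnet),
 * everybody else may not. */
static const struct rule blocking_rules[] = {
    { ACCEPT, INTERNAL_NET, INTERNAL_MASK, 0, 23 },
    { DENY,   0,            0,             0, 23 },
};

static int is_local(uint32_t daddr)
{
    for (size_t i = 0; i < sizeof gw_addrs / sizeof gw_addrs[0]; i++)
        if (gw_addrs[i] == daddr)
            return 1;
    return 0;
}

/* First matching rule decides; no match means accept (an assumption of this
 * model only). */
static int blocked_by_firewall(const struct packet *p)
{
    for (size_t i = 0; i < sizeof blocking_rules / sizeof blocking_rules[0]; i++) {
        const struct rule *r = &blocking_rules[i];
        if ((p->saddr & r->src_mask) != r->src_net) continue;
        if (r->dst && r->dst != p->daddr) continue;
        if (r->dport && r->dport != p->dport) continue;
        return r->act == DENY;
    }
    return 0;
}

/* Unpatched ordering: the blocking firewall runs before the "is it for us"
 * test, so transit packets are subject to the same rules. */
enum verdict ip_rcv_unpatched(const struct packet *p)
{
    if (blocked_by_firewall(p))
        return BLOCKED;
    return is_local(p->daddr) ? DELIVER_LOCAL : FORWARD;
}

/* Patched ordering: packets not addressed to the gateway skip the blocking
 * firewall and go straight to the forwarder. */
enum verdict ip_rcv_patched(const struct packet *p)
{
    if (!is_local(p->daddr))
        return FORWARD;
    if (blocked_by_firewall(p))
        return BLOCKED;
    return DELIVER_LOCAL;
}

int main(void)
{
    /* Constructed sample packets: an outside host telnetting to the gateway,
     * the same host telnetting to an internal machine, an internal host
     * telnetting to the gateway. */
    const struct packet out_to_gw   = { IP4(203, 0, 113, 7), IP4(192, 0, 2, 1), 23 };
    const struct packet out_to_host = { IP4(203, 0, 113, 7), IP4(10, 1, 0, 42), 23 };
    const struct packet in_to_gw    = { IP4(10, 1, 0, 42),   IP4(10, 1, 0, 1),  23 };
    static const char *name[] = { "deliver locally", "forward", "blocked" };

    printf("outside -> gateway:23   unpatched=%s patched=%s\n",
           name[ip_rcv_unpatched(&out_to_gw)], name[ip_rcv_patched(&out_to_gw)]);
    printf("outside -> internal:23  unpatched=%s patched=%s\n",
           name[ip_rcv_unpatched(&out_to_host)], name[ip_rcv_patched(&out_to_host)]);
    printf("internal -> gateway:23  unpatched=%s patched=%s\n",
           name[ip_rcv_unpatched(&in_to_gw)], name[ip_rcv_patched(&in_to_gw)]);
    return 0;
}
```

The caveat the model makes visible: in the patched ordering nothing in this path looks at transit packets at all, so any filtering of forwarded traffic has to happen in the forwarding code rather than in the blocking rules.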