[2051] in linux-security and linux-alert archive
[linux-security] Re: IP Filters and Masq: last questions
daemon@ATHENA.MIT.EDU (Glynn Clements)
Fri Aug 14 09:43:08 1998
From: Glynn Clements <glynn@sensei.co.uk>
Date: Thu, 13 Aug 1998 17:22:10 +0100 (BST)
To: Mailing Lists <mlist@almerco.ca>
Cc: linux-security@redhat.com
In-Reply-To: <199808121909.PAA24949@cardinal.almerco.ca>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
Mailing Lists wrote:
> I have some last questions about IP and Masq.
>
> This is the network configuration I have now:
>
> |INTERNET|---|CISCO|---<DMZ>---|FIREWALL, IP+MASQ|---|INTERNAL NET|
>
> The firewall is a minimal RH51 that only accepts SSH connections from
> selected hosts and has no redir software.
>
> From the comments I've been receiving, I know that tcp connections are
> secured. What about udp, icmp, ipx/spx or any other I don't know about?
> Are they blocked too, or do they pass through?
It depends upon how the firewall is configured. If your only
forwarding rule is one which masquerades packets coming from the
internal network, then you're safe; nothing else will be forwarded.
E.g. if you have:
ipfwadm -Fp reject
ipfwadm -Fma accept -S x.x.x.x/x
where x.x.x.x/x is the internal network, then packets from the
internal network will be forwarded and masqueraded, any replies (or
related ICMP errors) will be demasqueraded and forwarded, and anything
else will be rejected.
This assumes that you also have something like:
ipfwadm -Ia accept -S x.x.x.x/x -W eth0
ipfwadm -Ia reject -S x.x.x.x/x
to prevent IP spoofing (assuming that eth0 is connected to the
internal network). You can't do this in the forwarding rules as -W/-V
in forwarding rules refers to the destination interface.
Note that the kernel's IP forwarding only applies to IP. It won't
forward non-IP packets (e.g. IPX, AppleTalk, ...).
> If they pass, what measures do I have to filter or block them?
Just ensure that your default forwarding policy is reject or deny, and
only forward the traffic that you want to. With masquerading, you
don't need to explicitly forward any inbound packets.
--
Glynn Clements <glynn@sensei.co.uk>
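Added illustration (not part of the original post or of ipfwadm): a small first-match evaluator that models the four rules in the reply above, so the effect of the reject policy, the masquerading rule and the anti-spoofing input rules can be checked against sample packets. The internal network 192.168.1.0/24, the interface names, the firewall address 203.0.113.5, the masquerade port choice and the packets are all constructed assumptions.

```python
import ipaddress

# Constructed model of the ruleset in the reply; a simplification, not ipfwadm itself.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # the "x.x.x.x/x" of the post
INTERNAL_IF = "eth0"                                    # connected to the internal net
EXTERNAL_ADDR = ipaddress.ip_address("203.0.113.5")     # firewall's DMZ-side address

# Input chain (ipfwadm -I): checked on arrival; -W is the *receiving* interface.
#   ipfwadm -Ia accept -S 192.168.1.0/24 -W eth0
#   ipfwadm -Ia reject -S 192.168.1.0/24
INPUT_RULES = [("accept", INTERNAL_NET, INTERNAL_IF), ("reject", INTERNAL_NET, None)]
# Forwarding chain (ipfwadm -F): default policy reject, one masquerading accept.
#   ipfwadm -Fp reject
#   ipfwadm -Fma accept -S 192.168.1.0/24
FORWARD_RULES = [("accept+masq", INTERNAL_NET)]
FORWARD_POLICY = "reject"

masq_table = {}  # (remote_ip, proto, masq_port) -> (internal_ip, internal_port)

def input_chain(pkt):
    """First matching -I rule wins; no match falls through to a default accept."""
    src = ipaddress.ip_address(pkt["src"])
    for action, net, iface in INPUT_RULES:
        if src in net and (iface is None or iface == pkt["in_if"]):
            return action
    return "accept"

def forward(pkt):
    """Return what the firewall does with a packet arriving on pkt['in_if']."""
    if pkt["proto"] not in ("tcp", "udp", "icmp"):
        return "dropped: kernel forwards IP only"       # IPX, AppleTalk, ... never forwarded
    if input_chain(pkt) == "reject":
        return "rejected: spoofed internal source"     # internal address on the wrong interface
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    # Reply to a masqueraded flow: rewritten back to the internal host, no -F rule needed.
    key = (src, pkt["proto"], pkt.get("dport"))
    if dst == EXTERNAL_ADDR and key in masq_table:
        return "demasqueraded to %s:%d" % masq_table[key]
    for action, net in FORWARD_RULES:
        if src in net:
            masq_port = 61000 + len(masq_table)          # constructed port allocation
            masq_table[(dst, pkt["proto"], masq_port)] = (str(src), pkt.get("sport", 0))
            return "masqueraded as %s:%d" % (EXTERNAL_ADDR, masq_port)
    return FORWARD_POLICY                                # everything else: default policy
```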