At 02:11 PM 10/29/98 +0100, you wrote:
>Hello,
>
>I have a general question to ask about masquerading. I've read all the
>FAQs & HOWTOs, and I found all the technical documentation about
>masquerading & firewalling, and I'm ready now to put it on my Linux box.
>
>But there is still one question:
>
>For now, if I just want to do firewalling, I only have to set it with
>ipfwadm -I and -O. In every script that I read about masquerading,
>there were always such orders:
>
>ipfwadm -I ...             # fix-up input
>ipfwadm -O ...             # fix-up output
>
>and then in addition,
>ipfwadm -F ...             # fix-up forwarding (and thus masquerading with -m)
>
>But is it necessary to use the two kinds of commands (-I & -O) before
>performing masquerading rules (-F -m)? Are the masquerading rules not
>consistent by themselves? Why?
-I rules are for what packets can come into the Linux box - that is, the -I
rules are matched against packets as soon as they come in an interface. This
is useful for rejecting packets that are forged (that come from the wrong
network) or to keep people out of the Linux box itself.

-O rules are matched against packets just before they go to a physical
interface for transmission. This is useful in order to make sure that the
Linux box doesn't accidentally send out packets where they don't belong.
Usually you won't use many of these.

-F rules determine which packets are forwarded. That is, which packets will
this box resend for someone else. This is also where masquerading is
configured, because it allows you to decide what to masquerade. For
instance, if you have 3 network connections, one to the internet, and two
to separate internal networks, you would masquerade connections to the
internet, but not connections between internal networks.

>However, if I have a POP3 server located somewhere in my inside network,
>will it still work with IP masquerade? I guess I mustn't masquerade it
>in this case. Please confirm.

Well, if you want to access it from outside your network, you'll need to
use ipportfw or something similar, and, yes, you will masquerade connections
from the outside world coming in to that port. The outside world will
attempt to use the pop port on the router, which will masquerade and
re-direct that connection to the internal machine.


>Thank you for helping,
>
>
>       Eric :)
>
Michael Kohne
[EMAIL PROTECTED]
"Evolution is God's version of domino rally"

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
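A complete ipfwadm/ipportfw ruleset for the setup the reply describes (three interfaces, forwarding masqueraded only toward the internet, inbound POP3 redirected to an inside server), added here as an example; it is not from either poster. Interface names and addresses are constructed, and by default the script only prints the rules, so it can be read on any machine; set IPFWADM=ipfwadm IPPORTFW=ipportfw (as root, on a 2.0-era kernel) to apply them.

```shell
#!/bin/sh
# Added example: ipfwadm/ipportfw rules for a router with one internet link
# and two internal networks. Defaults to printing the commands (dry run).
IPFWADM=${IPFWADM:-"echo ipfwadm"}
IPPORTFW=${IPPORTFW:-"echo ipportfw"}

EXT_IF=eth0                 # interface toward the internet (constructed)
EXT_IP=203.0.113.10         # router's public address (constructed)
LAN_A=192.168.1.0/24        # first internal network (constructed)
LAN_B=192.168.2.0/24        # second internal network (constructed)
POP3_SRV=192.168.1.5        # internal POP3 server (constructed)

apply_rules() {
    # Flush all three chains and fail closed: unmatched packets are denied.
    for chain in I O F; do
        $IPFWADM -$chain -f
        $IPFWADM -$chain -p deny
    done

    # -I (input): anti-spoofing. A packet arriving on the internet interface
    # must never claim an internal source address; everything else comes in.
    $IPFWADM -I -a deny -W $EXT_IF -S $LAN_A
    $IPFWADM -I -a deny -W $EXT_IF -S $LAN_B
    $IPFWADM -I -a accept

    # -O (output): as the reply says, usually little is needed here.
    $IPFWADM -O -a accept

    # -F (forward): traffic between the two internal networks is forwarded
    # unchanged; traffic from either network to the internet is masqueraded
    # (-m is only meaningful on accept rules in the forwarding chain).
    $IPFWADM -F -a accept -S $LAN_A -D $LAN_B
    $IPFWADM -F -a accept -S $LAN_B -D $LAN_A
    $IPFWADM -F -a accept -m -S $LAN_A -D 0.0.0.0/0 -W $EXT_IF
    $IPFWADM -F -a accept -m -S $LAN_B -D 0.0.0.0/0 -W $EXT_IF

    # Inbound POP3 (tcp/110) aimed at the router's public address is
    # redirected to the internal server, which is what ipportfw does.
    $IPPORTFW -C
    $IPPORTFW -A -t$EXT_IP/110 -R $POP3_SRV/110
}

apply_rules
```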
