>ipfwadm -I -i deny -P tcp -S 24.48.0/0/0/0 0 -D localhost 0 -e -v
>ipfwadm -I -i deny -P udp -S 24.48.0/0/0/0 0 -D localhost 0 -e -v

Your syntax is wrong.  Also, understand that you must NOT filter
out your own IP subnet.  Since you are on the 24.x.x.x Class-A, 
you are with TCI.net and/or @Home.  Do you get a static IP
or an IP via DHCP?

Regardless, if any of the cablemodem's news, mail, etc servers
are in this 24.48.x.x subnet, communications for NNTP, mail, 
etc will NOT get to you.

Anyway, try this:

NOTES:

        1) Removing the -P tcp and -P udp is fine.  Without 
                specifically mentioning them, TCP, UDP, and
                ICMP should be DENIED!


        2) I'm assuming that eth0 is the ethernet card to
           the cablemodem

        3) I always recommend to REJECT traffic.  This makes your
           machine look as if it's not ABLE to do TELNET, FTP, etc.
           I.e.  try telnetting to a windows95/NT machine.  Then
                 try telnetting to a Linux box that denies that traffic.
                 They react differently.

--<begin>--

# Grab the IP address currently bound to eth0 (backticks run the pipeline)
extnic=`/sbin/ifconfig | grep -A 4 eth0 | awk '/inet/ { print $2 }' | sed -e s/addr://`

ipfwadm -I -i reject -S 24.48.0.0/16 -D $extnic/32 -o

--<end>--


>What would the proper syntax be for ipfwadm for this?  I basically want
>to block everything, so my ISP can see my cable modem, and nothing else
>beyond it. (my cable modem goes to the linux box)

To be honest Phil, you should be a LOT more anal retentive than
this.  I personally only allow a FEW IPs into my Cablemodem attached
Linux box for TELNET, FTP, etc.  Then, beyond SMTP and DNS, I REJECT 
all other traffic.  If you would like to see my firewall ruleset, 
lemmie know.  I've posted about 5 times to the list in the last week
or so.

I will post all these changes to my TrinityOS doc but I've been too
busy.

--David
.----------------------------------------------------------------------------.
|  David A. Ranch - Remote Access/Linux/PC hardware      [EMAIL PROTECTED]  |
!----                                                                    ----!
`----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
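
The caveat above about the ISP's news and mail servers sitting inside the blocked 24.48.x.x range, as an added example (not part of the original post): the script checks each server address against the block and prints accept rules for the ones inside it ahead of the reject rule. The server and local addresses are constructed sample values, and the rules use -a (append) rather than the post's -i so that the printed order is the order the rules are checked in. Nothing is executed; the commands are only printed.

```shell
#!/bin/sh
# Added example: emit ipfwadm input rules that reject a source block while
# exempting ISP servers that live inside it. Prints commands; runs nothing.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into its four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 falls inside CIDR block $2 (e.g. 24.48.0.0/16).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# build_rules BLOCK LOCAL_IP SERVER...
# Accept rules are appended first so they are matched before the reject rule.
build_rules() {
    block=$1; me=$2; shift 2
    for srv in "$@"; do
        if in_cidr "$srv" "$block"; then
            echo "ipfwadm -I -a accept -S $srv/32 -D $me/32"
        fi
    done
    echo "ipfwadm -I -a reject -S $block -D $me/32 -o"
}

# Constructed sample values: local address, then ISP news/mail/DNS servers.
build_rules 24.48.0.0/16 24.48.7.20 24.48.1.10 24.48.1.25 24.0.0.53
```

Servers outside the block (24.0.0.53 in the sample) get no accept rule because the reject rule never matches them.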