OK, I have been getting closer, but there are problems.
Some problems: after I rebooted to make sure all was starting correctly on
bootup, my hard drive access light never went off; it stayed on until I
disabled my script that enabled my ipfw rules.
Which leads me to the other problem: it doesn't work. I am using the script
in the IP Masquerading HOWTO (section 4.4 of the HOWTO?), although I have
modified it somewhat. Here it is:
#!/bin/sh
#
# /etc/rc.d/rc.firewall, define firewall config,
# invoked from rc.local
#
# testing: wait a bit longer, then clear all firewall rules
# uncomment the following lines if you want the firewall to
# automatically disable itself after 10 minutes
# (sleep 600;\
# ipfwadm -T -f;\
# ipfwadm -I -p accept;\
# ipfwadm -O -f;\
# ipfwadm -O -p accept;\
# ipfwadm -F -f;\
# ipfwadm -F -p accept;\
# ) &
# incoming, flush and set default policy of deny, which is useless
# because of the catch-all with deny and log
ipfwadm -I -f
ipfwadm -I -p deny
# local interface, local machines, going anywhere is valid
ipfwadm -I -a accept -V 192.168.60.69 -S 192.168.0.0/16 -D 0.0.0.0/0
# remote interface, claiming to be local machines is invalid, deny
ipfwadm -I -a deny -W eth0 -S 0.0.0.0/0
# remote interface, any source, going to roadrunner IP is fine
ipfwadm -I -a accept -W eth0 -S 0.0.0.0/0 -D my.static.ip.addy/32
# loopback device is valid
# ipfwadm -I -a accept 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# here's the catch-all rule, all other incoming is denied and logged
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
# forwarding, flush and set all to deny, which is useless
# because of the catch-all
ipfwadm -F -f
ipfwadm -F -p deny
# Masquerade from local net on local interface to anywhere
ipfwadm -F -a masquerade -W tcp -S 192.168.0.0/16 -D 0.0.0.0/0
# here's the catch-all rule, all others denied and logged
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
The loopback line that is commented out is that way because it gave me errors
(I think it was "invalid argument"). The only change was my IP (my own little
paranoia).
FYI, the Linux box can telnet, ftp, use www, etc., and can ping the local
machines (and they can ping the Linux box), but they can't see the outside
world. Also, both NICs are being started prior to this file being executed
(shouldn't make a difference though, right?).
Just in case: I am using RH5.0 with a 2.0.36 kernel, and the ipfwadm that
came in RH5.0 (sorry, don't know the version).
Please keep in mind that I am not entirely new to the Unix world, but have
only been doing admin stuff for a few weeks, and masq is fairly new to me
altogether.
Any input/advice will be GREATLY appreciated.
Thanks in advance.
--
Ben Snyder
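A static sanity check over a rule script like the one in the post, as an added example (this is not code from the post, the HOWTO, or the ipfwadm project). It assumes the ipfwadm switch meanings from the ipfwadm manual: -I/-O/-F select the input, output and forwarding rule sets; -f flushes; -p sets the policy; -a appends a rule; -S/-D are source/destination; -W names an interface; -V gives an interface address; -P is the protocol; -o logs matches. The sample rule set below is constructed from the rules in the post and is only there to exercise the checks.

```python
import shlex

# ipfwadm switches this checker understands (meanings assumed from the ipfwadm manual).
CHAIN_FLAGS = {"-I": "input", "-O": "output", "-F": "forwarding"}
VALUE_FLAGS = {"-S": "src", "-D": "dst", "-W": "iface", "-V": "iface_addr", "-P": "proto"}
PROTOCOL_NAMES = {"tcp", "udp", "icmp", "all"}


def parse_rule(line):
    """Parse one 'ipfwadm ...' line into a dict; return None for comments/blank lines."""
    line = line.strip()
    if not line.startswith("ipfwadm"):
        return None
    toks = shlex.split(line)
    rule = {"chain": None, "cmd": None, "target": None, "log": False, "bare": []}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in CHAIN_FLAGS:
            rule["chain"] = CHAIN_FLAGS[t]
        elif t == "-f":
            rule["cmd"] = "flush"
        elif t in ("-p", "-a"):
            rule["cmd"] = "policy" if t == "-p" else "append"
            i += 1
            rule["target"] = toks[i] if i < len(toks) else None
        elif t in VALUE_FLAGS:
            i += 1
            rule[VALUE_FLAGS[t]] = toks[i] if i < len(toks) else None
        elif t == "-o":
            rule["log"] = True
        elif t.startswith("-"):
            rule.setdefault("other", []).append(t)
        else:
            # A value with no switch in front of it: ipfwadm takes no positional arguments here.
            rule["bare"].append(t)
        i += 1
    return rule


def lint_rules(script):
    """Return a list of (line_no, message) findings for an ipfwadm rule script."""
    findings = []
    chains = {}  # chain name -> [(line_no, rule), ...] in script order
    for n, raw in enumerate(script.splitlines(), 1):
        r = parse_rule(raw)
        if r is None:
            continue
        chains.setdefault(r["chain"], []).append((n, r))
        if r["bare"]:
            findings.append((n, "value(s) %s have no switch in front of them; "
                                "ipfwadm rejects this (missing -W/-V/-S/-D?)" % r["bare"]))
        if r.get("iface") in PROTOCOL_NAMES:
            findings.append((n, "-W takes an interface name, %r is a protocol "
                                "(did you mean -P %s or -W <iface>?)" % (r["iface"], r["iface"])))
    for chain, rules in chains.items():
        appends = [(n, r) for n, r in rules if r["cmd"] == "append"]
        if not appends:
            continue
        if not any(r["cmd"] == "flush" for _, r in rules):
            findings.append((appends[0][0], "%s chain is never flushed (-f); "
                                            "rules left from an earlier run stay in front of these" % chain))
        if all(r["target"] == "deny" for _, r in appends):
            findings.append((appends[0][0], "%s chain contains only deny rules; "
                                            "check the chain letter (-I/-O/-F)" % chain))
    return findings


# Constructed sample: the live rules from the post, with the loopback line left uncommented.
SAMPLE = """\
ipfwadm -I -f
ipfwadm -I -p deny
ipfwadm -I -a accept -V 192.168.60.69 -S 192.168.0.0/16 -D 0.0.0.0/0
ipfwadm -I -a deny -W eth0 -S 0.0.0.0/0
ipfwadm -I -a accept 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -a masquerade -W tcp -S 192.168.0.0/16 -D 0.0.0.0/0
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
"""

if __name__ == "__main__":
    for line_no, msg in lint_rules(SAMPLE):
        print("line %d: %s" % (line_no, msg))
```

The checker only reads the script; it never loads rules, so it can be run on a copy of /etc/rc.d/rc.firewall before rebooting. Each finding names the line and the switch it concerns, which is the information a reply on the list would need.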