Hello again,

Marc Cassuto wrote:
> So does that mean I have to write -I rules AND -O rules
> for BOTH NICs?

It means you can write input, output and forward rules.  You don't have to
write them all.  Whether you do depends on the level of security you need.

The default policy (on a clean boot) is accept for all three rules.  I
always explicitly create the default policy for safety in my rule sets to
make sure that what I think will happen does.

Many people only write input (stop bad stuff from coming into your system)
and forward rules (making the assumption that what you're sending out is
safe).

You generally only need to write specific rules for an interface that
connects to the outside.  It is always safest to default to deny or reject
for interfaces that connect to outside traffic.  The internal NIC can
default to being open if your machine is the only machine that connects to
the outside.  If more than one machine connects to the outside then you
should write rules for both NICs.

> From Lourdes A. Jones's email:
>
> He helped me a lot to clarify this previous mechanism.

Thank you; for future reference, I am a she. :)

> So you mean Forward rules are led by the Output ones?

Yes, see below for more explanation.

> Can you explain the way the -F works?

Forward rules apply to packets that begin and end outside your machine.
They specify what can pass through your machine.

> Can I have the same Forwarded behavior with
> the rules -I & -O ?

If you want to replace forward with input and output the answer is no.
Input rules say what comes into your machine, output rules say what leaves
your machine, forward rules say what goes through your machine after it has
already gone through the input and output rules.  It's an additional step.

> From the French Firewall-HOWTO translated by B. Choppy.
> This rule would allow web connections to an external Web server.

Thank you, I haven't read it; my French does not exist, just Spanish and
English.  But the rule is backwards if that was the intent.

> I'm starting to be very confused: when do I know
> a packet has to be forwarded?

When it begins and ends on a different machine than the one that you are
setting up the rules for.

Just to clarify:
I'm assuming you are setting up rules for a firewall machine:

+---------+     +----------+     +------------------+
| outside |-----| firewall |-----| internal network |
+---------+     +----------+     +------------------+

Rules for outside to firewall are input.
Rules for internal network to firewall are input.
Rules for firewall to outside are output.
Rules for firewall to internal network are output.
Rules for outside to internal network are input, output and forward.
Rules for internal network to outside are input, output and forward.

Forward rules just say if it is ok to send traffic from one side of the
firewall to the other (traffic does or does not stop at this machine).  You
have input and output rules in addition to forward rules because the packet
has to go in and out of the firewall machine before it can get to the other
side.
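The following script is an added example (it is not part of Lourdes's mail) that turns the layout above into an explicit ipchains rule set: every policy is set by hand, the outside NIC defaults to deny, the internal NIC is left open on the assumption that the firewall is the only box talking to the outside, and crossing traffic gets an input, a forward and an output rule. The interface names eth0/eth1 and the 192.168.1.0/24 subnet are assumed placeholders. With DRY_RUN=1 (the default) the `fw` wrapper prints each command instead of running it, so the rule set can be reviewed on any machine without ipchains.

```shell
#!/bin/sh
# Added example for the outside | firewall | internal network layout.
# Assumed placeholders: eth0 faces outside, eth1 faces the internal LAN.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed internal subnet

# Print the command (DRY_RUN=1) or run ipchains for real (DRY_RUN=0).
fw() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

apply_rules() {
    # Start from a known state: flush all three chains, then set the
    # default policy explicitly so a typo later leaves the box closed.
    for chain in input output forward; do
        fw -F "$chain"
    done
    fw -P input DENY        # outside traffic is denied unless allowed below
    fw -P output ACCEPT     # what the firewall itself sends is trusted
    fw -P forward DENY      # nothing crosses the firewall by default

    # Loopback and the internal NIC are open (only this box reaches outside).
    fw -A input -i lo -j ACCEPT
    fw -A input -i "$INT_IF" -s "$INT_NET" -j ACCEPT

    # Anti-spoofing: internal addresses must never arrive on the outside NIC.
    # -l logs the match so spoofing attempts show up in the kernel log.
    fw -A input -i "$EXT_IF" -s "$INT_NET" -l -j DENY

    # Outside -> firewall and outside -> internal (input leg):
    # "! -y" matches TCP packets that are not a connection-opening SYN,
    # i.e. replies to connections started from our side.
    fw -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    fw -A input -i "$EXT_IF" -p udp -s 0/0 53 -j ACCEPT   # DNS replies
    fw -A input -i "$EXT_IF" -p icmp -j ACCEPT            # errors, path MTU
    # Everything else from outside is logged and dropped.
    fw -A input -i "$EXT_IF" -l -j DENY

    # Forward leg. In ipchains the -i option on the forward chain names the
    # interface the packet will LEAVE on.
    # internal network -> outside: anything our LAN starts may cross.
    fw -A forward -i "$EXT_IF" -s "$INT_NET" -j ACCEPT
    # outside -> internal network: only non-SYN TCP replies may cross.
    fw -A forward -i "$INT_IF" -d "$INT_NET" -p tcp ! -y -j ACCEPT
    # The output leg for both directions is covered by the ACCEPT policy.
}

apply_rules
```

Run it as-is to review the commands, then `DRY_RUN=0 sh firewall.sh` as root on the ipchains box to load them. Because the outside interface ends with a logging deny, anything the rule set rejects can be watched in the kernel log, which is the quickest way to check that "what I think will happen does".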

> Have a nice weekend (in Cairo it's Friday and Saturday!)

You too,

Lourdes
