Firewall config.


tvlad

After getting white hair, I managed to modify the ip-masq howto to fit my own needs. I'm thinking of also blocking some ports from the inside, like the ones for Kazaa, WinMX, ..., because I don't want one guy to eat the bandwidth of all.

 

What other ports should I block from the inside?

 

From the outside there is no problem, because the fw is a stateful one and, plus, I blocked all ICMP, TCP and UDP input on the external interface.


I presume the server has 2 network interfaces and you run MDK 9.0.

 

I don't know what you mean by 'modify the ip-masq', but it would have been really easy using Shorewall, the default firewall on MDK 9. By default all requests from the web to your lan/masq are blocked. To block all requests from your lan/masq to the net you could put the following in /etc/shorewall/policy:

 

fw	net	DROP
loc	net	DROP
masq	net	DROP

 

Now, to allow your lan to surf the web (if you want them to), just put the following in /etc/shorewall/rules:

 

ACCEPT  fw	net	tcp	80	-
ACCEPT  loc	net	tcp	80	-
ACCEPT  masq	net	tcp	80	-

 

If you want to allow only one of them, then put masq:ip in /etc/shorewall/rules instead of just masq. Like that:

 

ACCEPT  masq:192.168.1.100	net	tcp	80	-

 

Now restart Shorewall by typing 'service shorewall restart'.

 

Hope that helps

 

MOttS


I understand that you don't want one person to have all the bandwidth, but if you also want to allow other connections than TCP, there is a very good website that tells you which program uses which ports and protocols and whether they are outgoing or incoming (you could also check the log of Shorewall).

(For example: Kazaa (I think), MSN, .....) I hope you only block what is needed. Some things are just pleasant.

Here is the link:

 

http://www.pcflank.com/


By "modify the ip masq howto" I mean that I took their firewall config from chapter 6.4 as a starting point and adapted it to my needs.

 

masq = masquerade

 

I knew that masq = masquerade, man..

 

And you took their firewall config --> what are you talking about? From which website, for which firewall?

 

I still don't know what you did, which OS you are using, firewall brand/version ...

 

Check /etc/services for a list of ports to block/accept if you only need that info. Once you are done, check your security with that:

 

http://www.google.ca/search?hl=en&lr=&ie=U...ty+test&spell=1

 

MOttS


If you were using Shorewall, the question would not be

 

'What other ports should I block from the inside?'

 

but 'Which ports should I let my users access?' .. which is easier to answer.

 

MOttS


And you took their firewall config --> what are you talking about? From which website, for which firewall?

 

From here:

http://www.tldp.org/HOWTO/IP-Masquerade-HO...-2.4.X-STRONGER

 

I knew about pcflank, it's not that good.

 

'Which ports should I let my users access?' .. which is easier to answer.

This is the question I should have asked, it makes much more sense.

 

The "server" is a P200 MMX, 32 MB, 1 MB S3, running Mdk 9. And I am not running Shorewall, or Firestarter, or something similar.

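The thread ends on MOttS's point that the useful question is "which ports should I let my users access", and on tvlad's statement that he runs a hand-adapted iptables ruleset rather than Shorewall. The script below is an added example (not from the thread, not from the IP-Masquerade HOWTO, and not Shorewall's own configuration) that expresses the Shorewall policy "loc net DROP" plus explicit ACCEPT rules directly as iptables commands for a two-interface masquerading gateway. Interface names (eth0 external, eth1 internal), the LAN range 192.168.1.0/24 and the allowed port lists are assumptions; the script only prints the commands unless APPLY=1 is set, so the generated ruleset can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Egress allow-list for a two-NIC masquerading gateway. Added example, not
# code from the thread or the HOWTO. All values below are assumptions: set
# EXT_IF, INT_IF, LAN, ALLOW_TCP and ALLOW_UDP to match the real gateway.
EXT_IF="${EXT_IF:-eth0}"             # interface facing the net
INT_IF="${INT_IF:-eth1}"             # interface facing the LAN
LAN="${LAN:-192.168.1.0/24}"         # set to a single host (192.168.1.100) to scope the allow-list like masq:ip
ALLOW_TCP="${ALLOW_TCP:-80 443}"     # TCP services the LAN may reach; everything else is dropped
ALLOW_UDP="${ALLOW_UDP:-53}"         # UDP services the LAN may reach (DNS)

# emit: print an iptables command, or run it when APPLY=1 (requires root).
emit() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# gen_rules: the complete forwarding ruleset, equivalent to a Shorewall
# policy of "loc net DROP" followed by per-port ACCEPT rules.
gen_rules() {
    # Start clean and default-deny everything routed between LAN and net.
    emit -F FORWARD
    emit -P FORWARD DROP
    # Stateful: replies to connections we allowed come back on their own,
    # so only NEW outbound connections need explicit rules.
    emit -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOW_TCP; do
        emit -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOW_UDP; do
        emit -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -p udp --dport "$p" -j ACCEPT
    done
    # Log (rate-limited) what the LAN tried and was refused: the log answers
    # "which ports do my users actually need" without opening anything.
    emit -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix "LAN-EGRESS-DROP: "
    # Masquerade the LAN behind the external address.
    emit -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# count_allow: number of per-port ACCEPT rules in the generated set,
# handy for checking that the allow-list is exactly what you intended.
count_allow() {
    gen_rules | grep -c -- '--dport'
}

gen_rules
```

Run it as-is to see the ruleset; run `ALLOW_TCP="80 443 993" sh egress.sh` to widen the list, or `LAN=192.168.1.100` to apply it to one host only. Because the default policy is DROP and the LOG rule sits after the ACCEPTs, nothing the LAN needs can be forgotten silently: it shows up in the kernel log with the LAN-EGRESS-DROP prefix, which is the "check the log" step MOttS mentions.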
