fiaif questions

Anders Fugmann
Thu Mar 13 23:38:52 CET 2003


Craig Reeson wrote:
> Anders/list
> 
> just wanted to check a few things
> 
> first, are my rules ok? (see attachments)

I assume that you forgot the redirect rule:
REDIRECT_WEB="tcp 443 0.0.0.0/0=>210.50.54.142/32 192.168.10.20:443"
If this is true, then you should delete the first INPUT rule, as packets 
for these ports are redirected, and no packets should ever be matched by 
this rule.

Also I think (I cannot remember exactly) that you do not need to open 
for ftp-data connections, as the ftp_conntrack module should take care 
of this. (Try deleting the redirect rule for port 20 and don't accept it 
in the forward rules for zone.int.)

I guess that you want a very tight dmz. If this is true, you should try 
and restrict access from the DMZ to the EXT zone, by changing the 
FORWARD rules in zone.ext. This way if a hacker ever gets through to any 
servers in the DMZ, they cannot use them to abuse the internet. Of 
course it all depends on what the servers in the DMZ need in terms of 
internet access in order to function correctly.

Something like:
FORWARD[0]="INT ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD[1]="DMZ ACCEPT TCP domain 0.0.0.0/0=>DOMAIN_SERVERS"
FORWARD[2]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

And put
DOMAIN_SERVERS="1.2.3.4 3.4.5.6"
in /etc/fiaif/aliases

Assuming that all the servers in the DMZ need is to be allowed to make 
DNS lookups on 'DOMAIN_SERVERS'.

Otherwise the rules look good.

A general note on the setup.
It seems that you have lots of servers, and I would recommend not to do 
any redirection to your internal zone if possible. This would minimize 
the possibility of unauthorized access to the internal network. Services 
such as ftp are considered dangerous and should be placed on servers in 
the DMZ.

I see that your firewall also has a Squid proxy running on it.
If all was perfect, you would add another NIC and zone for services 
available to machines in the internal zone, such as proxy, DNS servers 
etc. Then you could close off the firewall and only allow ssh to the 
firewall box. But that's secondary and only adds minor extra security.

> 
> Second, I'm trying to get a pptp connection happening to one of the servers
> in the dmz. Fiaif is dropping the packets:
You may want to add pptp protocol support to netfilter using 
"patch-o-matic". See 
http://www.netfilter.org/documentation/pomlist/pom-extra.html
(scroll down to pptp support.)

> [FIAIF_DROP]:IN=eth0 OUT=eth2 SRC=203.51.165.243 DST=210.50.54.226 LEN=57
> TOS=0x00 PREC=0x00 TTL=113 ID=41658 PROTO=47
> 
> How do I enable access for proto 47?
Specify the protocol as '47' and do not add any port specification.
Example:
FORWARD[n]="EXT ACCEPT 47 203.51.165.243/32=>210.50.54.226/32"


> 
> Regards,
> 
> Craig Reeson  RHCE
> Senior Engineer
> Bluechip Infotech
> Ph. (02) 8745 8465
> Mob. 0413 018602
> 
> (See attached file: zone.dmz)(See attached file: zone.ext)(See attached
> file: zone.int)
> 

Regards
Anders Fugmann

P.S. Please do not add a disclaimer when sending to this list, as any 
reader of the fiaif mailing list (or archives) is the "entity intended" 
of your message.
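The tight-DMZ forward policy and the protocol-47 rule from the reply above, pulled together as one added configuration example in the fiaif rule syntax used in this thread. It is not part of the original message and not taken from fiaif's own documentation. It goes beyond the reply in one respect: it opens DNS over UDP as well as TCP, since ordinary lookups use UDP and only large answers and zone transfers fall back to TCP. The zone names INT, DMZ and EXT, the alias values, the PPTP client and server addresses, and the placement of the GRE rule in zone.dmz (on the reading that a zone file's FORWARD rules name the source zone of traffic leaving through that zone's interface, as the zone.ext fragment in the reply does) are assumptions.

```bash
# /etc/fiaif/aliases (assumed contents; names resolved inside rules)
DOMAIN_SERVERS="1.2.3.4 3.4.5.6"
PPTP_CLIENT="203.51.165.243/32"
PPTP_SERVER="210.50.54.226/32"

# /etc/fiaif/zone.ext, FORWARD section (traffic leaving via the external NIC)
#
# Weak setting: any zone may reach anything on the Internet, so a
# compromised DMZ host can be used to attack third parties.
#   FORWARD[0]="ALL ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
#
# Corrected: internal hosts may go out unrestricted; DMZ hosts may only
# resolve names against the listed resolvers; everything else is dropped.
FORWARD[0]="INT ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD[1]="DMZ ACCEPT UDP domain 0.0.0.0/0=>DOMAIN_SERVERS"
FORWARD[2]="DMZ ACCEPT TCP domain 0.0.0.0/0=>DOMAIN_SERVERS"
FORWARD[3]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"

# /etc/fiaif/zone.dmz, FORWARD section (traffic leaving via the DMZ NIC)
#
# PPTP needs TCP 1723 for control and GRE (IP protocol 47) for the tunnel.
# GRE has no ports, so the protocol number stands alone with no port field.
# Restricting the source to the single PPTP client keeps the GRE hole small.
FORWARD[0]="EXT ACCEPT TCP 1723 PPTP_CLIENT=>PPTP_SERVER"
FORWARD[1]="EXT ACCEPT 47 PPTP_CLIENT=>PPTP_SERVER"
FORWARD[2]="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"
```

Two practical checks after loading this: watch the firewall log for FIAIF_DROP lines with OUT=<external interface> from DMZ addresses, which reveals any other outbound service the DMZ hosts actually need, and remember that accepting GRE in the forward path only helps if the kernel can track it; without the PPTP conntrack/NAT support the reply points to, replies for NATed PPTP sessions will still not be matched.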