Thu Mar 13 23:38:52 CET 2003
Craig Reeson wrote:
> just wanted to check a few things
> first, are my rules ok? (see attachments)
I assume that you forgot the redirect rule:
REDIRECT_WEB="tcp 443 0.0.0.0/0=>188.8.131.52/32 192.168.10.20:443"
If this is true, then you should delete the first INPUT rule, as packets
for these ports are redirected, and no packets should ever be matched by
Also I think (I cannot remember exactly) that you do not need to open
for ftp-data connections, as the ftp_conntrack module should take care
of this. (Try deleting the redirect rule for port 20 and don't accept it
in the forward rules for zone.int.)
I guess that you want a very tight DMZ. If this is true, you should try
and restrict access from the DMZ to the EXT zone by changing the
FORWARD rules in zone.ext. This way, if a hacker ever gets through to any
servers in the DMZ, they cannot use them to abuse the internet. Of
course it all depends on what the servers in the DMZ need in terms of
internet access in order to function correctly.
FORWARD="INT ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0"
FORWARD="DMZ ACCEPT TCP domain 0.0.0.0/0=>DOMAIN_SERVERS"
FORWARD="ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0"
Assuming that all the servers in the DMZ need is to be allowed to make
DNS lookups on 'DOMAIN_SERVERS'.
Otherwise the rules look good.
A general note on the setup.
It seems that you have lots of servers, and I would recommend not doing
any redirection to your internal zone if possible. This would minimize
the possibility of unauthorized access to the internal network. Services
such as ftp are considered dangerous and should be placed on servers in
I see that your firewall also has a squid proxy running on it.
If all were perfect, you would add another NIC and zone for services
available to machines in the internal zone, such as the proxy, DNS servers
etc. Then you could close off the firewall and only allow ssh to the
firewall box. But that's secondary and only adds minor extra security.
> Second, I'm trying to get a pptp connection happening to one of the servers
> in the dmz. Fiaif is dropping the packets:
You may want to add pptp protocol support to netfilter using
(scroll down to pptp support.)
> [FIAIF_DROP]:IN=eth0 OUT=eth2 SRC=184.108.40.206 DST=220.127.116.11 LEN=57
> TOS=0x00 PREC=0x00 TTL=113 ID=41658 PROTO=47
> How do I enable access for proto 47?
Specify the protocol as '47' and do not add any port specification.
FORWARD[n]="EXT ACCEPT 47 18.104.22.168/32=>22.214.171.124/32"
> Craig Reeson RHCE
> Senior Engineer
> Bluechip Infotech
> Ph. (02) 8745 8465
> Mob. 0413 018602
> (See attached file: zone.dmz)(See attached file: zone.ext)(See attached
> file: zone.int)
P.S. Please do not add a disclaimer when sending to this list, as any
reader of the fiaif mailing list (or archives) is the "entity intended"
of your message.
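To see how the two suggestions in this reply play out (the tightened zone.ext FORWARD rules that only let the DMZ reach DOMAIN_SERVERS, and the port-less protocol-47 rule for PPTP), here is a small added example that replays a [FIAIF_DROP] log line and some constructed packets against a rule set written in the same "ZONE ACTION PROTO [PORT] SRC=>DST" style. It is written for this thread and is not fiaif's own code: fiaif's real matching is done by iptables, and the assumptions this toy makes (a rule in zone.X covers traffic forwarded from the named zone into X, first match wins, unmatched traffic is dropped, the eth0/eth1/eth2 to EXT/INT/DMZ mapping, the DOMAIN_SERVERS value and all addresses) are the example's, not the mailing-list author's. It also adds a UDP 53 rule beside the TCP one, since ordinary lookups are UDP, and a TCP 1723 rule beside the GRE rule, since PPTP needs both; both are this example's additions.

```python
"""Toy evaluator for fiaif-style FORWARD rules (added example, not fiaif code).

Assumptions made here, not taken from the fiaif sources:
  * a FORWARD rule in zone.X reads "FROMZONE ACTION PROTO [PORT] SRC=>DST"
    and governs traffic forwarded from FROMZONE into zone X;
  * rules are tried in order, the first match wins, and a packet that
    matches nothing is dropped;
  * the interface->zone map, the DOMAIN_SERVERS value, the addresses and
    the log line below are all constructed for this example.
"""
import ipaddress
import re

PROTO_NUMBERS = {"TCP": 6, "UDP": 17, "ICMP": 1, "GRE": 47}
PORT_NAMES = {"domain": 53, "http": 80, "https": 443, "ssh": 22, "pptp": 1723}
IFACE_ZONE = {"eth0": "EXT", "eth1": "INT", "eth2": "DMZ"}        # constructed
VARIABLES = {"DOMAIN_SERVERS": "198.51.100.53/32"}                 # constructed

LOG_FIELD = re.compile(r"(\w+)=(\S*)")


def proto_number(name):
    """'47' -> 47, 'TCP' -> 6, 'ALL' -> None (matches every protocol)."""
    name = name.upper()
    if name == "ALL":
        return None
    return int(name) if name.isdigit() else PROTO_NUMBERS[name]


def parse_rule(text, variables=None):
    """Parse 'FROMZONE ACTION PROTO [PORT] SRC=>DST' into a rule dict."""
    variables = variables or {}
    parts = text.split()
    if len(parts) not in (4, 5) or "=>" not in parts[-1]:
        raise ValueError(f"malformed rule: {text!r}")
    src, dst = parts[-1].split("=>", 1)
    port = None
    if len(parts) == 5:               # a port is only given for TCP/UDP rules
        port = int(parts[3]) if parts[3].isdigit() else PORT_NAMES[parts[3].lower()]
    return {
        "zone": parts[0].upper(),
        "action": parts[1].upper(),
        "proto": proto_number(parts[2]),
        "port": port,
        # names such as DOMAIN_SERVERS are expanded like shell variables
        "src": ipaddress.ip_network(variables.get(src, src), strict=False),
        "dst": ipaddress.ip_network(variables.get(dst, dst), strict=False),
    }


def make_packet(src, dst, proto, dport=None):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def parse_drop_log(line):
    """Pull IN/OUT/SRC/DST/PROTO/DPT out of a [FIAIF_DROP] kernel log line."""
    f = dict(LOG_FIELD.findall(line))
    pkt = make_packet(f["SRC"], f["DST"], proto_number(f["PROTO"]),
                      int(f["DPT"]) if "DPT" in f else None)
    pkt["in"], pkt["out"] = f["IN"], f["OUT"]
    return pkt


def evaluate(zones, pkt, from_zone, to_zone):
    """Decision of the first matching FORWARD rule in zone.<to_zone>."""
    for rule in zones[to_zone]:
        if rule["zone"] not in ("ALL", from_zone):
            continue
        if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
            continue
        if rule["port"] is not None and rule["port"] != pkt["dport"]:
            continue
        if pkt["src"] not in rule["src"] or pkt["dst"] not in rule["dst"]:
            continue
        return rule["action"]
    return "DROP"                     # assumed default when nothing matches


def decide_logged_packet(line, zones):
    """Replay a dropped packet from the log against a (modified) rule set."""
    pkt = parse_drop_log(line)
    return evaluate(zones, pkt, IFACE_ZONE[pkt["in"]], IFACE_ZONE[pkt["out"]])


def build_policy(allow_pptp=True):
    """zone.ext and zone.dmz FORWARD rules in the style of the post."""
    zone_ext = [                      # traffic leaving towards the internet
        "INT ACCEPT ALL 0.0.0.0/0=>0.0.0.0/0",
        "DMZ ACCEPT TCP domain 0.0.0.0/0=>DOMAIN_SERVERS",
        "DMZ ACCEPT UDP domain 0.0.0.0/0=>DOMAIN_SERVERS",  # plain lookups are UDP
        "ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0",
    ]
    zone_dmz = []                     # traffic arriving in the DMZ
    if allow_pptp:
        # PPTP needs the TCP 1723 control channel plus GRE (protocol 47, no port)
        zone_dmz.append("EXT ACCEPT TCP pptp 203.0.113.10/32=>192.0.2.20/32")
        zone_dmz.append("EXT ACCEPT 47 203.0.113.10/32=>192.0.2.20/32")
    zone_dmz.append("ALL DROP ALL 0.0.0.0/0=>0.0.0.0/0")
    return {"EXT": [parse_rule(r, VARIABLES) for r in zone_ext],
            "DMZ": [parse_rule(r, VARIABLES) for r in zone_dmz]}


# Constructed log line with the same shape as the one quoted in the post.
SAMPLE_DROP = ("[FIAIF_DROP]:IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.0.2.20 "
               "LEN=57 TOS=0x00 PREC=0x00 TTL=113 ID=41658 PROTO=47")


if __name__ == "__main__":
    print("GRE without rule:", decide_logged_packet(SAMPLE_DROP, build_policy(False)))
    print("GRE with rule:   ", decide_logged_packet(SAMPLE_DROP, build_policy(True)))
    pol = build_policy()
    print("DMZ -> DOMAIN_SERVERS udp/53:",
          evaluate(pol, make_packet("192.0.2.20", "198.51.100.53", 17, 53), "DMZ", "EXT"))
    print("DMZ -> random host tcp/80:   ",
          evaluate(pol, make_packet("192.0.2.20", "203.0.113.99", 6, 80), "DMZ", "EXT"))
```

The interesting cases are the negative ones: with the DMZ rules in zone.ext limited to port 53 towards DOMAIN_SERVERS, a compromised DMZ host can neither fetch tools over HTTP nor talk DNS to an arbitrary outside resolver, while the INT zone is untouched. For the PPTP question, the replayed GRE packet is dropped by the catch-all until a rule with protocol 47 and no port is present, which is exactly the rule shape the reply recommends.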