Jack Byers wrote:
> Gordon:
> I have to say I am still not clear on how to use your variables.
OK. Based on your feedback, I can clearly see why some of the variables
don't make a lot of sense. I have updated the script, adding lots of
documentation on each of them. I've also fixed a bug in
hosts_allow/hosts_deny that I'd been forgetting to fix. Before
continuing to read my reply, please download the script again, and see
if it makes more sense.
ftp://duke.eburg.com/pub/linux/init.firewall
> It would help me enormously if you had specific identifications
> for your variables
> for a simple standard case: 1masqingbox, 1masqedbox
> -- a masqing linuxbox
> internet connection via eth0, say 299.888.1.1 or your choice
> with eth1 for internal lan say 192.168.1.1 or your choice
>
> -- a masqed computer on that internal lan with say ip 192.168.1.2
Set:
PARANOID_DEV="eth0"
MASQ_NET="192.168.1.0/24"
This will close nearly all of the open ports on eth0, and set up your
internal network for masquerading.
> you seem to have a mix of
> 192.168.1 for the masqnet 192.168.1.0/24
> 192.168.0 for a commented out #PARANOID_ADDR="192.168.0.2"
> 192.168.10 for a commented out #FORWARD_NET="192.168.10.0/24"
Sorry about that confusion. I have a DSL modem that does NAT, so my
publicly routable interface (eth1) is 192.168.0.2. I use "eth1" as the
value of PARANOID_DEV, so that I can run a bunch of services for my
internal network that I would cringe to leave open to the internet.
It's not as secure as having a physically separate firewall, but few
things are.
192.168.1.0 is, theoretically, an internal network which I wish to
masquerade.
192.168.10.0 is a very bad example of a network that I might (again, in
theory) want to provide standard routing services for, rather than MASQ.
These should be cleared up in the current script.
> is paranoidaddr intended as your masqingbox or the masqdbox?
Publicly available interface. The masq'ing box. The one that I'm
paranoid someone might try to break into :)
> your further response to kerryb didn't help me either:
> >FORWARD_NET should be used if you have a network that you want to do
> >plain routing on. MASQ_NET indicates a network that you want to
> >masquerade. Your network should only be listed under one of those.
>
> which 'your network' ?
Your internal network. This also should be made more clear in the
current script.
Thank you for taking the time to review the script. I hope your input
has helped me improve it quite a bit :)
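To make the three variables concrete (PARANOID_DEV locks down the public interface, MASQ_NET is NATed out through it, FORWARD_NET is routed without rewriting), here is an added example of how such settings could be turned into firewall rules. This is not Gordon's init.firewall script (it is not reproduced on this page) and the rule forms are my own assumptions, written for iptables/netfilter rather than whatever the original script used; the function prints the commands instead of running them so the resulting policy can be reviewed first.

```shell
#!/bin/sh
# Added example, not the init.firewall script from the thread. Assumed
# mapping of the three variables onto iptables rules (constructed values).
PARANOID_DEV="eth0"          # public-facing interface: the one to lock down
MASQ_NET="192.168.1.0/24"    # internal network to masquerade (source NAT)
FORWARD_NET=""               # internal network to route plainly, no NAT; empty = none

# A network should appear in only one of MASQ_NET / FORWARD_NET.
# Returns 0 when the settings are consistent, 1 otherwise.
check_vars() {
    masq="$1"; fwd="$2"
    if [ -n "$masq" ] && [ "$masq" = "$fwd" ]; then
        echo "error: $masq listed as both MASQ_NET and FORWARD_NET" >&2
        return 1
    fi
    return 0
}

# Emit the iptables commands for the given interface and networks.
# Printing rather than executing lets the rule set be inspected (and
# unit-tested) before it is applied to a live box.
build_rules() {
    dev="$1"; masq="$2"; fwd="$3"
    # Default-deny on the public side: nothing in, nothing forwarded.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this box itself opened are still allowed in.
    echo "iptables -A INPUT -i $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    if [ -n "$masq" ]; then
        # Anti-spoofing: a packet on the public interface must not claim an
        # internal source address.
        echo "iptables -A INPUT -i $dev -s $masq -j DROP"
        echo "iptables -A FORWARD -i $dev -s $masq -j DROP"
        # Masquerade the internal network behind the public interface's address.
        echo "iptables -t nat -A POSTROUTING -s $masq -o $dev -j MASQUERADE"
        echo "iptables -A FORWARD -s $masq -o $dev -j ACCEPT"
        echo "iptables -A FORWARD -d $masq -i $dev -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    if [ -n "$fwd" ]; then
        # Plain routing: forward in both directions, no address rewriting,
        # so this network must already be routable from the far side.
        echo "iptables -A FORWARD -s $fwd -o $dev -j ACCEPT"
        echo "iptables -A FORWARD -d $fwd -i $dev -j ACCEPT"
    fi
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Count how many emitted rules match a pattern (never fails, unlike grep -c).
count_rules() {
    dev="$1"; masq="$2"; fwd="$3"; pattern="$4"
    build_rules "$dev" "$masq" "$fwd" | awk -v p="$pattern" '$0 ~ p {n++} END {print n+0}'
}

# Stand-alone run: validate the settings, then print the rule set.
check_vars "$MASQ_NET" "$FORWARD_NET" && build_rules "$PARANOID_DEV" "$MASQ_NET" "$FORWARD_NET"
```

Run it as-is and it prints the rules for the simple one-masquerading-box case Jack asked about; pipe the output into sh only once you have read it. Swapping PARANOID_DEV for "eth1" gives the DSL-modem layout Gordon describes, where the NATed modem side is the interface treated as public.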