On Sat, 30 Sep 2000, Jack Bowling wrote:
> ** This was also posted to comp.os.linux.networking **
>
> I have recently fallen in love with the interactive dynamic firewall
> capabilities of the Firestarter firewall app for Gnome-enabled linux
> boxes. You can block everything (and it does this perfectly as
> tested at www.grc.com) and then watch the hit list and
> decide in real time which connections you will let through. A thing of
> beauty.
>
> However, having said that, I still feel that it is not in my best
> interests to have the firewall sitting on my production box. Instead, I
> would like to have my old trusty 486 box running a single floppy Coyote
> linux LRP based firewall and connect to it through a hub. THEN, I would
> like Firestarter to ALSO be running on my production box as a 2nd tier of
> defence...and almost more importantly as a real time monitor.
>
> Problem is that it does not seem to work. A check of running processes
> shows Firestarter running and configured to be monitoring my
> production box eth0 interface which is downstream of the firewall box.
> However, a port probe from www.grc.com shows that the port settings are
> being controlled by the upstream set of rules even though Firestarter is
> running.
>
> I am assuming that the downstream instance of ipchains rulesets is independent
> of the upstream ones. Am I overlooking something here, or am I just out
> of luck?
>
> Jack
>
I think you are overlooking something. Anything incoming that is blocked
by the upstream firewall will never make it to your production box. On
outgoing connections, if it is blocked on your production machine, it will
never make it to the firewall. So what happens is that for anything to
make it through, it has to pass both sets of rules. The rules are
independent as far as each machine is concerned, but not as far as any
connection to the Internet is concerned.
Another way to look at it is that each firewall is a set of filters, and
if something does not make it through the first filter, then the second
filter never "sees" it.
Mikkel
--
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
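The two-filters-in-series point Mikkel makes, modelled as an added example (not code from the thread): an inbound packet is checked by the upstream box before the downstream one, an outbound packet in the reverse order, and a filter only "sees" what the previous one accepted. The rule lists, addresses and port choices are constructed for illustration and are not real ipchains syntax.

```python
# Added example, not code from the thread: a small model of two packet
# filters in series (upstream Coyote box, downstream Firestarter box).
# Rule lists are constructed for illustration, not real ipchains syntax;
# first match wins and unmatched packets fall to a DENY chain policy.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def evaluate(chain, pkt):
    """Verdict of the first matching (proto, dport, verdict) rule, else DENY."""
    for proto, dport, verdict in chain:
        if proto in (pkt.proto, "any") and dport in (pkt.dport, None):
            return verdict
    return "DENY"

# Constructed rule sets: upstream admits only ssh, downstream also admits http;
# downstream blocks outbound smtp, upstream lets everything out.
UPSTREAM_INPUT = [("tcp", 22, "ACCEPT")]
DOWNSTREAM_INPUT = [("tcp", 22, "ACCEPT"), ("tcp", 80, "ACCEPT")]
DOWNSTREAM_OUTPUT = [("tcp", 25, "DENY"), ("any", None, "ACCEPT")]
UPSTREAM_OUTPUT = [("any", None, "ACCEPT")]

def traverse(filters, pkt):
    """Pass pkt through the filters in order, stopping at the first non-ACCEPT.
    Returns (name, verdict) for each filter that actually saw the packet."""
    path = []
    for name, chain in filters:
        verdict = evaluate(chain, pkt)
        path.append((name, verdict))
        if verdict != "ACCEPT":
            break
    return path

def inbound(pkt):
    """Internet -> production box: the upstream filter is consulted first."""
    return traverse([("upstream", UPSTREAM_INPUT), ("downstream", DOWNSTREAM_INPUT)], pkt)

def outbound(pkt):
    """Production box -> Internet: the downstream filter is consulted first."""
    return traverse([("downstream", DOWNSTREAM_OUTPUT), ("upstream", UPSTREAM_OUTPUT)], pkt)

def reachable(path):
    """True only when every filter on the path accepted the packet."""
    return all(verdict == "ACCEPT" for _, verdict in path)
```

An external probe of port 80 yields `[('upstream', 'DENY')]`: the downstream filter never appears on the path even though its own rules would admit the port, which is exactly why a probe from outside reports the upstream box's rules.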
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list