-----Original Message-----
From: Charles Galpin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, November 01, 2000 4:20 PM
Subject: status of ipchains regarding stateful firewalling
>I'm about to reconfigure my home network with a separate firewall box.
>It's been long overdue. I have a friend who runs a FreeBSD box as his
>firewall and was very impressed by the fact that it (ipfw I think) has a
>'stateful' firewall. It allows packets in that are a response to an
>internal request (at least that's my understanding of it - probably
>grossly oversimplified or butchered in some way). It *looks* like a
>simpler and tighter solution.
>
>Anyway, this has led me to be "tempted" to use it too. But before I go
>wasting a lot of time learning how to admin BSD (since the whole point is
>to be secure, I'd better get good at it too), I'd like to know where
>ipchains/linux stands on this issue for 2.2.x kernels. I've done some
>searching but haven't come up with much. I thought I'd read something
>about the 2.4 kernel supporting this.
>
Yep.. 2.2.x kernel and ipchains can do what you just described. I have a
setup like this here at work and at home.
Private net <---> Firewall box <----> Internet
With a few rules you can arrange it so that only responses to your requests
are allowed in. Something like these rules perhaps:
ipchains -P forward DENY                             ------ denies forwarding for the world.
ipchains -A input -i ppp0 -p TCP -y -j DENY          ------- refuses all connection attempts via your modem
ipchains -A forward -i eth0 -s 10.0.0.0/24 -j MASQ   ------ masquerades for 10.0.0.1-10.0.0.254 connections from eth0
You can do quite a bit more with it, but this is fairly solid and has worked
wonders for security for me. A longer explanation is in the
/usr/doc/ipchains directory. Hope this helps.
Jeff Hogg
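The "only responses to your requests are allowed in" behaviour that the `-y` rule above is meant to give, modelled as an added example (not code from the thread or from ipchains): constructed sample packets are checked against the SYN-only match that `ipchains -y` performs and, on the same traffic, against a minimal connection-tracking table of the kind a stateful firewall keeps. Interface names and addresses are constructed, and the masquerading address rewrite is left out.

```python
from dataclasses import dataclass

# Added illustration, not code from the thread.  Models the `-y` match of the
# `ipchains -A input -i ppp0 -p TCP -y -j DENY` rule (SYN set, ACK and FIN
# clear) beside a minimal connection-tracking table, and feeds constructed
# sample packets through both.  The masquerading address rewrite is ignored.

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on ("ppp0" = modem)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}

def is_syn_only(pkt):
    """The ipchains -y test: SYN set with ACK and FIN clear."""
    return "SYN" in pkt.flags and not ({"ACK", "FIN"} & pkt.flags)

def stateless_verdict(pkt, external="ppp0"):
    """The -y DENY rule on the modem interface; anything else is accepted."""
    if pkt.iface == external and is_syn_only(pkt):
        return "DENY"
    return "ACCEPT"

class ConnTracker:
    """Stateful model: remember flows started inside, admit only their replies."""
    def __init__(self, external="ppp0"):
        self.external = external
        self.flows = set()

    def verdict(self, pkt):
        if pkt.iface != self.external:          # outbound from the private net
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"                     # reply to a tracked flow
        return "DENY"                           # unsolicited inbound packet

def compare():
    """Constructed traffic (RFC 5737 addresses); returns {name: (stateless, stateful)}."""
    ct = ConnTracker()
    samples = [
        ("outbound", Packet("eth0", "10.0.0.5", 40000, "192.0.2.10", 80, frozenset({"SYN"}))),
        ("reply", Packet("ppp0", "192.0.2.10", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}))),
        ("new_conn", Packet("ppp0", "198.51.100.7", 3333, "10.0.0.5", 22, frozenset({"SYN"}))),
        ("stray_ack", Packet("ppp0", "198.51.100.7", 80, "10.0.0.5", 22, frozenset({"ACK"}))),
    ]
    return {name: (stateless_verdict(p), ct.verdict(p)) for name, p in samples}
```

The last sample is where the two models part ways: an inbound packet with only ACK set is not a connection attempt in the `-y` sense, so the input rule accepts it, while the tracking model denies it because no inside host opened that flow.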
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list