[NTLUG:Discuss] firewall script troubleshooting help needed.

Richard Geoffrion richard at rain.lewisville.tx.us
Mon Apr 16 12:44:00 CDT 2001


If the following rules are executed, all communications in and out of the
box stop. No internal hosts can ping either of the addresses on the Linux
server and the server can ping nothing...not even itself.

A subsequent 'ipfwadm -I -f; ipfwadm -F -f' and a re-issue of the old
commands (that do work) do not get the system running again. It takes an
'ipfwadm -I -p accept' to get the system going again, but DANG, I have
fewer things to ALLOW and MUCH to block. I'd rather my default policy be
deny! I suppose that means when you flush the firewall rules, you DON'T
necessarily change the default policy.

So...any clues as to why communications stop with this ruleset?

Information upon which I have based my rules...

Incoming DNS queries only need UDP port 53 to respond.
Internal network address is 10.1.61.0/24
External network address is 64.218.3.104/29
Linux firewall/web/smtp/pop3/imap box is address 10.1.61.251/24 (internal) &
64.218.3.105/32 (external)

[firewall]
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_restrict_rst
echo 1 > /proc/sys/net/ipv4/udp_restrict_pu
echo 1 > /proc/sys/net/ipv4/icmp_restrict
echo 1 > /proc/sys/net/ipv4/igmp_restrict
#change default forwarding policy to deny
ipfwadm -F -p deny
#allow masq forwarding from inside the network.
ipfwadm -F -a m -b -S 10.1.61.0/24 -D 0.0.0.0/0
#change default input firewall to deny
ipfwadm -I -p deny
#allow internal hosts to reach any netbios name service that may be plugged in on the local external network.
ipfwadm -I -a accept -k -P tcp -S 10.1.61.0/24 -D 64.218.3.104/29 netbios-ssn netbios-ns netbios-dgm
#allow external hosts to access ftp,ssh,smtp,web,pop3,imap (NOT DNS)
ipfwadm -I -a accept -k -V eth0 -P tcp -S 0.0.0.0/0 -D 64.218.3.105/32 21 22 25 80 110 143
#Allow access to UDP dns requests
ipfwadm -I -a accept -P udp -S 0.0.0.0/0 -D 64.218.3.105/32 53
[/firewall]
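A small model of the ipfwadm input chain, added here as an example and not part of the original post, for tracing what the posted -I rules do with a few constructed packets. It assumes ipfwadm's documented semantics: rules are checked in order and the first match wins, the -p policy applies when nothing matches, -f flushes the rules but leaves the policy alone, and -k matches only TCP packets with the ACK flag set; the -V interface selector is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str                   # "accept" or "deny"
    proto: Optional[str] = None   # -P: "tcp", "udp", "icmp"; None = any
    src: str = "0.0.0.0/0"        # -S
    dst: str = "0.0.0.0/0"        # -D
    dports: Tuple[int, ...] = ()  # trailing port list; empty = any port
    ack_only: bool = False        # -k: only TCP packets with ACK set match

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (not self.dports or pkt.get("dport") in self.dports)
                and (not self.ack_only or bool(pkt.get("ack"))))

class InputChain:
    """ipfwadm -I chain: first matching rule wins, else the policy applies.
    The interface selector (-V) is not modelled (assumption of this example)."""
    def __init__(self) -> None:
        self.policy = "accept"    # kernel default before any -p
        self.rules: List[Rule] = []
    def set_policy(self, policy: str) -> None:  # ipfwadm -I -p <policy>
        self.policy = policy
    def append(self, rule: Rule) -> None:       # ipfwadm -I -a <action> ...
        self.rules.append(rule)
    def flush(self) -> None:                    # ipfwadm -I -f
        self.rules = []           # rules are gone; the policy is untouched
    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.policy

def posted_input_chain() -> InputChain:
    """The three -I rules from the post (netbios-ns/dgm/ssn = 137/138/139)."""
    chain = InputChain()
    chain.set_policy("deny")
    chain.append(Rule("accept", "tcp", "10.1.61.0/24", "64.218.3.104/29",
                      (137, 138, 139), ack_only=True))
    chain.append(Rule("accept", "tcp", "0.0.0.0/0", "64.218.3.105/32",
                      (21, 22, 25, 80, 110, 143), ack_only=True))
    chain.append(Rule("accept", "udp", "0.0.0.0/0", "64.218.3.105/32", (53,)))
    return chain
```

Under this model a packet opening a new TCP connection to port 22 (SYN, no ACK), any ICMP packet and any loopback packet all fall through to the deny policy, and flushing with -f leaves that policy in place.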
