Laurie Brown laurie@brownowl.com wrote:
Barry Samuels wrote:
I have a firewall set up on my machine which was put in place by PMFirewall. Very easy for people like me who cannot understand ipchains or its documentation.
However it has left me with a small problem. When running the PMFirewall setup it asks if my local network needs access to the internet. I answered 'No' on the basis that only one machine needs access. Now I find that when the firewall is running machines on the local network are denied access to the machine running the firewall.
Can some clever firewall guru tell me what to alter to give access to this machine from the local network when the firewall is running? These other machines do not need to access the Internet.
As an aside I'm still hoping for a meeting somewhere near me (10 miles South East of Colchester).
Best wishes to all.
Barry Samuels
You'll need to post the script that set up the firewall, so we can see what's being set. Try "ipchains -L>file.name" and post file.name to the list, for a start.
Cheers, Laurie.
Below are the scripts set up by PMFirewall:
===============================================================
#!/bin/sh
# pmfirewall.conf - used by pmfirewall package
IPCHAINS=/sbin/ipchains
ATBOOT=0
CONFIG_DIR=/usr/local/pmfirewall
OUTERIF=ppp0
REMOTENET=0/0
OUTERIP=`ifconfig $OUTERIF | grep inet | cut -d : -f 2 | cut -d ' ' -f 1`
OUTERMASK=`ifconfig $OUTERIF | grep Mas | cut -d : -f 4`
OUTERNET=$OUTERIP/$OUTERMASK
===============================================================
#!/bin/sh
# pmfirewall.rules.1 used by pmfirewall package
#
#### Start Firewall ####

## Allow loopback interface
$IPCHAINS -A input -i lo -s 0/0 -d 0/0 -j ACCEPT
$IPCHAINS -A output -i lo -s 0/0 -d 0/0 -j ACCEPT

# Allow packets with ack bit set, they are from an established connection.
$IPCHAINS -A input ! -y -p tcp -s $REMOTENET -d $OUTERNET -j ACCEPT

# Block incoming IP Spoofing
# Turn on Source Address Verification
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for f in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $f
    done
fi

# Turn on SYN COOKIES PROTECTION (Thanks Holger!)
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
then
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi

# Now read pmfirewall.rules.local
===============================================================
#!/bin/sh
# pmfirewall.rules.local
# ver.PM1 (do not remove this line)

### BEGIN SYSTEM DEFAULTS ###

# Block Nonroutable IP's from entering on the External Interface
$IPCHAINS -A input -j DENY -s 10.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 127.0.0.0/8 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 172.16.0.0/12 -d $OUTERNET -i $OUTERIF
$IPCHAINS -A input -j DENY -s 192.168.0.0/16 -d $OUTERNET -i $OUTERIF

# - Specific port blocks on the external interface -
# This section blocks off ports/services to the outside that have
# vulnerabilities. This will not affect the ability to use these services
# within your network.
#

# Back Orifice (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31337 -j DENY -l

# NetBus (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 12345:12346 -j DENY -l

# Trin00 (logged)
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 1524 -j DENY -l
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 27665 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 27444 -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 31335 -j DENY -l

# Multicast
$IPCHAINS -A input -s 224.0.0.0/8 -d $REMOTENET -j DENY
$IPCHAINS -A input -s $REMOTENET -d 224.0.0.0/8 -j DENY

### END SYSTEM DEFAULTS ###

#### EXAMPLES ###

### ALLOWED NETWORKS
# Add in any rules to specifically allow connections from hosts/nets that
# would otherwise be blocked.
#$IPCHAINS -A input -s [trusted host/net] -d $OUTERNET <ports> -j ACCEPT

### BLOCKED NETWORKS
# Add in any rules to specifically block connections from hosts/nets that
# have been known to cause problems. These packets are logged.
#$IPCHAINS -A input -s [banned host/net] -d $OUTERNET <ports> -j DENY -l

### BLOCK ICMP ATTACKS
#
#$IPCHAINS -A input -b -i $OUTERIF -p icmp -s [host/net] -d $OUTERNET -j DENY -l

#### END OF EXAMPLES ###

### AUTOMATICALLY GENERATED BY THE INSTALL SCRIPT ###

#DHCP CLIENT BLOCK
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 67:68 -i $OUTERIF -j DENY
#IDENTD
$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 113 -j REJECT
$IPCHAINS -A input -p udp -s $REMOTENET -d $OUTERNET 113 -j REJECT
#NETBIOS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 137:139 -i $OUTERIF -j DENY
#RIP
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 520 -i $OUTERIF -j REJECT
#NFS
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 2049 -i $OUTERIF -j DENY -l
#XSERVER
$IPCHAINS -A input -p tcp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
$IPCHAINS -A input -p udp -s $REMOTENET -d $REMOTENET 5999:6003 -i $OUTERIF -j DENY
===============================================================
#!/bin/sh
#pmfirewall.rules.masq - used by pmfirewall package
#

## Masquerading

## Modules to help certain services
/sbin/depmod -a >/dev/null 2>&1
/sbin/modprobe ip_masq_ftp >/dev/null 2>&1
/sbin/modprobe ip_masq_raudio >/dev/null 2>&1
/sbin/modprobe ip_masq_irc >/dev/null 2>&1
/sbin/modprobe ip_masq_icq >/dev/null 2>&1
/sbin/modprobe ip_masq_quake >/dev/null 2>&1
/sbin/modprobe ip_masq_user >/dev/null 2>&1
/sbin/modprobe ip_masq_vdolive >/dev/null 2>&1

## Masquerading firewall timeouts: tcp conns 8hrs, tcp after fin pkt 60s, udp 10min
$IPCHAINS -M -S 14400 60 600

## Set up kernel to enable IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward

## Set up kernel to handle dynamic IP masquerading
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

## Don't Masquerade internal-internal traffic
$IPCHAINS -A forward -s $INTERNALNET -d $INTERNALNET -j ACCEPT

## Don't Masquerade external interface direct
$IPCHAINS -A forward -s $OUTERNET -d $REMOTENET -j ACCEPT

## Masquerade all internal IP's going outside
$IPCHAINS -A forward -s $INTERNALNET -d $REMOTENET -j MASQ

## Set Default rule on MASQ chain to Deny
$IPCHAINS -P forward DENY

## Allow all connections from the network to the outside
$IPCHAINS -A input -s $INTERNALNET -d $REMOTENET -j ACCEPT
$IPCHAINS -A output -s $INTERNALNET -d $REMOTENET -j ACCEPT

# This section manipulates the Type Of Service (TOS) bits of the
# packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
# in your kernel

# Set telnet, www, smtp, pop3 and FTP for minimum delay
$IPCHAINS -A output -p tcp -d 0/0 80 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 22 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 23 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 21 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 110 -t 0x01 0x10
$IPCHAINS -A output -p tcp -d 0/0 25 -t 0x01 0x10

# Set ftp-data for maximum throughput
$IPCHAINS -A output -p tcp -d 0/0 20 -t 0x01 0x08

# Allow outgoing ICMP
$IPCHAINS -A output -p icmp -s $INTERNALNET -d $REMOTENET -j ACCEPT
===============================================================
That's the lot.
I've included the masquerading although I don't use masquerading. I didn't know whether it would be important or not.
I hope it all makes sense to somebody.
Barry Samuels
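The question in the thread (LAN hosts reaching the firewall host while the LAN stays off the Internet) maps onto the ALLOWED NETWORKS section of pmfirewall.rules.local, where ipchains' first-match order puts a rule ahead of any catch-all deny. The script below is an added example, not part of the thread or of PMFirewall; INTERNALIF and INTERNALNET are assumed names (the posted pmfirewall.conf defines neither, although rules.masq refers to INTERNALNET), and 192.168.1.0/24 is a constructed sample subnet.

```shell
#!/bin/sh
# Added example, not PMFirewall code: rules for the ALLOWED NETWORKS section
# of pmfirewall.rules.local that let LAN hosts reach the firewall host itself.
# No forward rule and no MASQ are added, so the LAN still cannot reach the
# Internet through this box.
# INTERNALIF and INTERNALNET are assumed names; set them to your LAN
# interface and subnet (192.168.1.0/24 below is a constructed sample).
IPCHAINS=${IPCHAINS:-/sbin/ipchains}
INTERNALIF=${INTERNALIF:-eth0}
INTERNALNET=${INTERNALNET:-192.168.1.0/24}

# With DRYRUN=1 the rules are printed rather than applied, so they can be
# reviewed on a machine without ipchains (and without root).
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

lan_to_firewall_rules() {
    # Match on the interface as well as the source address: a rule keyed on
    # the source alone would also accept a packet arriving on $OUTERIF that
    # merely claims a LAN address. The nonroutable DENY rules in SYSTEM
    # DEFAULTS already catch that on ppp0, but being explicit costs nothing.
    run "$IPCHAINS" -A input -i "$INTERNALIF" -s "$INTERNALNET" -d 0/0 -j ACCEPT
    # Replies back to the LAN. -d 0/0 on the input rule is acceptable only
    # because forwarding is not enabled, so the firewall host is the only
    # destination a LAN packet can actually reach.
    run "$IPCHAINS" -A output -i "$INTERNALIF" -s 0/0 -d "$INTERNALNET" -j ACCEPT
}

# Apply for real when ipchains is present; otherwise just show the rules.
if [ -x "$IPCHAINS" ]; then
    lan_to_firewall_rules
else
    DRYRUN=1
    lan_to_firewall_rules
fi
```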