[LUAU] ipfwadm -W

Mark Robinson sleepdoc at usa.net
Wed Jun 30 18:22:04 PDT 1999


Correct, lo not connected to the dhcpc client, just telegraphic bad grammar.
I was looking at lo because it was easy to isolate. -le did work, thanks.



-----Original Message-----
From: Chris Wong <wongc at math.ed.hawaii.edu>
To: luau <luau at luau.hi.net>
Date: Wednesday, June 30, 1999 2:52 PM
Subject: Re: [LUAU] ipfwadm -W


>On Wed, 30 Jun 1999, Mark Robinson wrote:
>
>> Hi, I have a small LAN that works well with wide open forwarding and
>> masq through my RR box (RH5.2).
>
>> I have been trying to work up a firewall using ipfwadm and the Firewall
>> tool at http://rlz.ne.mediaone.net/linux/firewall/index.html
>> 
>> I think I understand the filter concept, but am having trouble with one
>> of the rule styles the firewall tool generates. It sets a variable
>> EXTERNAL_INTERFACE ="eth0". This is the interface used with DHCPC that
>> connects to RR, or LOOPBACK_INTERFACE= "lo". It uses the following
>> syntax:
>
>Correct me if I'm wrong but lo should NOT be connected to the dhcpcd
>interface.
>
>> ipfwadm -O -a accept -W $LOOPBACK_INTERFACE .
>> 
>> Comment for this line says "Unlimited trafic on loopback interface."
>> 
>> I understand this to say accept any packets from the loopback
>> interface destined for anywhere.
>
>Actually, it's an output chain. It'll allow any traffic on the loopback.
>It is kind of what you want.
>
>> When I list the resulting rule: ipfwadm -O -l, I get:
>> 
>> acc all anywhere  anywhere.
>
>yep. ipfwadm -O -l does NOT list the interface specific info
>try ipfwadm -O -l -e
>
>> I think the problem is in the use of the -W parameter. This is
>> supposed to designate the name of an interface, but it is not able to
>> evaluate lo so it defaults to anywhere. The gateway box knows about
>> lo,eth0,eth1 according to ifconfig, and they are active. So any ideas
>> as to what -W name is supposed to evaluate to? IP Address? I can edit
>> the script to do so , but how do you think it is supposed to work?
>
>Seems to be okay. Personally it's redundant to add some chains to an
>interface that allows all traffic.
>
>I believe you're supposed to be looking at eth1's firewalling rules.
>
>If you so choose, pass your entire firewall script for me to look at.
>
>--
>chris
>
>
>--
>-     __   __  __________  __
>-    / /  / / / / __  / / / /  Home Page: http://luau.hi.net
>-   / /__/ /_/ / /_/ / /_/ /
>-  /____/\____/_/ /_/\____/  LUAU - Linux Users AnonymoUs - Hawaii
>
>-   To unsubscribe: echo unsubscribe luau | mail majordomo at luau.hi.net
>-           LUAU meetings are the 3rd Tuesday of each month 6pm
>-                   Manoa Innovation Center Meeting Room
