Router help request

MonMotha monmotha at indy.rr.com
Sat Dec 29 21:26:01 PST 2001


Only replying to the firewall part...  You don't need to use MAC address 
stuff, though if you do it will override anything done by IP address. 
Most people can just ignore the MAC address stuff and do everything by IP.

As for SynCookies, they horribly break the TCP spec, so I disabled them 
by default (they used to be enabled by default in my firewall), but can 
be useful to protect against the isolated SynFlood.

--MonMotha

beesond001 at hawaii.rr.com wrote:

> To all,
> 
> 	Thanks in advance for your help.  I apologize for the long-winded
> reply.  I think I may be able to figure this out, but I want to make
> sure that I get it mostly right before I go fiddling with
> everything....  Here's what I am trying to do:
> 
> (I hope this picture looks OK...) 
> 
.......
> 
> 	Now for the firewall stuff.  I have copied a few lines from the top of
> the MonMotha Firewall 2.3.8-pre2 that I am trying to get to work with
> my router. I would like to know from the experts out there if this
> looks correct and whether or not I should delete the MAC_MASQ section
> and just not use it...  Also, is it worth the while to turn
> USE_SYNCOOKIES on?  My current firewall has SYNCOOKIE protection turned
> on, but I don't know enough about SYNCOOKIES to know whether this is
> already sufficiently addressed in the MonMotha firewall. 
> 
>   
> 
> 
> # Main configuration, modify to suit your setup.  Help can be found at:
> #    http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
> #
> # set to your iptables location, must be set -- this is set /sbin/iptables for the router -- Ben
> IPTABLES="/sbin/iptables"
> #
> #
> TCP_ALLOW="22"                                  # TCP ports to allow
> UDP_ALLOW="68 6112 6119 4000"                   # UDP ports to allow
> INET_IFACE="eth0"                               # the interface your internet's on (one only), must be set
> LAN_IFACE="eth1"                                # the interface your LAN's on (one only)
> INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24"    # The internal LAN (including DMZs but not censored hosts)
> MASQ_LAN="192.168.0.0/24 192.168.1.0/24"        # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
> #
> # Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
> #
> SNAT_LAN=""
> #
> #
> # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP),
> # LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset),
> # ULDROP (ULOG and DROP)
> DROP="TREJECT"
> #
> DENY_ALL=""                                     # Internet hosts to explicitly deny from accessing your system at all
> DENY_HOSTWISE_TCP=""                            # Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
> DENY_HOSTWISE_UDP=""                            # Specific hosts to deny access to specific UDP ports; format is "IP>PORT"
> 
> # People you don't want to have anything to do with (equivalent of my old TK_DROP).  This is a bidirectional drop.
> BLACKHOLE=""
> BLACKHOLE_DROP="DROP"                           # What to do for the blackholes (same options as DROP directive above)
> ALLOW_ALL=""                                    # Internet hosts to explicitly allow full access to your system
> ALLOW_HOSTWISE_TCP=""                           # Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
> ALLOW_HOSTWISE_UDP=""                           # Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
> TCP_FW=""                                       # TCP port forwards, form is "SPORT:DPORT>IP"
> UDP_FW=""                                       # UDP port forwards, form is "SPORT:DPORT>IP"
> MANGLE_TOS_OPTIMIZE="TRUE"                      # TOS "optimizations" on or off (TRUE/FALSE toggle)
> ENABLE="Y"                                      # Set to 'Y' when it's configured; this is for your own safety
> 
> # Flood Params.  You will still receive the packets and the bandwidth will be used, but this will cause floods to be
> # ignored (useful against SYNFLOODS especially)
> 
> # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
> LOG_FLOOD="2/s"
> #
> # GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
> SYN_FLOOD="20/s"
> #
> #
> PING_FLOOD="1/s"                                # GLOBAL limit on ICMP echo-requests to reply to
> #
> # Outbound filters (they work, but are of limited functionality), probably better to use a proxy here
> # Internal hosts allowed to be forwarded out on TCP
> # (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
> 
> ALLOW_OUT_TCP=""
> 
> #
> #
> # Below here is experimental (please report your successes/failures)
> # MAC addresses permitted to use masquerading, leave blank to not use
> # VALinux box 1 & 2, Sparc box, wireless hub, windoze box, macintosh
> #
> MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6 00:90:D1:01:28:1C 00:90:D1:05:E0:C3"
> #
> #
> # MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
> MAC_SNAT=""
> #
> #
> # How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
> TTL_SAFE=""
> #
> USE_SYNCOOKIES="FALSE"                          # TCP SynCookies on or off (TRUE/FALSE toggle)
> RP_FILTER="TRUE"                                # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
> ACCEPT_SOURCE_ROUTE="FALSE"                     # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
> PROXY=""                                        # Redirect for Squid or other transparent proxy. Syntax to specify the proxy is "host:port".
> 
> # Set to true if you run a DHCP server. DHCP clients do not need this.
> # This allows broadcasts to the server from potential clients on the LAN to succeed.
> # MUST DEFINE LAN_IFACE IF YOU USE THIS!
> #
> DHCP_SERVER="TRUE"
> #
> #
> BAD_ICMP="5 9 10 15 16 17 18"                   # ICMP messages to NOT allow in from internet
> 
> # Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
> # Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!
> DMZ_IFACE=""
> #
> #
> #  Output an identifier message..
> #
> echo  "This is it...MonMotha's Firewall 2.3.8-pre2!"
> echo  "All your h4x0rZ belong to Linux/Netfilter!"
> #
> 
> 
> Thanks again, 
> 
> Ben 
> 
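Added example, not code from MonMotha's firewall and not part of either message above: a small POSIX sh generator that turns a handful of the quoted directives (the TRUE/FALSE toggles behind USE_SYNCOOKIES and RP_FILTER, the "20/s" flood rates, the "IP>PORT" and "SPORT:DPORT>IP" syntaxes, and the "MAC_MASQ overrides MASQ_LAN" behaviour MonMotha describes) into iptables and sysctl commands. It only prints the commands, so it runs without root on any box. How the real 2.3.8-pre2 script builds its rules is not on the page; the rule shapes here are one plausible way, and all addresses, ports and the sample MAC list are constructed values.

```shell
#!/bin/sh
# Added example (not MonMotha's firewall). Prints iptables/sysctl commands
# derived from config-style variables; nothing is applied to the kernel.

IPTABLES="/sbin/iptables"
INET_IFACE="eth0"
LAN_IFACE="eth1"
# Constructed sample values in the quoted config's syntax.
MASQ_LAN="192.168.0.0/24 192.168.1.0/24"
MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11"
ALLOW_HOSTWISE_TCP="192.0.2.10>22 192.0.2.11>80"

# TRUE/FALSE toggle -> sysctl value (USE_SYNCOOKIES, RP_FILTER, ACCEPT_SOURCE_ROUTE).
toggle_value() {
    case "$1" in
        TRUE)  echo 1 ;;
        FALSE) echo 0 ;;
        *)     echo "bad toggle: $1" >&2; return 1 ;;
    esac
}

# Print the sysctl command for one kernel knob driven by a toggle.
sysctl_cmd() {
    v=$(toggle_value "$2") || return 1
    printf 'sysctl -w %s=%s\n' "$1" "$v"
}

# Accept a rate such as "20/s" or "2/minute": a count and a prefix of
# second/minute/hour/day, which is what iptables -m limit --limit parses.
valid_rate() {
    n=${1%%/*}; u=${1#*/}
    [ "$1" != "$n" ] || return 1                 # no '/' at all
    case "$n" in ''|*[!0-9]*) return 1 ;; esac   # count must be digits
    [ -n "$u" ] || return 1                      # empty unit would match anything
    for unit in second minute hour day; do
        case "$unit" in "$u"*) return 0 ;; esac
    done
    return 1
}

# SYN_FLOOD="20/s": accept new TCP connections from the internet up to the
# rate and drop the overflow. Global, not per source IP, as the config says.
syn_limit_rules() {
    valid_rate "$1" || { echo "bad rate: $1" >&2; return 1; }
    printf '%s -A INPUT -i %s -p tcp --syn -m limit --limit %s -j ACCEPT\n' \
        "$IPTABLES" "$INET_IFACE" "$1"
    printf '%s -A INPUT -i %s -p tcp --syn -j DROP\n' "$IPTABLES" "$INET_IFACE"
}

# One "IP>PORT" entry (ALLOW_HOSTWISE_*/DENY_HOSTWISE_* syntax) -> INPUT rule.
# $1 = tcp|udp, $2 = entry, $3 = target
hostwise_rule() {
    host=${2%%>*}; port=${2#*>}
    printf '%s -A INPUT -i %s -p %s -s %s --dport %s -j %s\n' \
        "$IPTABLES" "$INET_IFACE" "$1" "$host" "$port" "$3"
}

# One "SPORT:DPORT>IP" entry (TCP_FW/UDP_FW syntax) -> DNAT + FORWARD rules.
forward_rules() {
    spec=${2%%>*}; ip=${2#*>}
    sport=${spec%%:*}; dport=${spec#*:}
    printf '%s -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$INET_IFACE" "$1" "$sport" "$ip" "$dport"
    printf '%s -A FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$IPTABLES" "$INET_IFACE" "$1" "$ip" "$dport"
}

# Masquerading with "MAC_MASQ overrides MASQ_LAN": when MACs are listed only
# frames from those MACs are forwarded out (the mac match is valid in FORWARD,
# not POSTROUTING); otherwise forwarding is allowed by source network.
# $1 = MASQ_LAN list, $2 = MAC_MASQ list
masq_rules() {
    if [ -n "$2" ]; then
        for mac in $2; do
            printf '%s -A FORWARD -i %s -o %s -m mac --mac-source %s -j ACCEPT\n' \
                "$IPTABLES" "$LAN_IFACE" "$INET_IFACE" "$mac"
        done
    else
        for net in $1; do
            printf '%s -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
                "$IPTABLES" "$LAN_IFACE" "$INET_IFACE" "$net"
        done
    fi
    printf '%s -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$IPTABLES" "$INET_IFACE"
}

# Demo run with the constructed values above.
sysctl_cmd net.ipv4.tcp_syncookies FALSE
sysctl_cmd net.ipv4.conf.all.rp_filter TRUE
syn_limit_rules "20/s"
for e in $ALLOW_HOSTWISE_TCP; do hostwise_rule tcp "$e" ACCEPT; done
forward_rules tcp "8080:80>192.168.0.5"
masq_rules "$MASQ_LAN" "$MAC_MASQ"
```

Run it as `sh gen.sh` and read the output; the `masq_rules` call shows the override in action, because with MAC_MASQ non-empty the two MASQ_LAN networks never appear in a rule, which is exactly why someone who does not need MAC-based control is better off leaving MAC_MASQ blank.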


