Router help request
beesond001 at hawaii.rr.com
Sun Dec 30 18:54:27 PST 2001
MonMotha,
Thanks for your help. I'll fix the MAC address stuff tonite.
VR,
Ben
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 12/29/01, 7:26:01 PM, MonMotha <monmotha at indy.rr.com> wrote regarding [luau] Re:Router help request:
> Only replying to the firewall part... You don't need to use MAC address
> stuff, though if you do it will override anything done by IP address.
> Most people can just ignore the MAC address stuff and do everything by IP.
> As for SynCookies, they horribly break the TCP spec, so I disabled them
> by default (they used to be enabled by default in my firewall), but can
> be useful to protect against the isolated SynFlood.
> --MonMotha
> beesond001 at hawaii.rr.com wrote:
> > To all,
> >
> > Thanks in advance for your help. I apologize for the long winded
> > reply. I think I may be able to figure this out, but I want to make
> > sure that I get it mostly right before I go fiddling with
> > everything.... Here's what I am trying to do:
> >
> > (I hope this picture looks OK...)
> >
> .......
> >
> > Now for the firewall stuff. I have copied a few lines from the top of
> > the MonMotha Firewall 2.3.8-pre2 that I am trying to get to work with
> > my router. I would like to know from the experts out there if this
> > looks correct and whether or not I should delete the MAC_MASQ section
> > and just not use it... Also, is it worth the while to turn
> > USE_SYNCOOKIES on? My current firewall has SYNCOOKIE protection turned
> > on, but I don't know enough about SYNCOOKIES to know whether this is
> > already sufficiently addressed in the MonMotha firewall.
> >
> >
> >
> >
> > # Main configuration, modify to suit your setup. Help can be found at:
> > # http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
> > #
> > # set to your iptables location, must be set -- this is set /sbin/iptables for the router -- Ben
> > IPTABLES="/sbin/iptables"
> > #
> > #
> > TCP_ALLOW="22" # TCP ports to allow
> > UDP_ALLOW="68 6112 6119 4000" # UDP ports to allow
> > INET_IFACE="eth0" # the interface your internet's on (one only), must be set
> > LAN_IFACE="eth1" # the interface your LAN's on (one only)
> > INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24" # The internal LAN (including DMZs but not censored hosts)
> > MASQ_LAN="192.168.0.0/24 192.168.1.0/24" # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
> > #
> > # Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
> > #
> > SNAT_LAN=""
> > #
> > #
> > # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP),
> > # LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset),
> > # ULDROP (ULOG and DROP)
> > DROP="TREJECT"
> > #
> > DENY_ALL="" # Internet hosts to explicitly deny from accessing your system at all
> > DENY_HOSTWISE_TCP="" # Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
> > DENY_HOSTWISE_UDP="" # Specific hosts to deny access to specific UDP ports; format is "IP>PORT"
> >
> > # People you don't want to have anything to do with (equivalent of my old TK_DROP). This is a bidirectional drop.
> > BLACKHOLE=""
> > BLACKHOLE_DROP="DROP" # What to do for the blackholes (same options as DROP directive above)
> > ALLOW_ALL="" # Internet hosts to explicitly allow full access to your system
> > ALLOW_HOSTWISE_TCP="" # Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
> > ALLOW_HOSTWISE_UDP="" # Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
> > TCP_FW="" # TCP port forwards, form is "SPORT:DPORT>IP"
> > UDP_FW="" # UDP port forwards, form is "SPORT:DPORT>IP"
> > MANGLE_TOS_OPTIMIZE="TRUE" # TOS "optimizations" on or off (TRUE/FALSE toggle)
> > ENABLE="Y" # Set to 'Y' when it's configured; this is for your own safety
> >
> > # Flood Params. You will still receive the packets and the bandwidth will be used, but this will cause floods to be
> > # ignored (useful against SYNFLOODS especially)
> >
> > # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
> > LOG_FLOOD="2/s"
> > #
> > # GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
> > SYN_FLOOD="20/s"
> > #
> > #
> > PING_FLOOD="1/s" # GLOBAL limit on ICMP echo-requests to reply to
> > #
> > # Outbound filters (they work, but are of limited functionality), probably better to use a proxy here
> > # Internal hosts allowed to be forwarded out on TCP
> > # (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
> >
> > ALLOW_OUT_TCP=""
> >
> > #
> > #
> > # Below here is experimental (please report your successes/failures)
> > # MAC addresses permitted to use masquerading, leave blank to not use
> > #VALinux box 1 & 2, Sparc box, wireless hub, windoze box, macintosh
> > #
> > MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6 00:90:D1:01:28:1C 00:90:D1:05:E0:C3 "
> > #
> > #
> > # MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
> > MAC_SNAT=""
> > #
> > #
> > # How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
> > TTL_SAFE=""
> > #
> > USE_SYNCOOKIES="FALSE" # TCP SynCookies on or off (TRUE/FALSE toggle)
> > RP_FILTER="TRUE" # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
> > ACCEPT_SOURCE_ROUTE="FALSE" # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
> > PROXY="" # Redirect for Squid or other transparent proxy. Syntax to specify the proxy is "host:port".
> >
> > # Set to true if you run a DHCP server. DHCP clients do not need this.
> > # This allows broadcasts to the server from potential clients on the LAN to succeed.
> > # MUST DEFINE LAN_IFACE IF YOU USE THIS!
> > #
> > DHCP_SERVER="TRUE"
> > #
> > #
> > BAD_ICMP="5 9 10 15 16 17 18" # ICMP messages to NOT allow in from internet
> >
> > # Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
> > # Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!
> > DMZ_IFACE=""
> > #
> > #
> > # Output an identifier message..
> > #
> > echo "This is it...MonMotha's Firewall 2.3.8-pre2!"
> > echo "All your h4x0rZ belong to Linux/Netfilter!"
> > #
> >
> >
> > Thanks again,
> >
> > Ben
> >
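As an added example (not MonMotha's own firewall code, which is not on this page beyond its configuration), the script below shows how the flood parameters in Ben's config could map to netfilter rules: a global token-bucket limit on inbound SYNs and echo-requests, and SYN cookies as a kernel sysctl rather than an iptables rule. The values are taken from the config above; the rule shapes and the echo-based dry run are assumptions.

```shell
#!/bin/sh
# Added example, not part of the MonMotha firewall. Values assumed from
# Ben's quoted config: SYN_FLOOD="20/s", PING_FLOOD="1/s", USE_SYNCOOKIES="FALSE".
SYN_FLOOD="20/s"
PING_FLOOD="1/s"
USE_SYNCOOKIES="FALSE"
INET_IFACE="eth0"

# Print the rules instead of applying them, so this runs without root.
# Set IPTABLES="/sbin/iptables" to apply them for real.
IPTABLES="echo iptables"

# Global SYN rate limit: new TCP connections arriving faster than
# SYN_FLOOD (burst 5, the limit module default) are dropped.
# "-m limit" is one bucket for the whole interface, not per source IP,
# which is why the config comment says servers need higher rates.
syn_flood_rules() {
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp --syn \
        -m limit --limit "$SYN_FLOOD" -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p tcp --syn -j DROP
}

# Same pattern for ICMP echo-requests (PING_FLOOD).
ping_flood_rules() {
    $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp --icmp-type echo-request \
        -m limit --limit "$PING_FLOOD" -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -p icmp --icmp-type echo-request -j DROP
}

# SYN cookies are a kernel setting (net.ipv4.tcp_syncookies), not a rule.
# Returns the value that would be written for the TRUE/FALSE toggle.
syncookies_value() {
    if [ "$USE_SYNCOOKIES" = "TRUE" ]; then echo 1; else echo 0; fi
}

syn_flood_rules
ping_flood_rules
echo "echo $(syncookies_value) > /proc/sys/net/ipv4/tcp_syncookies"
```

With USE_SYNCOOKIES left at FALSE as in Ben's config, only the rate limits protect the router; the limit is shared by all sources, so a single noisy host can make the box drop legitimate SYNs from everyone else.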