Router help request

beesond001 at hawaii.rr.com beesond001 at hawaii.rr.com
Sun Dec 30 18:54:27 PST 2001


MonMotha,

	Thanks for your help.  I'll fix the MAC address stuff tonight.


VR,

Ben 

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 12/29/01, 7:26:01 PM, MonMotha <monmotha at indy.rr.com> wrote regarding 
[luau] Re:Router help request:


> Only replying to the firewall part...  You don't need to use MAC address
> stuff, though if you do it will override anything done by IP address.
> Most people can just ignore the MAC address stuff and do everything by IP.

> As for SynCookies, they horribly break the TCP spec, so I disabled them
> by default (they used to be enabled by default in my firewall), but can
> be useful to protect against the isolated SynFlood.

> --MonMotha

> beesond001 at hawaii.rr.com wrote:

> > To all,
> >
> >     Thanks in advance for your help.  I apologize for the long winded
> > reply.  I think I may be able to figure this out, but I want to make
> > sure that I get it mostly right before I go fiddling with
> > everything....  Here's what I am trying to do:
> >
> > (I hope this picture looks OK...)
> >
> .......
> >
> >     Now for the firewall stuff.  I have copied a few lines from the top of
> > the MonMotha Firewall 2.3.8-pre2 that I am trying to get to work with
> > my router. I would like to know from the experts out there if this
> > looks correct and whether or not I should delete the MAC_MASQ section
> > and just not use it...  Also, is it worth the while to turn
> > USE_SYNCOOKIES on?  My current firewall has SYNCOOKIE protection turned
> > on, but I don't know enough about SYNCOOKIES to know whether this is
> > already sufficiently addressed in the MonMotha firewall.
> >
> >
> >
> >
> > # Main configuration, modify to suit your setup.  Help can be found at:
> > #    http://www.mplug.org/phpwiki/index.php?MonMothaReferenceGuide
> > #
> > # set to your iptables location, must be set -- this is set /sbin/iptables for the router -- Ben
> > IPTABLES="/sbin/iptables"
> > #
> > #
> > TCP_ALLOW="22"                                      # TCP ports to allow
> > UDP_ALLOW="68 6112 6119 4000"                       # UDP ports to allow
> > INET_IFACE="eth0"                           # the interface your internet's on (one only), must be set
> > LAN_IFACE="eth1"                            # the interface your LAN's on (one only)
> > INTERNAL_LAN="192.168.0.0/24 192.168.1.0/24"        # The internal LAN (including DMZs but not censored hosts)
> > MASQ_LAN="192.168.0.0/24 192.168.1.0/24"    # the internal network(s) to be masqueraded (this is overridden by MAC_MASQ)
> > #
> > # Internal networks/hosts to use static NAT (format is <internal ip or network>:<external ip>) (this is overridden by MAC_SNAT)
> > #
> > SNAT_LAN=""
> > #
> > #
> > # What to do with packets we don't want: DROP, REJECT, TREJECT (Reject with tcp-reset for TCP),
> > # LDROP (log and drop), LREJECT (log and reject), LTREJECT (log and reject with tcp-reset),
> > # ULDROP (ULOG and DROP)
> > DROP="TREJECT"
> > #
> > DENY_ALL=""                                 # Internet hosts to explicitly deny from accessing your system at all
> > DENY_HOSTWISE_TCP=""                                # Specific hosts to deny access to specific TCP ports; format is "IP>PORT"
> > DENY_HOSTWISE_UDP=""                                # Specific hosts to deny access to specific UDP ports; format is "IP>PORT"
> >
> > # People you don't want to have anything to do with (equivalent of my old TK_DROP).  This is a bidirectional drop.
> > BLACKHOLE=""
> > BLACKHOLE_DROP="DROP"                               # What to do for the blackholes (same options as DROP directive above)
> > ALLOW_ALL=""                                        # Internet hosts to explicitly allow full access to your system
> > ALLOW_HOSTWISE_TCP=""                               # Specific hosts allowed access to specific TCP ports; format is "IP>PORT"
> > ALLOW_HOSTWISE_UDP=""                               # Specific hosts allowed access to specific UDP ports; format is "IP>PORT"
> > TCP_FW=""                                   # TCP port forwards, form is "SPORT:DPORT>IP"
> > UDP_FW=""                                   # UDP port forwards, form is "SPORT:DPORT>IP"
> > MANGLE_TOS_OPTIMIZE="TRUE"                  # TOS "optimizations" on or off (TRUE/FALSE toggle)
> > ENABLE="Y"                                  # Set to 'Y' when it's configured; this is for your own safety
> >
> > # Flood Params.  You will still receive the packets and the bandwidth will be used, but this will cause floods to be
> > # ignored (useful against SYNFLOODS especially)
> >
> > # Limit on logging (for LTREJECT, LREJECT and LDROP, the packet will always take the policy regardless of logging)
> > LOG_FLOOD="2/s"
> > #
> > # GLOBAL limit on SYN packets (servers will probably need even higher sustained rates as this isn't on a per IP basis)
> > SYN_FLOOD="20/s"
> > #
> > #
> > PING_FLOOD="1/s"                            # GLOBAL limit on ICMP echo-requests to reply to
> > #
> > # Outbound filters (they work, but are of limited functionality), probably better to use a proxy here
> > # Internal hosts allowed to be forwarded out on TCP
> > # (do not put this/these host/s in INTERNAL_LAN, but do define their method of access [snat, masq] if not a public ip)
> >
> > ALLOW_OUT_TCP=""
> >
> > #
> > #
> > # Below here is experimental (please report your successes/failures)
> > # MAC addresses permitted to use masquerading, leave blank to not use
> > #VALinux box 1 & 2, Sparc box, wireless hub, windoze box, macintosh
> > #
> > MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6 00:90:D1:01:28:1C 00:90:D1:05:E0:C3 "
> > #
> > #
> > # MAC addresses permitted to use static NAT, leave blank to not use (format is <MAC Address>:<external ip>)
> > MAC_SNAT=""
> > #
> > #
> > # How many hops packets need to make once they get on your LAN (null disables the mangling) (requires patch from patch-o-matic)
> > TTL_SAFE=""
> > #
> > USE_SYNCOOKIES="FALSE"                              # TCP SynCookies on or off (TRUE/FALSE toggle)
> > RP_FILTER="TRUE"                            # Turns rp_filter on or off on all interfaces (TRUE/FALSE toggle)
> > ACCEPT_SOURCE_ROUTE="FALSE"                 # Turns accept_source_route on or off on all interfaces (TRUE/FALSE toggle)
> > PROXY=""                                    # Redirect for Squid or other transparent proxy. Syntax to specify the proxy is "host:port".
> >
> > # Set to true if you run a DHCP server. DHCP clients do not need this.
> > # This allows broadcasts to the server from potential clients on the LAN to succeed.
> > # MUST DEFINE LAN_IFACE IF YOU USE THIS!
> > #
> > DHCP_SERVER="TRUE"
> > #
> > #
> > BAD_ICMP="5 9 10 15 16 17 18"                       # ICMP messages to NOT allow in from internet
> >
> > # Only touch these if you're daring (PREALPHA stuff, as in basically non-functional)
> > # Interface your DMZ is on (leave blank if you don't have one) MUST DEFINE LAN_IFACE IF YOU USE THIS!
> > DMZ_IFACE=""
> > #
> > #
> > #  Output an identifier message..
> > #
> > echo  "This is it...MonMotha's Firewall 2.3.8-pre2!"
> > echo  "All your h4x0rZ belong to Linux/Netfilter!"
> > #
> >
> >
> > Thanks again,
> >
> > Ben
> >



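Added example, not code from this thread or from MonMotha's firewall: a small Python checker for the two points MonMotha raises above. It reads the quoted config's shell-style KEY="value" assignments (allowing a value to wrap onto a second line, as the mail client did to MAC_MASQ), reports that a non-empty MAC_MASQ overrides MASQ_LAN so only the listed hosts get masqueraded, and flags the one MAC in Ben's list (8:0:20:81:2D:E6) whose octets are not written as two hex digits, giving the zero-padded form. The sample config inside it is constructed from the quoted lines; the assignment syntax and the canonical MAC form are assumptions made here.

```python
import re

# Constructed sample, copied from the relevant lines of the quoted config
# (assumed syntax: shell-style KEY="value", value may wrap across lines).
SAMPLE_CONFIG = '''\
# Main configuration, modify to suit your setup.
MASQ_LAN="192.168.0.0/24 192.168.1.0/24"    # overridden by MAC_MASQ
MAC_MASQ="00:90:27:A5:72:22 00:90:27:A5:72:11 8:0:20:81:2D:E6
00:90:D1:01:28:1C 00:90:D1:05:E0:C3 "
MAC_SNAT=""
USE_SYNCOOKIES="FALSE"                              # TCP SynCookies on or off
'''

ASSIGN_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)="')
# Six colon-separated hex groups of one or two digits: lenient on purpose so
# the un-padded form is detected and reported rather than silently rejected.
MAC_RE = re.compile(r'^[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}$')


def parse_config(text):
    """Return {KEY: value} for every KEY="..." assignment in text.

    A value runs until its closing double quote, so a value that a mail
    client wrapped onto a second line (as MAC_MASQ was) is still read whole.
    Comments, blank lines and commands such as echo are skipped.
    """
    config = {}
    key, parts = None, []
    for line in text.splitlines():
        if key is None:
            match = ASSIGN_RE.match(line)
            if not match:
                continue
            key, rest = match.group(1), line[match.end():]
        else:
            rest = line  # continuation of a wrapped value
        close = rest.find('"')
        if close == -1:
            parts.append(rest)
            continue
        parts.append(rest[:close])
        config[key] = ' '.join(parts)
        key, parts = None, []
    return config


def normalize_mac(mac):
    """Canonical form: each octet as two upper-case hex digits."""
    if not MAC_RE.match(mac):
        raise ValueError(f'not a MAC address: {mac!r}')
    return ':'.join(f'{int(octet, 16):02X}' for octet in mac.split(':'))


def check_masq(config):
    """Findings about MAC_MASQ as described in the thread.

    MonMotha's point: once MAC_MASQ is non-empty it takes precedence over
    MASQ_LAN, so a LAN host whose MAC is not listed is no longer masqueraded.
    """
    findings = []
    macs = config.get('MAC_MASQ', '').split()
    if macs and config.get('MASQ_LAN', '').split():
        findings.append('MAC_MASQ is set, so MASQ_LAN is overridden: only the '
                        f'{len(macs)} listed MACs will be masqueraded')
    for mac in macs:
        try:
            canon = normalize_mac(mac)
        except ValueError:
            findings.append(f'MAC_MASQ entry {mac!r} is malformed')
            continue
        if canon != mac.upper():
            findings.append(f'MAC_MASQ entry {mac!r} is not zero-padded; '
                            f'use {canon}')
    return findings


if __name__ == '__main__':
    for finding in check_masq(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it prints the override warning and the one un-padded entry; an empty MAC_MASQ (which is what MonMotha suggests for most people) produces no findings at all, and masquerading is then governed by MASQ_LAN alone.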

