[luau] Firewall question..
MonMotha
monmotha at indy.rr.com
Wed Jul 31 21:05:01 PDT 2002
Honestly, if you're going to use a linux firewall, use iptables.
Linux's packet filter has improved so much since 2.0 and ipfwadm that
it's like night and day. I don't even remember ipfwadm syntax anymore
(it sucked anyway), nor do I remember the packet journey.
I think LRP has a 2.4 based disk, or if not, I have a beta/alpha one you
can play with. It is at
http://monmotha.mplug.org/flplinux/lanwanrouter-1.1-1.img
iptables is stateful and extensible. The syntax is understandable and I
happen to know the packet journey on it :)
Also, iptables has full nat support. You don't need kludges to do port
forwards or similar as iptables has the DNAT target to handle this for you.
If you for some reason MUST use a 2.0 based router, you'll probably be
mostly on your own as linux as a router didn't really catch on until the
2.2 days and then ipchains was in use.
Sorry if this sounds harsh or if you feel I shouldn't have replied, but
I figured I probably should as I'm considered the "resident firewall
guru" and most people would probably be expecting me to reply. I did
use ipfwadm many moons ago and I hated it. Trust me when I say you will
not regret upgrading, even if it means jumping through some hoops.
--MonMotha
yuser at hi.net wrote:
> I for the life of me can not figure this out..
>
> I have a floppy boot FreeSco router (similar to LRP) with 2 NICs for my cable modem and internal lan.
>
> eth0 is outside, eth1 is internal.
>
> I am using ipportfw to forward outside port 22 to 192.168.0.1 port 22, and outside 11500 to 192.168.0.5 port 80. This works great and ANYONE can get in. Only problem is
> I only want 2 specific internet ip's to be able to get through the router and to these services.
>
> FreeSco uses ipfwadm, it's a little old but that's my only choice. It appears that the ipportfw rules take effect before and then ignore the ipfwadm rules and I can not restrict
> the incoming ip's. Do I need to modify the -M rules for ipportfw restrictions instead of -I rules?
....
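What the iptables approach MonMotha recommends looks like for the poster's two port forwards, written here as an added example that is not part of the thread. It assumes eth0 is the outside interface and uses two constructed TEST-NET addresses (203.0.113.10, 203.0.113.20) as stand-ins for the two real source IPs; by default it only prints the commands, and it applies them when run with IPT=iptables.

```shell
#!/bin/sh
# Added example: iptables (2.4 netfilter) equivalent of the ipportfw forwards in
# the thread, with each forward restricted to the allowed source addresses.
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
WAN=eth0
# Constructed placeholder addresses (TEST-NET-3) standing in for the two real ones.
ALLOWED="203.0.113.10 203.0.113.20"

forward_rules() {
    # $1 = external port, $2 = internal host, $3 = internal port
    ext=$1; host=$2; port=$3
    for src in $ALLOWED; do
        # Only packets from an allowed source get their destination rewritten
        # (nat table, PREROUTING); everyone else never reaches the internal host.
        $IPT -t nat -A PREROUTING -i "$WAN" -s "$src" -p tcp --dport "$ext" \
            -j DNAT --to-destination "$host:$port"
        # FORWARD sees the packet after DNAT, so match the translated host/port.
        # The default policy below drops anything not explicitly allowed here.
        $IPT -A FORWARD -i "$WAN" -s "$src" -d "$host" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

apply_policy() {
    $IPT -P FORWARD DROP
    # Return traffic for connections the stateful tracker already knows about.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outside 22 -> 192.168.0.1:22 and outside 11500 -> 192.168.0.5:80, as in the thread.
    forward_rules 22 192.168.0.1 22
    forward_rules 11500 192.168.0.5 80
}

apply_policy
```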