File: firewall-8.html

linuxconf 1.26r4-2
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
 <TITLE>Firewalling and packets accounting: The logic of firewalling with linuxconf</TITLE>
 <LINK HREF="firewall-9.html" REL=next>
 <LINK HREF="firewall-7.html" REL=previous>
 <LINK HREF="firewall.html#toc8" REL=contents>
</HEAD>
<BODY>
<A HREF="firewall-9.html">Next</A>
<A HREF="firewall-7.html">Previous</A>
<A HREF="firewall.html#toc8">Contents</A>
<HR>
<H2><A NAME="s8">8. The logic of firewalling with linuxconf</A></H2>

<P>Firewalling in <EM>Linux</EM> is highly flexible and can become very
complicated. <EM>Linuxconf</EM> proposes a simple logic that simplifies
composing the firewalling rules. While this logic helps create and
maintain a basic firewall, some configurations cannot be expressed with
linuxconf. Here is the logic:
<P>
<H2><A NAME="ss8.1">8.1 Positive logic</A>
</H2>

<P>When you activate one of the three firewalling systems
(input, forward, output), <EM>Linuxconf</EM> sets the default policy
to <EM>deny</EM>. Every rule you enter is therefore a hole, an opening, in the
firewall. If you enter no rules, your machine is almost completely
isolated and answers nothing.
<P>
<H2><A NAME="ss8.2">8.2 A pre-cooked firewall solution</A>
</H2>

<P>Here is an example for a simple network. Typically, eth0 points to
the local network, and nothing on that network must be reachable from
the outside. eth1 points to a router on the Internet.
<P>
<H3>Input rules: accepting all icmp packets</H3>

<P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
        Protocol                icmp
                        -----------From---------------
        Host or Network 0.0.0.0
        Netmask         
        Port range
        Other ports
        Interface               eth1
                        -----------To-----------------
        Host or Network eth1
        Netmask
        Port range
        Other ports
        Interface       Any
        
</PRE>
</CODE></BLOCKQUOTE>
<P>
<H3>Input rules: accepting only DNS packets</H3>

<P>Ultimately only port
<P>
<BLOCKQUOTE><CODE>
<PRE>
        Protocol                udp
                        -----------From---------------
        Host or Network 0.0.0.0
        Netmask         0.0.0.0
        Port range
        Other ports
        Interface               eth1
                        -----------To-----------------
        Host or Network eth1
        Netmask
        Port range
        Other ports
        Interface       Any
        
</PRE>
</CODE></BLOCKQUOTE>
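<P>The positive logic described above (default policy deny, each rule a hole that accepts), with the two input forms of this section encoded as rules, as an added Python model that is not part of linuxconf and calls no kernel tool; the rule and packet fields are assumptions mirroring the form fields, and the DNS rule assumes UDP port 53, which the second form leaves blank.

```python
import ipaddress

# Linuxconf sets the chain policy to deny; rules are only ever openings.
DEFAULT_POLICY = "deny"

def make_rule(protocol, src_net="0.0.0.0/0.0.0.0", ports=None, iface=None):
    """Hypothetical rule record mirroring the linuxconf form fields.
    A blank Netmask in the form is treated here as 'any host' (0.0.0.0/0);
    ports is an inclusive (low, high) tuple or None for any port;
    iface is None when the form says 'Any'."""
    return {"protocol": protocol,
            "src": ipaddress.ip_network(src_net, strict=False),
            "ports": ports, "iface": iface}

def matches(rule, pkt):
    """True when every filled-in field of the rule matches the packet."""
    if rule["protocol"] != "all" and rule["protocol"] != pkt["protocol"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    if rule["ports"] is not None:
        lo, hi = rule["ports"]
        if pkt.get("dport") is None or not lo <= pkt["dport"] <= hi:
            return False
    return True

def verdict(chain, pkt):
    """First matching rule opens a hole; otherwise the deny policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return "accept"
    return DEFAULT_POLICY

# Constructed input chain: the icmp form and the DNS form from this section.
INPUT_CHAIN = [
    make_rule("icmp", iface="eth1"),
    make_rule("udp", ports=(53, 53), iface="eth1"),
]

if __name__ == "__main__":
    # Constructed sample packets arriving on the Internet-facing eth1.
    for pkt in ({"protocol": "icmp", "src": "203.0.113.9", "iface": "eth1"},
                {"protocol": "udp", "src": "203.0.113.9", "iface": "eth1", "dport": 53},
                {"protocol": "tcp", "src": "203.0.113.9", "iface": "eth1", "dport": 80}):
        print(pkt["protocol"], pkt.get("dport"), "->", verdict(INPUT_CHAIN, pkt))
```

With an empty chain every packet falls through to the deny policy, which is the "isolated, answering to nothing" state of section 8.1.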
<P>
<HR>
<A HREF="firewall-9.html">Next</A>
<A HREF="firewall-7.html">Previous</A>
<A HREF="firewall.html#toc8">Contents</A>
</BODY>
</HTML>