Firewall question

Firewall question

[Alex Davis]

The scenario:
I have a DSL modem in pass through (bridge) mode. The linux firewall/router 
has a single ethernet card.  It is running pppoe. This gives two interfaces: 
eth0 and ppp0. The firewall is running iptables. There are several machines 
behind the firewall.

Problem:
I've been told that if someone whose public IP address is on the same
network subnet as mine were to get my mac address, (s)he could bypass
the firewall and talk directly to the machines behind it.

Is this true?

Thanks.


I code, therefore I am

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Firewall question

[Lennart Sorensen]

On Thu, Jun 08, 2006 at 11:57:12AM -0700, Alex Davis wrote:
> The scenario:
> I have a DSL modem in pass through (bridge) mode. The linux firewall/router 
> has a single ethernet card.  It is running pppoe. This gives two interfaces: 
> eth0 and ppp0. The firewall is running iptables. There are several machines 
> behind the firewall.
> 
> Problem:
> I've been told that if someone whose public IP address is on the same
> network subnet as mine were to get my mac address, (s)he could bypass
> the firewall and talk directly to the machines behind it.
> 
> Is this true?

Well the DSL modem only transfers whatever data the ISP end sends to it,
which in your case is just PPP packets (LCC or LCP I think).  No one out
on the internet would be able to send ethernet data over the DSL link,
so the only way to send data to another machine on your network (that
the DSL modem is connected to physically) is if you have other machines
on your local network which are also running PPPoE and listening for
that traffic.

So the worst thing I can see happening is that someone on your local
network could potentially take over your PPPoE session, but that's about
it.  I just can't see anything else that could happen.  I used to run
exactly the setup you describe before I had to drop the DSL connection
(I moved).

Len Sorensen

Re: Firewall question

[Andi Kleen]

> Well the DSL modem only transfers whatever data the ISP end sends to it,
> which in your case is just PPP packets (LCC or LCP I think).  No one out
> on the internet 

No one out on the internet, but it would be trivial for someone outside
his house. All his traffic will be on a long unsecured cable. 

That is why I would never bridge home ethernet traffic onto a DSL line.

-Andi

Re: Firewall question

[Lennart Sorensen]

On Fri, Jun 09, 2006 at 05:43:24AM +0200, Andi Kleen wrote:
> No one out on the internet, but it would be trivial for someone outside
> his house. All his traffic will be on a long unsecured cable. 
> 
> That is why I would never bridge home ethernet traffic onto a DSL line.

Hmm, traffic sent between his machines would not go over the DSL since
the MAC address doesn't match the DSL modem (I would think so at
least).  It would be a mess if the DSL modem tried to forwards all
traffic on an ethernet segment (well it doesn't have the bandwidth for
sure).  Maybe I am incorrectly assuming the DSL modem only forwards the
PPPoE traffic being sent at it.  I could see broadcast traffic being
forwarded, although arps and such are generally not that interesting.

Len Sorensen

Firewall question...

[V. A.H.]

[-- Attachment #1: Type: text/plain, Size: 980 bytes --]

Hello,
 
Considering the folowing network scheme:
 
Internet (Diffrent ISP) ------ Subnet Y (10.0.0.0/20)
                                                |
                                                |
                                                |
                                            (eth0)
                                           Firewall
                                            (eth1)
                                                |
                                                |
                                                |
                                        My Subnet(10.0.1.0/24) ------ Firewall/Router(SNAT) ------ Internet (My ISP).
 
I have to filter all traffic between Subnet Y and My Subnet with a firewall box. And I don't know how to forward this traffic between those two interfaces presented in this scheme.
 
Many thanx.


---------------------------------
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.

[-- Attachment #2: Type: text/html, Size: 3470 bytes --]

Re: Firewall question...

[Antony Stone]

On Tuesday 30 March 2004 1:59 am, V. A.H. wrote:

> Hello,
>
> Considering the folowing network scheme:
>
> Internet (Different ISP)
>
> Subnet Y (10.0.0.0/20)
>
>  (eth0)
> Firewall
>  (eth1)
>
> My Subnet(10.0.1.0/24)
>
> Firewall/Router(SNAT)
>
> Internet (My ISP).
>
> I have to filter all traffic between Subnet Y and My Subnet with a firewall
> box. And I don't know how to forward this traffic between those two
> interfaces presented in this scheme.

You don't need to do anything special on the top firewall shown here - what 
you need to do is make sure the bottom firewall (which I assume is the 
default route for the machines in your Subnet 10.0.1.0/24) has a route for 
Subnet Y pointing to eth1 as the next hop.

The top firewall just needs to know about the two networks on either side of 
it, which is automatic under Linux - it will only need a default gateway of 
its own if it needs to contact the Internet for its own reasons (eg DNS?).

If this still isn;t quite clear to you, repost your diagram with all IP subnet 
addresses shown, and IP addresses for each interface.   Then I can give a 
clearer answer.

Regards,

Antony.

-- 
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.

 - Damian Conway, Perl God

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Firewall question...

[V. A.H.]

[-- Attachment #1: Type: text/plain, Size: 1064 bytes --]

Thx for your answer.
Still a little bit confused.
This is the scheme with ip addresses:
 
Internet (Different ISP)
        |
Subnet Y (10.0.0.0/20)
        |
(eth0)-10.0.1.254
Firewall
(eth1)-10.0.1.253
        |
My Subnet(10.0.1.0/24)
        |
(eth1)-10.0.1.1(default route for My Subnet)
Firewall/Router(SNAT)
(eth0)-some real ip address
        |
Internet (My ISP).

 
 
<<What you need to do is make sure the bottom firewall (which I assume is the 
default route for the machines in your Subnet 10.0.1.0/24) has a route for 
Subnet Y pointing to eth1 as the next hop.
The top firewall just needs to know about the two networks on either side of 
it, which is automatic under Linux - it will only need a default gateway of 
its own if it needs to contact the Internet for its own reasons (eg DNS?).>>
 
The top firewall box doesn't need to contact the Internet. Will have to forward packets between the interfaces and filter the traffic.
 
Best regards.



---------------------------------
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.

[-- Attachment #2: Type: text/html, Size: 1602 bytes --]

Re: Firewall question...

[Antony Stone]

On Tuesday 30 March 2004 10:34 am, V. A.H. wrote:

> Thx for your answer.
> Still a little bit confused.
> This is the scheme with ip addresses:
>
> Internet (Different ISP)
>
> Subnet Y (10.0.0.0/20)
>
> (eth0)-10.0.1.254
> Firewall
> (eth1)-10.0.1.253

I'm not surprised you are a little bit confused if these IP addresses are 
accurate :)

Please confirm: is eth0 10.0.1.254, or 10.0.0.254?

And: you have one subnet 10.0.0.0/20, with another connected network 
10.0.1.0/24 (ie a subnet of the original network)???

This is going be difficult to sort out.

Hosts in Subnet Y are going to expect 10.0.1.0/24 addresses to be local, not 
via a router - the Firewall you've shown is going to have to do a lot of 
nasty proxy-arp'ing for this setup to work.

> My Subnet(10.0.1.0/24)
>
> (eth1)-10.0.1.1(default route for My Subnet)
> Firewall/Router(SNAT)
> (eth0)-some real ip address
>
> Internet (My ISP).

I recommend you start with two non-overlapping subnets.   If you cannot do 
that, you have some significant routing challenges to solve, before you get 
anywhere near setting up netfilter to block some of the otherwise routed 
packets.

Regards,

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Firewall question...

[V. A.H.]

[-- Attachment #1: Type: text/plain, Size: 1069 bytes --]

This is how the whole setup is looking for the moment:
 
Internet (Different ISP)
        |
Subnet Y (10.0.0.0/20)
        |
        |
My Subnet(10.0.1.0/24)
        |
(eth1)-10.0.1.1(default route for My Subnet)
Firewall/Router(SNAT)
(eth0)-some real ip address
        |
Internet (My ISP).


 
<<I'm not surprised you are a little bit confused if these IP addresses are 
accurate :)
Please confirm: is eth0 10.0.1.254, or 10.0.0.254?
And: you have one subnet 10.0.0.0/20, with another connected network 
10.0.1.0/24 (ie a subnet of the original network)???>>

10.0.0.0/20 is a metropolitan network; in order to access this network I have a /24 subnet available, 10.0.1.0 and the netmask for my clients is 255.255.240.0 (/20). As I mentioned before, I have to setup this firewall between metropolitan network and my clients. And I'm stuck :-) The network interfaces from my furure firewall (I hope) can take only an ip from my available /24 network.
 
Thank You.


---------------------------------
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.

[-- Attachment #2: Type: text/html, Size: 1559 bytes --]

RE: Firewall Question

[mourik jan c heupink]

I agree. I have just setup my first iptables firewall, and it's really
not as difficult as it might seem.

I also doubted wether to use a special firewall program, or do it
myself. I eventually did it myself. The program I *would* have used
otherwise is shorewall. (http://www.shorewall.net)

Hope this helps.

Mourik Jan

On Wed, 2002-10-02 at 09:27, Stewart Thompson wrote:
> Hi:
> 
> 	I wasn't the original poster. I was just replying to Bishop.
> 
> Stu........
> 
> 
> -----Original Message-----
> From: mourik jan c heupink [mailto:heupink@intech.unu.edu]
> Sent: October 2, 2002 12:21 AM
> To: stewart.thompson@shaw.ca
> Subject: RE: Firewall Question
> 
> I agree. I have just setup my first iptables firewall, and it's really
> not as difficult as it might seem.
> 
> I also doubted wether to use a special firewall program, or do it
> myself. I eventually did it myself. The program I *would* have used
> otherwise is shorewall. (http://www.shorewall.net)
> 
> Hope this helps.
> 
> Mourik Jan
> 
> On Wed, 2002-10-02 at 03:26, Stewart Thompson wrote:
> > HI Luis:
> >
> >       I prefer to write a script by hand using the CLI.
> > Most modern Linux distributions include Iptables/Netfilter.
> > You can also control when it starts up, and include other
> > things in it like Stunnel set up, conditional rules etc. I
> > have not used any of the firewall front ends, but a GUI is
> > probably easier if you are new. The trouble I have is the
> > rules are hidden behind the GUI interface. There are lots
> > of good sample scripts on the net that you can modify for
> > your purposes. Plus, you will get a much more interment
> > knowledge of Iptables. Just my two cents worth.
> >
> > Stu.........
> >
> >
> >
> >
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Bishop
> > Sent: October 1, 2002 5:04 PM
> > To: stewart.thompson@shaw.ca; HareRam; netfilter@lists.netfilter.org
> > Subject: Firewall Question
> >
> > Hello all,
> >
> >         I have  a question for you guys. I will installing a firewall on
> my
> > linux box soon. My question is would it be better for me to download a
> > firewall software off then net , or should I build my own firewall from
> > scratch. Let me know what you guys think, and which one would be better.
> >
> >
> > Thank you all
> >
> > --Luis
> >
> 

Re: Firewall Question

[Bishop]

Well right now I just finished installing red hat 8.0 so I should make my
own iptable for my firewall......



----- Original Message -----
From: "Cesar Farro Flores" <cesar.farro@telefonica-data.com.pe>
To: "Bishop" <bishop@pacbell.net>
Sent: Tuesday, October 01, 2002 5:45 PM
Subject: Re: Firewall Question



http://netfids.com/portal/software/RPMS/kernel-2.4.18-11netfids.i686.rpm
http://netfids.com/portal/software/RPMS/iptables-1.2.7a-1.i386.rpm
http://netfids.com/portal/software/RPMS/iptables-1.2.7a-1.i586.rpm
http://netfids.com/portal/software/RPMS/iptables-1.2.7a-1.i686.rpm
Download all it´.s






                      Bishop
                      <bishop@pacbell.net>            Para:
stewart.thompson@shaw.ca, HareRam <hareram@sol.net.in>,
                      Enviado por:
netfilter@lists.netfilter.org
                      netfilter-admin@lists.ne        cc:
                      tfilter.org                     Asunto:   Firewall
Question


                      01/10/2002 07:04 PM
                      Por favor, responda a

                      Bishop






Hello all,

        I have  a question for you guys. I will installing a firewall on my
linux box soon. My question is would it be better for me to download a
firewall software off then net , or should I build my own firewall from
scratch. Let me know what you guys think, and which one would be better.


Thank you all

--Luis

RE: transfer Bytes Counting

[Stewart Thompson]

Hi Hare:

	Always CC the list so that other people can
help you out as well. I don't do redirect with any of the machines
that I Administer. However, you seem to be loading a lot of modules
for the simple rules you are using. Perhaps you have plans for them
in the future. Hopefully Antony will jump in here and add to this advice.

	Make a user defined chain for each on of your subnets.
Also, if your looking for security, which you should be if this accesses
the Internet. Flush all your chains, and set your policies to DROP.
Anyway, getting back to your question. I was thinking of something like.

/sbin/iptables -N NET1CHAIN
/sbin/iptables -A NET1CHAIN -s 192.168.20.11 -j REDIRECT --to-port 3129
/sbin/iptables -A NET1CHAIN -s 192.168..20.22 - j REDIRECT --to-port 3129
/sbin/iptables -A NET1CHAIN -s 192.168.20.33 -j REDIRECT --to-port 3129

sbin/iptables -N NET2CHAIN
/sbin/iptables -A NET2CHAIN -s 192.168.3.11 -j REDIRECT --to-port 3129
/sbin/iptables -A NET2CHAIN -s 192.168.3.22 - j REDIRECT --to-port 3129
/sbin/iptables -A NET2CHAIN -s 192.168.3.33 -j REDIRECT --to-port 3129

/sbin/iptables -t nat -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j
\
NET1CHAIN
/sbin/iptables -t nat -A PREROUTING -s 192.168.3.0/24 -p tcp --dport 80 -j \
NET2CHAIN
/sbin/iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j
MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
-------------------

	If this is going to be involved, there are applications that might
be better suited for keeping track of packets. Since it appears you are
redirecting
to a proxy. It may be a better place to do the packet counting. Hope that
helps.
	I am sure some other people will jump in with better suggestions.

Stu.........



-----Original Message-----
From: HareRam [mailto:hareram@sol.net.in]
Sent: October 1, 2002 2:14 AM
To: stewart.thompson@shaw.ca
Subject: Re: transfer Bytes Counting

Hi Stewart

thanks for ur responce, it really help full
but iam using like follow config
------------------------
m=modprobe
$m ip_conntrack_ftp
$m ip_conntrack_irc
$m ip_conntrack
$m ip_nat_ftp
$m ip_nat_irc
$m ip_queue
$m iptable_filter
$m iptable_mangle
$m iptable_nat
$m ip_tables
$m ipt_limit
$m ipt_LOG
$m ipt_mac
$m ipt_mark
$m ipt_MARK
$m ipt_MASQUERADE
$m ipt_MIRROR
$m ipt_multiport
$m ipt_owner
$m ipt_REDIRECT
$m ipt_REJECT
$m ipt_state
$m ipt_tcpmss
$m ipt_TCPMSS
$m ipt_tos
$m ipt_TOS
$m ipt_unclean
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -t nat -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j
REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -s 192.168.3.0/24 -p tcp --dport 80 -j
REDIRECT --to-port 3129
/sbin/iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j
MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE
-------------------

[root@catcable root]# iptables -L PREROUTING -n -v -t nat
Chain PREROUTING (policy ACCEPT 976 packets, 114K bytes)
 pkts bytes target     prot opt in     out     source
destination
  484 23232 REDIRECT   tcp  --  *      *       192.168.20.0/24
0.0.0.0/0          tcp dpt:80 redir ports 3129
    0     0 REDIRECT   tcp  --  *      *       192.168.3.0/24
0.0.0.0/0          tcp dpt:80 redir ports 3129
--------------

how do i see each ip bytes in and out , how can i insert command to each ip
traffic

iam using this for transparent proxy which is diverting to cache server
which is running on port 3129

thanks for the help in advance

hare


----- Original Message -----
From: "Stewart Thompson" <stewart.thompson@shaw.ca>
To: "HareRam" <hareram@sol.net.in>; <netfilter@lists.netfilter.org>
Sent: Tuesday, October 01, 2002 2:11 PM
Subject: RE: transfer Bytes Counting


> Hi Hare:
>
> Here is one way that was originally suggested by Antony Stone on the list.
>
> <Begin Quote>
>
> In my FORWARD chain, instead of ACCEPTing packets which are ESTABLISHED or
> RELATED, I send them to a user-defined chain called for example PKTCOUNT
>
> Then the PKTCOUNT chain contains rules like this:
>
> iptables -A PKTCOUNT -s 11.22.33.44 -j ACCEPT
> iptables -A PKTCOUNT -s 11.22.33.55 - j ACCEPT
> iptables -A PKTCOUNT -s 11.22.33.66 -j ACCEPT
>
> and so on, for each of the IP addresses you're interested in.   You could
of
> course use -d if you're more interested in destination addresses, or use
> both.
>
> Then the command iptables -L PKTCOUNT -n -v will show you the number of
> packets and the number of bytes which have matched on each rule in this
> chain
> - ie the number which matched each IP address.
>
> I actually have a cron job to do this once a minute and record all the
> numbers to an IP log file, which I can then parse with a Perl program to
> produce some pretty graphs. I'm sure mrtg could do this if you wanted to
> use that instead.
>
> I guess if you've already created a set of SNAT or DNAT rules to do the
> translations you want, then you probably don't even need to create the
> PKTCOUNT chain - just try doing iptables -L PREROUTING -n -v -t nat and it
> will tell you how many packets and bytes got translated by each rule.
>
> <End Quote>
>
> Hope that helps.
>
> Stu....
>
>
>
>
>
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of HareRam
> Sent: September 30, 2002 10:12 PM
> To: netfilter@lists.netfilter.org
> Subject: transfer Bytes Counting
>
> Hi all
>
> iam using IPtables since long
> now i have new requirement in my network
> i sould like to count tranfer bytes In/Out for individual IP or MAC
address
> could any give me small examples, how can i do this rather i achive this
>
> thanks in advance
>
> hare
>
>
>

Firewall Question

[Bishop]

Hello all,

        I have  a question for you guys. I will installing a firewall on my
linux box soon. My question is would it be better for me to download a
firewall software off then net , or should I build my own firewall from
scratch. Let me know what you guys think, and which one would be better.


Thank you all

--Luis

RE: Firewall Question

[Stewart Thompson]

HI Luis:

	I prefer to write a script by hand using the CLI.
Most modern Linux distributions include Iptables/Netfilter.
You can also control when it starts up, and include other
things in it like Stunnel set up, conditional rules etc. I
have not used any of the firewall front ends, but a GUI is
probably easier if you are new. The trouble I have is the
rules are hidden behind the GUI interface. There are lots
of good sample scripts on the net that you can modify for
your purposes. Plus, you will get a much more interment
knowledge of Iptables. Just my two cents worth.

Stu.........




-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Bishop
Sent: October 1, 2002 5:04 PM
To: stewart.thompson@shaw.ca; HareRam; netfilter@lists.netfilter.org
Subject: Firewall Question

Hello all,

        I have  a question for you guys. I will installing a firewall on my
linux box soon. My question is would it be better for me to download a
firewall software off then net , or should I build my own firewall from
scratch. Let me know what you guys think, and which one would be better.


Thank you all

--Luis

RE: Firewall Question

[Rowan Reid]

> 
>         I have  a question for you guys. I will installing a 
> firewall on my linux box soon. My question is would it be 
> better for me to download a firewall software off then net , 
> or should I build my own firewall from scratch. Let me know 
> what you guys think, and which one would be better.

I'm fairly new to firewall, my last successful attepmed was using
Iptables, and the Strong Firewall script as a template. After learning
more about IPTables I definitely say start with a proven script then
follow It line for line making sure you understand it.


http://www.e-infomax.com/ipmasq/howto/c-html/stronger-firewall-examples.
html#RC.FIREWALL-2.4.X-STRONGER