* Re: Newby
From: Don Hughes @ 2004-12-27 20:32 UTC (permalink / raw)
To: netfilter
On Monday 27 December 2004 09:03, calvin@dslextreme.com wrote:
> Thanks to Jason, Kassad and Askar for responding to my email.
> I've only played with RedHat before, and mostly forced myself to
> use the command line rather than the GUI interface. Maybe it's time to try
> another Linux flavor. Now, this FW I want to set up for my home
> network, I would like the least software loaded on this as this
> is a 32MB, PII 266, 2.5GB computer. I am thinking IPTABLES,
> Tripwire, SNORT, or will that be too much for this machine?
> Related to this, where can I find information on those required
> to load during OS installation for these 3 apps to work.
I know that SuSE has a minimal installation option that will
easily fit on your drive. Without the GUI, a 266 should be more than
fast enough since your internet connection will be the slowest
link. RAM could be tight though. SuSE offers a text based
installation for PCs with RAM/video limits. You can select the
minimal installation option then hand pick any other files you
wish to add/delete. It uses RPM packages so it will check for
dependencies before it loads files. Worth a look...
I used to run the SuSE text based system on a similar system
without any problem. I used the SuSE YAST2 installer, deleted
everything, added back IPTABLES, Tripwire, SNORT, rsync, and my
favorite editor and had it solve dependencies. With all the
libraries/utilities/etc it installed about 170 RPM packages.
Excluding swap and temp space, it took about 600Meg of disk
space.
--
..don
dhughes@microtechniques.com
White Plains, NY
* Re: INPUT or FORWARD;;
From: Jason Opperisano @ 2004-12-20 12:58 UTC (permalink / raw)
To: netfilter
On Mon, 2004-12-20 at 02:10, R. DuFresne wrote:
> I see in the FAQ on the netfilter website this under section 7.3
> FILTERING SPECIFICATIONS;
>
> <quote>
>
> Specifying an Interface
>
> ...
>
> Packets traversing the INPUT chain don't have an output interface,
> so any rule using `-o' in this chain will never match.
> Similarly, packets traversing the OUTPUT chain don't have an
> input interface, so any rule using `-i' in this chain will never
> match.
> Only packets traversing the FORWARD chain have both an input and
> output interface.
>
>
> </quote>
>
>
> My question is this, and it may well have been answered many times
> already, I'll take the slap to the back of the head if it's one of the
> common list questions that folks tend to get irritated in repeatedly
> answering;
>
> A multi-homed firewall having at least two interfaces, is known, at least
> to itself by those IP/hostname combos assigned to its interfaces. <i.e.
> ppp0 and eth0> So say rules coming from the ppp0 interface into the
> firewall <INPUT rules> are directed to its other name/interface
>
> -i /dev/ppp0 -d /dev/eth0
well--those values make no sense whatsoever, but if you're asking if the
following is valid:
iptables -A INPUT -i ppp0 -d $IP_OF_ETH0 -j ACCEPT
then yes. the INPUT chain is traversed by packets destined for a local
process (IP addresses). the input interface is just a tag attached to
the packet.
-j
--
"If I wanted smoke blown up my ass, I'd be at home with a pack of
cigarettes and a short length of hose."
--The Simpsons
* RE: INPUT or FORWARD;;
From: Rob Sterenborg @ 2004-12-20 13:24 UTC (permalink / raw)
To: netfilter
netfilter-bounces@lists.netfilter.org wrote:
>> A multi-homed firewall having at least two interfaces, is known, at
>> least to itself by those IP/hostname combos assigned to its
>> interfaces. <i.e. ppp0 and eth0> So say rules coming from the ppp0
>> interface into the firewall <INPUT rules> are directed to its other
>> name/interface
>>
>> -i /dev/ppp0 -d /dev/eth0
>
> well--those values make no sense whatsoever, but if you're
> asking if the following is valid:
>
> iptables -A INPUT -i ppp0 -d $IP_OF_ETH0 -j ACCEPT
>
> then yes. the INPUT chain is traversed by packets destined
> for a local process (IP addresses). the input interface is
> just a tag attached to the packet.
I'm not sure I understand this:
I agree it's a valid rule (syntax), but I don't think it will ever match
a packet.
If -i and -d are specified, they both have to match to accept a packet,
right?
Because <ip_eth0> is not assigned to ppp0, how can -i ppp0 -d <ip_eth0>
ever match for the INPUT chain?
Gr,
Rob
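An added example (not code from the thread) addressing the question Rob raises above and the answer Jason gave: a small Python model of which chain a packet traverses and whether the INPUT rule `-i ppp0 -d $IP_OF_ETH0` can ever match. It assumes Linux's default weak-host behaviour (local delivery is decided by the destination address alone, whatever interface the packet came in on) and uses constructed sample addresses for ppp0 and eth0.

```python
# Simplified model of netfilter chain selection and rule matching (added
# example, not the kernel's code). Addresses are constructed sample values.
from dataclasses import dataclass

# Constructed sample addresses for a two-interface firewall.
LOCAL_ADDRS = {"ppp0": "203.0.113.7", "eth0": "192.168.1.1"}
IP_OF_ETH0 = LOCAL_ADDRS["eth0"]


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on; just a tag it carries
    dst: str       # destination IP address


def chain_for(pkt: Packet, local_addrs=LOCAL_ADDRS) -> str:
    """Weak host model: a packet addressed to ANY local IP is delivered
    locally and traverses INPUT, regardless of the ingress interface.
    Anything else is routed and traverses FORWARD."""
    return "INPUT" if pkt.dst in local_addrs.values() else "FORWARD"


def rule_matches(pkt: Packet, rule: dict) -> bool:
    """Match a rule {chain, in_iface, dst} against a packet. All given
    matches (-i and -d) must hold at once, exactly as Rob assumed."""
    if rule["chain"] != chain_for(pkt):
        return False  # the packet never traverses this chain at all
    if rule.get("in_iface") and rule["in_iface"] != pkt.in_iface:
        return False
    if rule.get("dst") and rule["dst"] != pkt.dst:
        return False
    return True


# iptables -A INPUT -i ppp0 -d $IP_OF_ETH0 -j ACCEPT, as a rule dict
RULE = {"chain": "INPUT", "in_iface": "ppp0", "dst": IP_OF_ETH0}


def demo() -> dict:
    # Arrives on ppp0 addressed to eth0's IP: local delivery, so it hits
    # INPUT with in_iface == ppp0, and both -i and -d hold -> matches.
    outside_to_eth0_ip = Packet(in_iface="ppp0", dst=IP_OF_ETH0)
    # Arrives on ppp0 for a LAN host: FORWARD only, never seen by INPUT.
    outside_to_lan_host = Packet(in_iface="ppp0", dst="192.168.1.50")
    # From the LAN to eth0's IP: INPUT, but -i ppp0 fails.
    lan_to_eth0_ip = Packet(in_iface="eth0", dst=IP_OF_ETH0)
    return {
        "ppp0->ip_of_eth0": rule_matches(outside_to_eth0_ip, RULE),
        "ppp0->lan_host": rule_matches(outside_to_lan_host, RULE),
        "eth0->ip_of_eth0": rule_matches(lan_to_eth0_ip, RULE),
    }
```

The first case is the one in dispute: the rule does match, because the destination being local is what sends the packet to INPUT, not the interface the address is bound to. From a defender's view that traffic pattern (external interface, internal address) is usually one to log or drop rather than ACCEPT.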
* Newby
From: calvin @ 2004-12-26 19:04 UTC (permalink / raw)
To: netfilter
Hi All,
I am setting up a FW using IPTABLES. I played with it when RedHat was 7.x
and stopped using it (Linux and IPTABLES) for a long while now. Back then
I modified the file directly to suit my needs. I tried RedHat 9.0 recently
and it would not allow me to modify it directly.
I heard that RedHat stopped providing freeware Linux or that they have a
different version that provides freeware. My question is what freeware
Linux could I install that will allow me to easily install IPTABLES and
would provide me the flexibility to modify the rules easily.
Thanks
* Re: Newby
From: Jason Opperisano @ 2004-12-26 19:45 UTC (permalink / raw)
To: netfilter
On Sun, 2004-12-26 at 14:04, calvin@dslextreme.com wrote:
> Hi All,
>
> I am setting up a FW using IPTABLES. I played with it when RedHat was 7.x
> and stopped using it (Linux and IPTABLES) for a long while now. Back then
> I modified the file directly to suit my needs. I tried RedHat 9.0 recently
> and it would not allow me to modify it directly.
>
> I heard that RedHat stopped providing freeware Linux or that they have a
> different version that provides freeware. My question is what freeware
> Linux could I install that will allow me to easily install IPTABLES and
> would provide me the flexibility to modify the rules easily.
>
> Thanks
the "free" version of redhat is called fedora core. the current version
is 3, it is based on a 2.6.9 kernel.
http://fedora.redhat.com/
a good way to start with netfilter would be to check out:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
welcome back.
-j
--
"Weaseling out of things is important to learn. It's what separates
us from the animals...except the weasel."
--The Simpsons