some ipfilter questions

From: Martynas Buozis (martynas@ti.com)
Date: Wed Mar 19 2003 - 08:46:01 EST


Hello

I am not very experienced in using ipfilter, so I have several questions.
Sorry if these look like ones from the FAQ, but I was not able to find an answer
in the FAQ or the mailing list archives. So I hope someone will have some
comments about these.

1. In all examples, rules use "flags S/SA" to check for incoming
connections. Why not "flags S"? Also, for established connections the
suggestion is to use "flags A/A". Why not "flags A"?

2. I have these rules:

pass out quick all keep state
block in log all head 110
pass in log quick proto icmp from any to any icmp-type echo group 110
pass in log quick proto tcp from any to any port = 22 flags S keep state group 110

So I supposed that all outgoing connections should pass without
problems ("keep state" points to that), while incoming connections would
be allowed only for ping replies and ssh connections.

But actually some services do not work without an additional rule:

pass in log quick proto tcp all flags A group 110

Output from snoop is:

client -> server TCP D=2049 S=1023 Syn Seq=66604823 Len=0 Win=49640
options=<mss 1460,nop,nop,sackOK>

server -> client TCP D=1023 S=2049 Ack=20849184 Seq=3786225728
Len=0 Win=8760

3. My intention is to protect a machine, not to establish a firewall between
public/private nets. I am going to block incoming services by default,
allow only authorized ones (like ssh, for example), and allow all outgoing
service requests to run transparently. My question is: is there a
set of rules to allow NIS, NFS and related service requests to pass in
for a client (now I allow all UDP traffic from the NIS/NFS servers)? Does
anybody have a set of rules to share with me for use on NFS and NIS
servers, to serve only NFS- and NIS-related services?

Thank you in advance for your help. I will also appreciate not just quick
solutions, but possible links to documents on the web and other
available information about this.

With best regards
Martynas

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
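To make the "flags" variants asked about in question 1 concrete, here is an added Python example (not from the post and not ipfilter's own code) that implements ipf's flag/mask test and applies it to the two packets from the snoop output in question 2. It assumes ipf's documented semantics, where a bare "flags S" is shorthand for "S/FSRPAU" and "S/SA" inspects only the SYN and ACK bits, and it assumes snoop prints set flags as the words Syn, Fin, Rst, Push and Urg, with ACK shown as "Ack=<number>".

```python
# Bit values of the six classic TCP flags, keyed by the letters ipf uses in "flags".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = "FSRPAU"


def parse_flags_spec(spec):
    """Turn an ipf 'flags' argument ("S", "S/SA", "A/A", ...) into (want, mask) bitmasks.

    Assumed ipf semantics: a bare "flags X" is shorthand for "flags X/FSRPAU" (X set,
    every other classic flag clear), while "X/Y" inspects only the flags listed in Y.
    """
    want, _, mask = spec.partition("/")
    to_bits = lambda letters: sum(FLAG_BITS[c] for c in letters)
    return to_bits(want), to_bits(mask or ALL_FLAGS)


def flags_match(spec, tcp_flags):
    """True if a packet whose TCP flag bits are `tcp_flags` satisfies the ipf spec."""
    want, mask = parse_flags_spec(spec)
    return (tcp_flags & mask) == want


# How snoop names set flags in its one-line TCP summary (assumed); ACK shows as "Ack=<n>".
SNOOP_FLAG_WORDS = {"Syn": "S", "Fin": "F", "Rst": "R", "Push": "P", "Urg": "U"}


def snoop_tcp_flags(line):
    """Recover the TCP flag bits from one snoop summary line."""
    bits = 0
    for tok in line.split():
        if tok in SNOOP_FLAG_WORDS:
            bits |= FLAG_BITS[SNOOP_FLAG_WORDS[tok]]
        elif tok.startswith("Ack="):
            bits |= FLAG_BITS["A"]
    return bits


def classify(line, specs=("S", "S/SA", "A", "A/A")):
    """Report which of the four 'flags' spellings from the question would match the packet."""
    bits = snoop_tcp_flags(line)
    return {spec: flags_match(spec, bits) for spec in specs}


# The two packets from the post's snoop output, each re-joined onto a single line.
CLIENT_SYN = ("client -> server TCP D=2049 S=1023 Syn Seq=66604823 Len=0 Win=49640 "
              "options=<mss 1460,nop,nop,sackOK>")
SERVER_ACK = "server -> client TCP D=1023 S=2049 Ack=20849184 Seq=3786225728 Len=0 Win=8760"

if __name__ == "__main__":
    for name, line in (("client SYN", CLIENT_SYN), ("server reply", SERVER_ACK)):
        print(name, classify(line))
```

Run stand-alone, it reports that the server's reply has ACK set and SYN clear (snoop would also print Syn for a SYN/ACK), so of the "pass in" rules in question 2 only one keyed on ACK can admit it. Its Ack number (20849184) also does not acknowledge the client's SYN (Seq 66604823), so it is not a reply to the handshake shown.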



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:26:01 EDT