iptables firewall

Anton Markov anton-F0u+EriZ6ihBDgjK7y7TUQ at public.gmane.org
Fri Jan 30 13:19:15 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jeremy,

Jeremy Wakeman wrote:
> There are no errors output when the script is run, unless I uncomment
> the rules for the mangle tables (which don't work because the required
> kernel module is not inserted???).  As I said, everything *seems* to
> work: internal network computers can access web pages, http server is
> visible from the internet, and the dmz server can ping but not nmap the
> internal network.
> 
> Anything I forgot to mention?

Well, the idea of a DMZ is to protect the local network against
intrusions.  Therefore, make sure the DMZ can't access the internal
network OR the firewall (IPTables) allow you to allow FORWARDing
packets, while blocking those directed right at the machine.  I don't
know why you want the DMZ to ping the local network, but I don't think
it's much of a security risk (although the latest trend is to block all
pings coming in from any hostile environment [internet, etc.]).

Also, try pinging and NMAPing your network from another net connection
and make sure that only the server is visible (the firewall should be
invisible to the outside world, I think).

- -- 
Anton Markov <("anton" + "@" + "truxtar" + "." + "com")>

GnuPG Key fingerprint =
5546 A6E2 1FFB 9BB8 15C3  CE34 46B7 8D93 3AD1 44B4

*** LINUX - MAY THE SOURCE BE WITH YOU! ***
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAGlnaRreNkzrRRLQRAnYsAJ4zLzXSeabigcqEHMA4Pf8Sj3awjQCgnFNY
K94mR9possY72e1/hRN1iaM=
=3ft5
-----END PGP SIGNATURE-----
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
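The rule set Anton describes, written out as an added example (this is not code from the thread or from either poster): a three-interface iptables script in which the LAN may open connections into the DMZ and the internet, the DMZ may reach only the internet, new connections from the DMZ into the LAN are logged and dropped (including ping, the stricter reading of his advice), and the INPUT chain accepts nothing from the WAN or DMZ so the firewall itself stays invisible. Interface names, addresses, the web server address and the SSH-from-LAN rule are all assumptions for illustration. The script prints the rules by default and only calls iptables when run as `apply`, so it can be reviewed before it touches the kernel.

```shell
#!/bin/sh
# Added example, not from the TLUG thread. Three-legged DMZ firewall:
#   WAN (internet) -- firewall -- LAN (internal) / DMZ (public web server)
# Usage:  sh dmz-firewall.sh          dry run: print the rules that would load
#         sh dmz-firewall.sh apply    load them with iptables (run as root)

WAN=eth0                   # assumed: interface facing the internet
LAN=eth1                   # assumed: internal network interface
DMZ=eth2                   # assumed: DMZ interface
LAN_NET=192.168.1.0/24     # assumed internal network
DMZ_NET=192.168.2.0/24     # assumed DMZ network
WEB=192.168.2.10           # assumed: the public web server inside the DMZ

# $1 is the command to run for each rule: "iptables" or "echo iptables".
dmz_rules() {
    ipt=$1

    # Start from a clean table with default-deny to and through the firewall.
    $ipt -F
    $ipt -t nat -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # --- INPUT: packets addressed to the firewall itself ---
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Administer the box only from the LAN. Nothing else, not even ping,
    # is answered, so from the WAN and the DMZ the firewall is invisible.
    $ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw INPUT dropped: "

    # --- FORWARD: packets routed between the three networks ---
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections anywhere (internet and DMZ).
    $ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # DMZ must never open connections into the LAN: log, then drop.
    # These two rules must precede every rule that accepts DMZ traffic.
    $ipt -A FORWARD -i "$DMZ" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN blocked: "
    $ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    # DMZ may reach the internet (updates, DNS) and nothing else.
    $ipt -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    # Internet reaches only port 80 on the web server (after the DNAT below).
    $ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # --- NAT ---
    # Publish the web server on the firewall's public address.
    $ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    # Hide LAN and DMZ behind the WAN address on the way out.
    $ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $ipt -t nat -A POSTROUTING -o "$WAN" -s "$DMZ_NET" -j MASQUERADE
}

# Self-check on the generated rule list: the DMZ->LAN DROP must exist and
# must come before the first rule that ACCEPTs anything arriving from the DMZ.
# Returns 0 when the ordering is right, 1 otherwise.
check_dmz_isolation() {
    rules=$(dmz_rules "echo iptables")
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD -i $DMZ -o $LAN -j DROP" | cut -d: -f1)
    first_dmz_accept=$(printf '%s\n' "$rules" | grep -n -- "-A FORWARD -i $DMZ .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$first_dmz_accept" ] && [ "$drop_line" -lt "$first_dmz_accept" ]
}

if [ "${1:-}" = "apply" ]; then
    check_dmz_isolation || { echo "refusing to load: DMZ->LAN drop is missing or misordered" >&2; exit 1; }
    dmz_rules iptables
else
    echo "# dry run, nothing loaded. Rules that would be applied:"
    dmz_rules "echo iptables"
fi
```

After loading, Anton's second suggestion still applies: scan the public address from an outside connection and confirm that only port 80 answers, and from a DMZ host confirm that new connections into the LAN are dropped while the `DMZ->LAN blocked:` lines appear in the kernel log.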




