iptables firewall

Jeremy Wakeman cael-JTkAzvGkdyMrpQx6IzTi3laTQe2KTcn/ at public.gmane.org
Fri Jan 30 17:05:39 UTC 2004


On Fri, Jan 30, 2004 at 08:19:15AM -0500, Anton Markov wrote:
<snip> 
> Well, the idea of a DMZ is to protect the local network against
> intrusions.  Therefore, make sure the DMZ can't access the internal
> network OR the firewall; iptables allows you to allow FORWARDing
> packets while blocking those directed right at the machine.  I don't
> know why you want the DMZ to ping the local network, but I don't think
> it's much of a security risk (although the latest trend is to block all
> pings coming in from any hostile environment [internet, etc.]).
> 
> Also, try pinging and NMAPing your network from another net connection
> and make sure that only the server is visible (the firewall should be
> invisible to the outside world, I think).
<snip>

Yes, the firewall cannot be accessed from the DMZ.  Now that you mention
it, allowing pings from DMZ to internal network is kind of silly.  I'll
stop that.

I've done a TCP ping scan of the system: no info comes back.  I don't
have root priv anywhere to try the more exotic stuff.  It looks like
the firewall should be invisible because there are no connections
allowed to it except from internal network.

-Jeremy

-- 

Jeremy John Wakeman
www.polarhome.com/~cael
linux registered user #125171
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml