I bypassed my own firewall (+ I'm stupid about "limit")

Paul Rusty Russell Paul.Russell@rustcorp.com.au
Thu, 30 Sep 1999 18:37:29 +0930


In message <199909300836.BAA04556@mersenne.com.> you write:
> Of course, I don't know whether the sense of the limit is "match
> packets UNDER the limit" or "match packets OVER the limit", so those
> rules may end up not logging anything unless there's a whole bunch of
> 'em -- I assume that's why you said "limit should take a ! flag."

Under the limit.  It starts open and chokes off, which seemed more
logical to me.  TODO: Document.

Um, looking at your example, two things strike me:
1) Do `set -e' at the top so the script aborts if any command fails.
2) I think you want to filter in the FORWARD chain.

INPUT is now for packets destined for the local box only!

> Second, private machines that attempt to access private services
> through the public address fail because I've done an incomplete job of
> setting up the forwarding.  What happens (tcpdumping the private
> ethernet) is: private-a sends a packet to public-svc, and the firewall
> modifies the packet and retransmits so that it goes to private-b,
> where the service actually resides.  However, the source address is
> still private-a, so private-b responds directly to private-a, which
> ignores the response.  This is exactly what you warn about in the
> HOWTO: packets must go through the firewall in both directions or
> things won't work.  I just don't know how to get them to do it.

It's a damn good question, actually.  Port forwarding had the same
problem and the answer was `don't do that'.  8-).

Will think hard about this, and whether the pain of reintroducing
double-mangling is worth it.

Rewrite NAT?  Hell, I didn't have anything better to do 8-)
Rusty.
--
Hacking time.
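The "under the limit, starts open and chokes off" behaviour described above is a token bucket: the bucket begins full, so the first `burst' packets match, and after that only packets arriving no faster than the refill rate match. The following is an added model written for this archive page, not Rusty's kernel code; the `invert` flag is a hypothetical stand-in for the "! flag" the quoted mail asks for, matching the excess instead of the allowed packets.

```python
"""Token-bucket model of the netfilter `limit' match (constructed model, not the
kernel's ipt_limit code): the bucket starts full, so the rule "starts open",
and it "chokes off" once the burst is spent, matching only at the refill rate."""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_sec: float          # average rate allowed, e.g. 1.0 for --limit 1/second
    burst: int                   # bucket capacity, e.g. --limit-burst 3
    invert: bool = False         # hypothetical "!" flag: match packets OVER the limit
    tokens: float = field(init=False)
    last_seen: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.tokens = float(self.burst)   # full bucket: the first `burst' packets match

    def matches(self, now: float) -> bool:
        # Refill for the elapsed time, capped at the burst size.
        elapsed = max(0.0, now - self.last_seen)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        self.last_seen = now
        under_limit = self.tokens >= 1.0
        if under_limit:
            self.tokens -= 1.0            # spend one token on this packet
        # Plain `limit' matches packets UNDER the limit; the inverted form
        # matches the excess instead (e.g. to log only the flood).
        return under_limit != self.invert


def simulate(arrival_times, rate_per_sec, burst, invert=False):
    """Return one True/False per packet: did the limit rule match it?"""
    lm = LimitMatch(rate_per_sec, burst, invert)
    return [lm.matches(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed arrival pattern: five packets at once, then one per second.
    times = [0, 0, 0, 0, 0, 1, 2]
    print(simulate(times, 1.0, 3))                # [True, True, True, False, False, True, True]
    print(simulate(times, 1.0, 3, invert=True))   # [False, False, False, True, True, False, False]
```

The practical consequence for a LOG rule: with the plain match only the first few packets of a flood are logged and the rest are silent, which is what you want to keep the log readable; with the inverted match the rule would fire only once the rate is exceeded, which is what you want if the point is to notice the flood itself.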
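The forwarding failure in the quoted mail, and the "double-mangling" Rusty weighs at the end, can be followed step by step with a small packet-flow model. This is an added example for this archive page, not netfilter code; the addresses are constructed (RFC 5737 / RFC 1918 values) and the conntrack table is a simplified stand-in. With DNAT alone the reply from private-b goes straight to private-a and is rejected; adding SNAT on the hairpin path forces the reply back through the firewall, which reverses both translations.

```python
"""Packet-flow model of the hairpin problem: a private client reaches a service
through the firewall's public address, which is DNATed to another private host.
Constructed model (not netfilter code); all addresses are made-up sample values."""
from dataclasses import dataclass, replace

PUBLIC_SVC = "203.0.113.10"   # public address on the firewall
FW_PRIVATE = "192.168.1.1"    # firewall's address on the private LAN
PRIVATE_A = "192.168.1.20"    # client
PRIVATE_B = "192.168.1.30"    # where the service really lives
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def on_lan(addr):
    return addr.startswith(LAN_PREFIX)


class Firewall:
    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        # conntrack-style table: reply-direction 4-tuple -> original packet
        self.conntrack = {}

    def forward(self, pkt):
        """A LAN packet addressed to public-svc:80 (this traverses FORWARD, not INPUT)."""
        if pkt.dst != PUBLIC_SVC or pkt.dport != 80:
            return pkt
        new = replace(pkt, dst=PRIVATE_B)               # PREROUTING: DNAT to private-b
        if self.hairpin_snat and on_lan(pkt.src) and on_lan(new.dst):
            new = replace(new, src=FW_PRIVATE)          # POSTROUTING: SNAT on the hairpin
        self.conntrack[(new.dst, new.src, new.dport, new.sport)] = pkt
        return new

    def unnat_reply(self, pkt):
        """Reverse both translations for a reply that reaches the firewall."""
        orig = self.conntrack.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if orig is None:
            return None                                 # no state for it: dropped
        return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)


def server_reply(pkt):
    """private-b answers whatever source address the packet carried."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def reply_seen_by_client(hairpin_snat):
    """The reply packet as it arrives at private-a, or None if it never does."""
    fw = Firewall(hairpin_snat)
    request = Packet(PRIVATE_A, PUBLIC_SVC, 40000, 80)
    reply = server_reply(fw.forward(request))
    if reply.dst == FW_PRIVATE:
        reply = fw.unnat_reply(reply)     # came back through the firewall
    # Otherwise dst is on the same LAN: delivered directly, the firewall never sees it.
    return reply


def connection_works(hairpin_snat):
    """private-a only accepts a reply from the peer it actually connected to."""
    reply = reply_seen_by_client(hairpin_snat)
    if reply is None:
        return False
    return (reply.src, reply.sport, reply.dst, reply.dport) == (PUBLIC_SVC, 80, PRIVATE_A, 40000)


if __name__ == "__main__":
    print("DNAT only:", reply_seen_by_client(False), connection_works(False))   # src is private-b -> False
    print("DNAT+SNAT:", reply_seen_by_client(True), connection_works(True))    # src is public-svc -> True
```

The cost of the fix is visible in the model: once the hairpin path is SNATed, private-b sees every such connection as coming from the firewall's private address rather than from the real client, so its own logs and any per-client controls on it lose the client identity. That is the "pain" weighed above, and why the alternative answer for the private side is often `don't do that', i.e. have private clients reach private-b by its private address directly.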