I bypassed my own firewall (+ I'm stupid about "limit")
Paul Rusty Russell
Thu, 30 Sep 1999 18:37:29 +0930
In message <199909300836.BAA04556@mersenne.com.> you write:
> Of course, I don't know whether the sense of the limit is "match
> packets UNDER the limit" or "match packets OVER the limit", so those
> rules may end up not logging anything unless there's a whole bunch of
> 'em -- I assume that's why you said "limit should take a ! flag."
Under the limit. It starts open and chokes off, which seemed more
logical to me. TODO: Document.
Um, looking at your example, two things strike me:
1) Do `set -e' at the top so the script aborts if any command fails.
2) I think you want to filter in the FORWARD chain.
INPUT is now for packets destined for the local box only!
> Second, private machines that attempt to access private services
> through the public address fail because I've done an incomplete job of
> setting up the forwarding. What happens (tcpdumping the private
> ethernet) is: private-a sends a packet to public-svc, and the firewall
> modifies the packet and retransmits so that it goes to private-b,
> where the service actually resides. However, the source address is
> still private-a, so private-b responds directly to private-a, which
> ignores the response. This is exactly what you warn about in the
> HOWTO: packets must go through the firewall in both directions or
> things won't work. I just don't know how to get them to do it.
It's a damn good question, actually. Port forwarding had the same
problem and the answer was `don't do that'. 8-).
Will think hard about this, and whether the pain of reintroducing
double-mangling is worth it.
Rewrite NAT? Hell, I didn't have anything better to do 8-)