Re: [pmfirewall] Problem with SSH AND SAMBA when using pmfirewall


From: Greg Stewart (stewartg@ifrance.com)
Date: Tue May 22 2001 - 06:22:59 PDT


Um...yeah, what Joel said.

Sorry I wasn't more descriptive.

If you take a look at the /usr/local/pmfirewall/pmfirewall.rules.local file,
you will see all the rules the pmfirewall script sets by default. The
"$IPCHAINS -A" at the beginning of each line calls /sbin/ipchains (as a
variable set in pmfirewall.conf) to append the rule onto the list. This
occurs in all the rules set up with pmfirewall's install script, so you can
safely assume that if you follow the rules in order, you're reading them in
the order they exist for your firewall.

If you look in /usr/local/pmfirewall/pmfirewall.conf, you will see the
variables and what they correspond to. This is set up during the install
script.

/usr/local/pmfirewall/pmfirewall is the script that is executed, and calls
the ~rules.1, ~rules.local, and ~rules.masq files. Any changes you make
should be stuck into the ~rules.local file.

Let me know if this helps with an understanding of the scripts. Or, if I can
confuse you some more, just say go. :-)

--Greg

----- Original Message -----
From: "MaD MaN" <joelf@ptd.net>
> The line you have there 0/0 means either -s 0/0 or -d 0/0. What that is saying
> is any source ip or destination ip. The script blocks internal numbers off the
> bat for anti spoofing, meaning your firewall will not accept any internal ip
> numbers on its outside interface. As far as Samba is concerned you do not want
> that to be open to the outside world at all. Do not worry about writing any
> rules for it. You should not have any problem with it at all. The basic syntax
> for writing rules is the following. Say you want to allow ssh to your firewall
> from anywhere on the net.
>
> ipchains -I input -s 0/0 -d 0/0 22 -p tcp -j ACCEPT
>
> joel
>
> Subzero wrote:
>
> > Masquerading is working perfect. What does 0.0.0.0/0 mean? What do you
> > mean that the script is blocking 192.168.x.x? I am a little confused what you
> > are saying about samba? I only want samba shared for the internal net. I am
> > having trouble opening up ports. Thanks for the help.
> >

 

This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:41:38 PDT