LinuxQuestions.org

Linux - Networking: pass in and out to what interface? (https://www.linuxquestions.org/questions/linux-networking-3/pass-in-and-out-to-what-interface-540078/)

alaios 03-23-2007 09:27 PM

pass in and out to what interface?
 
hey all!

I am using ipfilter on a Linux machine with two interfaces. Let's say that eth1 goes to the Internet and eth0 to my local LAN. I am thinking of putting some rules on my eth1 with the pass in command so that I can block/allow requests from clients to my server inside the LAN. Where should I put the rules for the server's replies to the clients? Would it be better to use a pass in rule on my eth0 interface or a pass out rule on my eth1 interface, and why?

A little sketch would be like this:

server----------eth0[ipfilter]eth1--------[router]-----internet..


thanks a lot!!

alaios 03-23-2007 10:21 PM

P.S. Does a "block all" cover me for both "block in all" and "block out all"? Are in and out mandatory or optional when using ipfilter?

acid_kewpie 03-24-2007 07:39 AM

I'm not familiar with ipfilter, but as a technology in itself, you'd use stateful connection tracking to allow replies to previously accepted traffic to pass back out without interference.

Check section 3.2 here: http://www.obfuscation.org/ipf/ipf-howto.txt
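To make the two approaches concrete for the sketch above, here is an added example ipf.conf for that two-interface box. It is not from the original post or from the ipfilter project; the LAN server address 192.168.1.10 and the UDP service port 5000 are placeholders, and eth1/eth0 are assumed to face the Internet/LAN as in the sketch. Two points it illustrates: a packet routed through the box is filtered twice (in on the interface it arrives on, out on the interface it leaves by), so under a per-direction block-all default a stateless ruleset has to pass the reply on both legs; and a single "keep state" rule, as in section 3.2 of the howto linked above, admits the request and lets the reply back through the state table without any reply rule.

```conf
# Constructed ipf.conf for the two-interface box in the thread (added example,
# not the poster's configuration). Assumptions: eth1 = Internet side,
# eth0 = LAN side, LAN server 192.168.1.10, UDP service on port 5000.
#
# ipf rule syntax names the direction explicitly, so the catch-all default is
# written as one rule per direction. Without "quick", the LAST matching rule
# wins, so these go first and the specific rules below override them.
block in all
block out all

# --- Variant A: stateless, every leg spelled out (commented out here) --------
# Request: client -> server arrives IN on eth1, then leaves OUT on eth0.
# pass in  quick on eth1 proto udp from any to 192.168.1.10 port = 5000
# pass out quick on eth0 proto udp from any to 192.168.1.10 port = 5000
# Reply: server -> client arrives IN on eth0, then leaves OUT on eth1.
# Both legs are checked against the block-all defaults above, so the reply
# needs BOTH a "pass in on eth0" and a "pass out on eth1" rule, not one or
# the other.
# pass in  quick on eth0 proto udp from 192.168.1.10 port = 5000 to any
# pass out quick on eth1 proto udp from 192.168.1.10 port = 5000 to any
# Weakness: those reply rules accept any UDP datagram from the server's port
# to anywhere, whether or not a client request preceded it.

# --- Variant B: stateful ("keep state", ipf-howto section 3.2) ---------------
# The request creates a state entry keyed on the address/port pair; the state
# table is consulted before the rule list, so the reply (and the request's
# own trip out eth0) pass on the state entry and need no extra rules. UDP
# entries expire after the UDP idle timeout, so the hole closes by itself.
pass in quick on eth1 proto udp from any to 192.168.1.10 port = 5000 keep state
```

Load the file with `ipf -Fa -f /etc/ipf.conf` and use `ipfstat -sl` to confirm that a UDP state entry appears after the first client request; if on your ipfilter version the entry is not honoured for the reply on the LAN-side interface, the matching `pass out quick on eth0 ... keep state` rule can be added alongside it. The address, port and interface names are assumptions and must be replaced with your own.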

alaios 03-24-2007 11:51 AM

Quote:

Originally Posted by acid_kewpie
I'm not familiar with ipfilter, but as a technology in itself, you'd use stateful connection tracking to allow replies to previously accepted traffic to pass back out without interference.

Check section 3.2 here: http://www.obfuscation.org/ipf/ipf-howto.txt

Hm, I would like to keep things as simple as possible and I do not want to use stateful connections. I have only UDP packets passing for one service... I am just wondering whether I should place the reply of my server (in my internal LAN) in a rule passing in on eth0, or passing out on eth1 going to the Internet (please see the sketch above).

I have checked the documentation but it does not provide any relevant info... and I consider it a very simple question that may not be tied to ipfilter itself...

Any more thoughts?

acid_kewpie 03-24-2007 12:01 PM

Stateful connections ARE simple these days. From what you've described, it's THE way to do it.

UhhMaybe 04-02-2007 05:23 PM

Not familiar with YOUR setup or YOUR filter. As a mathematical model, YOUR equation is a tool. The sooner YOU implement filtering, the sooner the big problem becomes a smaller problem. In English, this means that by placing the filter as close as possible to the beginning, the less time and work the model/equation has to perform. If YOU'RE sending an e-mail to a family member, the millisecond doesn't matter much. If YOU'RE sending a newsletter to 1.9 x 10^6 of our Linux friends, then those factors of work and time are important to YOU. It will work, as long as YOUR filter is before YOUR server output packets. If after YOUR server, the big bad internet is coming after YOUR packets. YES it will.

acid_kewpie 04-03-2007 01:46 AM

Quote:

Originally Posted by UhhMaybe
Not familiar with YOUR setup or YOUR filter. As a mathematical model, YOUR equation is a tool. The sooner YOU implement filtering, the sooner the big problem becomes a smaller problem. In English, this means that by placing the filter as close as possible to the beginning, the less time and work the model/equation has to perform. If YOU'RE sending an e-mail to a family member, the millisecond doesn't matter much. If YOU'RE sending a newsletter to 1.9 x 10^6 of our Linux friends, then those factors of work and time are important to YOU. It will work, as long as YOUR filter is before YOUR server output packets. If after YOUR server, the big bad internet is coming after YOUR packets. YES it will.

You have replied to the wrong thread... right?


All times are GMT -5.