pass in and out to what interface?
hey all!
i am using ipfilter on a linux machine with two interfaces. let's say that eth1 is going to the Internet and eth0 to my local lan. I am thinking of putting some rules on my eth1 with the "pass in" command so that i can block/allow requests from clients to my server inside the lan. where should i put the rules for the server's replies to the clients? Would it be better to use a "pass in" rule on my eth0 interface or a "pass out" rule on my eth1 interface, and why? a little sketch would be like this:
server----------eth0[ipfilter]eth1--------[router]-----internet
thanks a lot!!
ps. does a "block all" cover both "block in all" and "block out all"? are "in" and "out" mandatory or optional in ipfilter?
i'm not familiar with ipfilter, but as a technology in itself, you'd use stateful connection tracking to allow replies to previously accepted traffic to pass back out without interference.
check section 3.2 here http://www.obfuscation.org/ipf/ipf-howto.txt
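A ruleset in the style of the IPF HOWTO, added here as an illustration (not taken from the thread, the HOWTO or the ipfilter project): it puts all the filtering on the external interface eth1, uses "keep state" so the server's replies are passed out on eth1 by the state table rather than by a separate reply rule, and passes everything on the internal eth0. The server address 192.168.1.10 and the LAN 192.168.1.0/24 are made-up placeholders. In ipf rule syntax the direction keyword (in or out) is required on every rule, so a "block all" policy is written as two rules.

```conf
# /etc/ipf.conf -- example only, not from the original post.
# Assumed topology: server 192.168.1.10 on eth0 (LAN); eth1 faces the router/Internet.
# Rules are read top to bottom; "quick" stops at the first match, and a packet that
# matches an entry in the state table is passed before the rules are consulted.

# Default deny. There is no "block all": the direction is required,
# so the policy is stated once per direction.
block in all
block out all

# Never filter loopback.
pass in quick on lo0 all
pass out quick on lo0 all

# Internal interface: trust the LAN side; all filtering happens on eth1.
pass in quick on eth0 all
pass out quick on eth0 all

# External interface, inbound: only what Internet clients may reach on the server.
# "flags S" matches only the connection-opening SYN; "keep state" records the
# session, so the server's SYN/ACK and every later reply leave on eth1 through the
# state table. No "pass out on eth1 ... port = 80" rule is needed for the replies.
pass in quick on eth1 proto tcp from any to 192.168.1.10 port = 80 flags S keep state
pass in quick on eth1 proto tcp from any to 192.168.1.10 port = 443 flags S keep state

# External interface, outbound: connections the LAN itself opens.
# Their replies come back in on eth1 through the same state entries.
pass out quick on eth1 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on eth1 proto udp from 192.168.1.0/24 to any keep state
pass out quick on eth1 proto icmp from 192.168.1.0/24 to any keep state

# Anything else arriving on eth1 falls to the default block; log it so probes are visible.
block in log quick on eth1 all
```

The alternative without state, a "pass out on eth1 from 192.168.1.10 port = 80 to any" rule, admits any packet whose source port happens to be 80, whether or not a client ever opened a session; the state entry admits only packets belonging to a connection that an explicit "pass ... keep state" rule already accepted, which is why the HOWTO section cited above recommends it. Load the file with "ipf -Fa -f /etc/ipf.conf" and inspect the live state table with "ipfstat -s" to confirm that replies are being matched by state rather than by a rule.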
i have checked the documentation but it does not provide any relevant info... and i consider it a very simple question that may not be tied to ipfilter itself... any more thoughts?
stateful connections ARE simple these days. from what you've described, it's THE way to do it.
Not familiar with YOUR setup or YOUR filter. As a mathematical model, YOUR equation is a tool. The sooner YOU implement filtering, the sooner the big problem becomes a smaller problem. In English, this means that by placing the filter as close as possible to the beginning, the less time and work the model/equation has to perform. If YOU'RE sending an e-mail to a family member, the millisecond doesn't matter much. If YOU'RE sending a newsletter to 1.9 x 10^6 of our Linux friends, then those factors of work and time are important to YOU. It will work, as long as YOUR filter is before YOUR server output packets. If after YOUR server, the big bad internet is coming after YOUR packets. YES it will.