[wellylug] Success !
Brian Boutel
brian at boutel.co.nz
Wed Oct 25 14:38:56 NZDT 2000
geoff.burch at telecom.co.nz wrote:
>
> Thanks Jamie for the tips.
>
> Got my CoyoteLinux box finally working.
>
> Is there any info around on what it actually does? i.e. what services
> it allows and disallows?
>
> Just seems a bit funny that I have set this up and don't actually
> know what benefit it is providing me.
>
> Cheers Geoff
>
I built one, too, and used it for a few days while I updated my regular
firewall. It worked nicely.
As set up, it doesn't allow any services. There are no services running
on the machine, so there is nowhere to send received packets to.
Requests originating from the Internet are normally rejected, except
that the latest version can be configured to accept telnet connections,
so that you can do remote administration.
What it does do is to masquerade outgoing connections so that they look
as though they originate at the firewall (your real ip address), and
accept responses to outgoing packets and forward them to the originating
machine.
You may want to do some filtering of outgoing packets to prevent certain
things leaking out. Netbios packets should not get out, or you could be
extending your private network to the world, so blocking ports 137-139
is useful. This can be done with ipchains. It may be that Coyote blocks
these anyway, but better safe than sorry. You may also want to use
ipchains to block other connections from outside, but this is probably
unnecessary, as they will just get dropped by Coyote anyway. And they
may also be blocked by your cable modem.
If you are running any services on servers in your internal network,
DNS, sendmail, or www, for example, then you can allow external
connections through the firewall to those services, by setting up port
forwarding on the firewall with ipmasqadm. This only works for
connections to these services from the Internet, and not from your
internal network, which is a nuisance[1]. It's for that reason that I'm
not using Coyote permanently. I have built a system with the test
version of the 2.4.0 kernel, which contains new netfilter code, and am
using iptables to set up filtering (firewall) and nat (masquerading and
forwarding). This is much more flexible than the 2.2 code (with
ipchains/ipmasqadm), and lets me do what I want.
[1] Of course you can directly address the server by its internal
address, but you can't use the public ip address that an outside client
would use. The problem is that a packet forwarded by the firewall to the
server will still have a source address of an internal machine on your
network, and the server's response will be routed directly back to the
client, not through the firewall. The client will not recognise this as
a response to its message, and will ignore it. What is needed is to
masquerade (change the source address of the packet to the firewall
address) as well as to forward it, but the 2.2 code will not allow both
operations on the same packet. Fortunately, 2.4 and iptables do allow
it. There is a program (redir) that you can use with 2.2 kernels that
allows internal forwarding, but not quite this.
--brian
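The rules Brian describes above, as an added example (it is not part of his message and not Coyote Linux's own configuration): outbound masquerading, the NetBIOS 137-139 block, port forwarding of an internal web server, and the extra DNAT + SNAT pair that makes the forwarded service reachable from the LAN by its public address, which is the footnote [1] problem. Interface names, the public address (assumed static) and the private addresses are assumptions for illustration. IPT defaults to a dry run that prints the commands; run it as root with IPT=iptables and ip_forward enabled to apply them.

```shell
#!/bin/sh
# Added example, not the poster's or Coyote's script: netfilter/iptables rules
# for a masquerading firewall with a port-forwarded internal web server that
# LAN clients can also reach via the public address (hairpin NAT).
#
# Interfaces and addresses below are assumptions for illustration.
# IPT defaults to a dry run that prints the rules; as root, run with
# IPT=iptables and net.ipv4.ip_forward=1 to apply them.
IPT="${IPT:-echo iptables}"

WAN_IF="eth0"             # towards the cable modem (assumed)
LAN_IF="eth1"             # towards the private network (assumed)
PUBLIC_IP="203.0.113.5"   # firewall's Internet address (assumed static)
LAN_IP="192.168.1.1"      # firewall's LAN address (assumed)
LAN_NET="192.168.1.0/24"  # private network (assumed)
WWW="192.168.1.10"        # internal web server (assumed)

firewall_rules() {
    # Filter table: drop unsolicited traffic from the Internet, let the LAN out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Keep NetBIOS name/datagram/session traffic (137-139) off the Internet.
    $IPT -A FORWARD -o "$WAN_IF" -p udp --dport 137:139 -j DROP
    $IPT -A FORWARD -o "$WAN_IF" -p tcp --dport 137:139 -j DROP
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Masquerade everything leaving on the WAN side (replaces ipchains -j MASQ).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Port forwarding from the Internet: $PUBLIC_IP:80 becomes $WWW:80
    # (the ipmasqadm portfw case).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WWW"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WWW" -p tcp --dport 80 -j ACCEPT

    # Hairpin: a LAN client connecting to $PUBLIC_IP:80 is also DNATted to $WWW,
    # and its source is rewritten to the firewall's LAN address so the server's
    # reply comes back through the firewall instead of straight to the client,
    # where it would not match the client's connection.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 -j DNAT --to-destination "$WWW"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$WWW" -p tcp --dport 80 -j SNAT --to-source "$LAN_IP"
    $IPT -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$WWW" -p tcp --dport 80 -j ACCEPT
}

firewall_rules
```

The SNAT rule is the step the 2.2 ipmasqadm setup could not combine with forwarding: without it the web server sees the client's real LAN address, answers it directly, and the client discards a reply that appears to come from 192.168.1.10 rather than the public address it connected to. The cost is that the server's logs show the firewall's LAN address for hairpinned connections, not the client's.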