Thread: [Firestarter-user] another question about multiple interfaces
From: <rm....@ja...> - 2011-10-31 01:01:41
(New list subscriber--Googled but came up empty--didn't find a way to search the list archives.)

I'm trying to set up something like an LTSP situation: one machine with eth0 connected to the outside world (through a NAT box, of course) and eth1 connected to some small client machines. The client machines will run only a VNC client, JACK (for audio), and maybe something to do USB over IP. I need to allow traffic over eth1 but _NOT_ do forwarding.

On the Firestarter website, I saw mention from 2005 that a new version was being developed to support multiple interfaces. Is there any news since six years ago on that topic?

I had things set up that I thought would work, with eth0 marked as the external interface and eth1 as the internal interface but with no sharing. However, the INBOUND and OUTBOUND chains are operative only over eth0 ($IF in the scripts).

With Firestarter 1.0.3 on Mageia 1, I see the rules for INBOUND and OUTBOUND chains at lines 408 and 419 of 'firewall'. As a quick-and-dirty hack until something else better comes along, would there be anything too seriously dangerous about adding an IFHACK variable to inbound/setup and outbound/setup and making copies of those two lines using $IFHACK instead of $IF?

Is there a better way to allow traffic over my eth1?

Thanks,

Robert
spa...@ja...
(Yes, that is one of my valid email addresses.)
From: Mark L. W. <ma...@al...> - 2011-10-31 13:51:29
Without modifying firestarter scripts at all, you could add the IPCHAINS rules in user-pre (or user-post)

    $IPT -A INPUT -s 192.168.10.0/24 -i eth1 -j ACCEPT
    $IPT -A OUTPUT -d 192.168.10.0/24 -o eth1 -j ACCEPT

(Substitute your internal net address of course!)

Mark

--
Mark L. Wise
Alpha II Service, Inc.
1312 Epworth Ave
Reynoldsburg, Ohio 43068-2116
USA
Office: (614) 868-5033
Fax: (614) 868-1060
Email: ma...@al...
WEB: www.alpha2.com

"People do not quit playing because they grow old; they grow old because they quit playing."
Oliver Wendell Holmes
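An added check, not part of the thread and not Firestarter code: a shell function that reads iptables-save output and confirms the two goals discussed above, namely that traffic for the internal subnet is accepted on eth1 and that no FORWARD policy or rule accepts traffic for that interface. The function names and the sample ruleset are constructed for illustration; eth1 and 192.168.10.0/24 are the values used in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): audit iptables-save output for the
# goal stated above: accept local traffic on the internal interface,
# forward nothing.

# check_internal_if IFACE SUBNET   (hypothetical helper; ruleset on stdin)
# Prints findings and returns 0 only when every check passes.
check_internal_if() {
    awk -v ifc="$1" -v net="$2" '
        # True when option opt is followed by exactly val on this rule line.
        function has(opt, val,    i) {
            for (i = 1; i < NF; i++)
                if ($i == opt && $(i + 1) == val) return 1
            return 0
        }
        $1 == ":FORWARD" && $2 == "ACCEPT" {
            print "RISK: FORWARD policy is ACCEPT"; bad = 1
        }
        $1 == "-A" && $2 == "INPUT" && has("-i", ifc) && has("-s", net) && has("-j", "ACCEPT") { in_ok = 1 }
        $1 == "-A" && $2 == "OUTPUT" && has("-o", ifc) && has("-d", net) && has("-j", "ACCEPT") { out_ok = 1 }
        $1 == "-A" && $2 == "FORWARD" && has("-j", "ACCEPT") && (has("-i", ifc) || has("-o", ifc)) {
            print "RISK: rule forwards " ifc " traffic: " $0; bad = 1
        }
        END {
            if (!in_ok)  { print "MISSING: INPUT accept for " net " on " ifc;  bad = 1 }
            if (!out_ok) { print "MISSING: OUTPUT accept for " net " on " ifc; bad = 1 }
            if (!bad) print "OK: " ifc " accepts " net " locally and is not forwarded"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample in iptables-save format, as the two rules would appear.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.10.0/24 -i eth1 -j ACCEPT
-A OUTPUT -d 192.168.10.0/24 -o eth1 -j ACCEPT
COMMIT
EOF
}

sample_ruleset | check_internal_if eth1 192.168.10.0/24
```

On a live machine the input would come from iptables-save run as root. The check looks only at the FORWARD policy and at FORWARD rules that name the interface; the kernel's net.ipv4.ip_forward setting is a separate control and is not examined here.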
From: <rm....@ja...> - 2011-11-01 02:40:45
Thank you!!! That will undoubtedly do the trick!

Robert