[Pfilter-users] Re: [Oscar-users] Problem of Pfilter config. Help!
From: Neil G. <ngo...@nc...> - 2002-10-26 06:36:23
At 09:27 PM 10/25/2002 -0400, Weirong Zhu wrote:
> I set
> ===================================================
> INTERNAL eth1 # inside network interface
> FILTERED eth0 # outside
>
> open tcp ssh
> ===================================================

pfilter classifies interfaces two ways:

FILTERED or UNFILTERED (any connection is allowed from UNFILTERED interfaces)

PROTECTED or UNPROTECTED (PROTECTED interfaces get their outgoing connections Network Address Translated)

Setting an interface as INTERNAL will always set it as PROTECTED. But INTERNAL interfaces, depending on which version of pfilter is being used, may be set as FILTERED or UNFILTERED.

I would advise using something like this:

PROTECTED eth1    # inside network gets NAT style packet forwarding
UNFILTERED eth1   # inside network is allowed any connection to this machine
UNPROTECTED eth0  # outside network is not NATTED
FILTERED eth0     # outside network connections not allowed by default
open ssh          # allow ssh connection to this machine from anywhere
nologging         # don't fill syslog up with packet rejection notices

or better yet, something like what OSCAR installs:

# define the main OSCAR server
%define oscar_server ia32.ncsa.uiuc.edu
# define the OSCAR compute nodes (this is updated when
# compute nodes are added or taken away)
%define nodes ia32c1 ia32c2 ia32c3 ia32c4
# We don't want future pfilter updates to merge commented out
# new types of configuration directives when pfilter is upgraded.
nomerge
# We don't trust anyone anywhere on any interface by default
untrusted interfaces all
# We don't want to fill up system log files with packet
# rejection messages
nologging
# Be nice and reject, rather than drop, unwanted packets
reject
# the server gets ssh and http opened up
open tcp ssh http https
# the server needs to be listed as a dhcp server for the nodes
# because opening up that service requires opening up some
# broadcast stuff as well, so simply listing the nodes as
# trusted is not sufficient
open dhcp on eth1
# the server trusts itself and every compute node
trusted %oscar_server% %nodes%
open multicast # for ganglia

> I found that after pfilter starts, all packets are filtered out, except SSH.
>
> From outside, other machines cannot ping me, cannot telnet; that's just
> what I want.
> However, from inside I also cannot go outside; for example, I cannot
> telnet to an outside telnet server. More importantly, I cannot get the NIS
> server's response, cannot get the NFS server's response. It closed all my
> network connections except SSH. That's not what I want.
>
> Has anybody met the same problem?
> Would you like to tell me how to properly configure pfilter?
>
> Thanks a lot!
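The two-axis model in Neil's reply (FILTERED/UNFILTERED versus PROTECTED/UNPROTECTED, with INTERNAL implying PROTECTED but leaving the filtered state version-dependent) is easy to check mechanically. What follows is an added example written for this page, not pfilter's own parser or any code from the pfilter or OSCAR projects: it understands only the directives that appear in the thread, with the semantics the reply gives them, and it flags the exact gap in the original poster's config (an INTERNAL inside interface with no explicit UNFILTERED line). The three sample configs are the ones quoted above, embedded as constructed input; the `classify` and `audit` names and the warning wording are this example's own.

```python
"""Toy classifier/auditor for the pfilter directives quoted in the thread.

Added illustration, not pfilter's real parser. It models only:
  INTERNAL, FILTERED/UNFILTERED, PROTECTED/UNPROTECTED, open, trusted,
  untrusted, nologging, reject, nomerge and %define / %name% expansion,
with the meaning the reply assigns to each. Anything else is reported as
unknown rather than guessed.
"""
import re

# Constructed sample inputs: the original poster's config and the two
# configs suggested in the reply.
POSTER_CONFIG = """\
INTERNAL eth1   # inside network interface
FILTERED eth0   # outside

open tcp ssh
"""

RECOMMENDED_CONFIG = """\
PROTECTED eth1    # inside network gets NAT style packet forwarding
UNFILTERED eth1   # inside network is allowed any connection to this machine
UNPROTECTED eth0  # outside network is not NATTED
FILTERED eth0     # outside network connections not allowed by default
open ssh          # allow ssh connection to this machine from anywhere
nologging         # don't fill syslog up with packet rejection notices
"""

OSCAR_CONFIG = """\
%define oscar_server ia32.ncsa.uiuc.edu
%define nodes ia32c1 ia32c2 ia32c3 ia32c4
nomerge
untrusted interfaces all
nologging
reject
open tcp ssh http https
open dhcp on eth1
trusted %oscar_server% %nodes%
open multicast
"""


def classify(config_text):
    """Parse a pfilter-style config into per-interface attributes.

    For each interface: filtered / protected are True, False, or None
    (None = not stated, so it falls back to pfilter's own default, which
    the reply says varies by version for INTERNAL interfaces).
    """
    ifaces, opens, defines, flags, unknown = {}, [], {}, set(), []

    def iface(name):
        return ifaces.setdefault(
            name, {"filtered": None, "protected": None, "internal": False})

    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        # expand %name% using earlier %define lines (as in the OSCAR config)
        line = re.sub(r"%(\w+)%",
                      lambda m: defines.get(m.group(1), m.group(0)), line)
        words = line.split()
        kw, args = words[0], words[1:]
        if kw == "%define" and args:
            defines[args[0]] = " ".join(args[1:])
        elif kw == "INTERNAL":
            for n in args:                            # INTERNAL => always PROTECTED
                iface(n)["internal"] = True
                iface(n)["protected"] = True
        elif kw in ("FILTERED", "UNFILTERED"):
            for n in args:
                iface(n)["filtered"] = (kw == "FILTERED")
        elif kw in ("PROTECTED", "UNPROTECTED"):
            for n in args:
                iface(n)["protected"] = (kw == "PROTECTED")
        elif kw == "open":                            # open [tcp|udp] svc... [on iface]
            on = None
            if "on" in args:
                k = args.index("on")
                on = args[k + 1] if k + 1 < len(args) else None
                args = args[:k]
            for svc in (a for a in args if a not in ("tcp", "udp")):
                opens.append((svc, on))
        elif kw in ("nologging", "reject", "nomerge"):
            flags.add(kw)
        elif kw in ("trusted", "untrusted"):
            flags.add(kw + ":" + " ".join(args))
        else:
            unknown.append(line)
    return {"interfaces": ifaces, "open": opens, "defines": defines,
            "flags": flags, "unknown": unknown}


def audit(config_text):
    """Return warnings for interfaces whose filter/NAT state is left implicit."""
    parsed = classify(config_text)
    notes = []
    for name, a in sorted(parsed["interfaces"].items()):
        if a["internal"] and a["filtered"] is None:
            notes.append(f"{name}: INTERNAL without FILTERED/UNFILTERED; whether it "
                         f"is filtered depends on the pfilter version. Add "
                         f"'UNFILTERED {name}' if it is the inside network.")
        elif a["filtered"] is None:
            notes.append(f"{name}: neither FILTERED nor UNFILTERED set.")
        if a["protected"] is None:
            notes.append(f"{name}: neither PROTECTED nor UNPROTECTED set.")
    notes.extend(f"unrecognised directive (not modelled here): {l!r}"
                 for l in parsed["unknown"])
    return notes


if __name__ == "__main__":
    for label, cfg in (("poster", POSTER_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run against the poster's config it reports that eth1 is INTERNAL with no explicit filtered state (and that eth0's NAT state is unstated); run against the recommended config it reports nothing, because every interface has both axes spelled out, which is the point of the advice above.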