[cobalt-users] [Qube2] ICMP IP Filtering
- Subject: [cobalt-users] [Qube2] ICMP IP Filtering
- From: Mike Vanecek <nospam99@xxxxxxxxxxxx>
- Date: Thu Apr 27 16:07:05 2000
- Organization: anonymous
The below series of emails between myself and Cobalt customer support ends up
suggesting that I contact Cobalt Professional Support Services for
assistance.
I have used the Qube2 GUI to set up my IP rules (a copy of which is posted at
the end). Before I contact Professional Support Services for a quote, I
thought I would ask the group again whether they have any ideas as to how to
do what I want to do (ping from the intranet to the internet, but not allow
the internet to ping the Qube2 - I am able to do one or the other, but not
both at the same time)? If not, does anyone have experience contracting with
Cobalt's Professional Support Services group and are they happy with the
results?
>From Mike
>To: <support-nam@xxxxxxxxxxxxx>
>Subject: IP Filters ICMP (PR#18285)
>Date: ~24 Apr 2000
> > What ip filter configuration will allow all local workstations on 192.168.1.1/24
> > to be able to send pings (ICMP packets) out to the internet via the Qube2 and
> > receive the response back, but will deny all incoming pings (all ICMP packets)
> > on the external ip address? I want to be able to ping out yet prevent anyone on
> > the internet from being able to ping my Qube2.
>From: <support-nam@xxxxxxxxxxxxx>
>To: mike
>Subject: Re: IP Filters ICMP (PR#18285)
>Date: Wed, 26 Apr 2000 11:24:05 -0700
>
>Hello Mike,
>
>Thanks for your email, I have some information for you.
>If you modify your firewall settings and remove the rules regarding ICMP, then
>enable Network Address Translation (NAT) in the Administrator site click on
>the Network button and then look for the check box labelled NAT. Check that and
>your problem should be solved.
>From Mike
>To: <support-nam@xxxxxxxxxxxxx>
>Subject: RE: IP Filters ICMP (PR#18285)
>Date: 26 Apr 2000
> > Thank you for your response. I am already doing IP forwarding and
> > NAT. If I remove the ICMP filter from my filter list, then I can ping from
> > workstations on the LAN to the internet. However, removing the filter also
> > opens the Qube2 server to pings from anyone on the internet. What I want is
> > to be able to ping from the LAN while still keeping the Qube2 server hidden
> > from pings from the internet.
>From <support-nam@xxxxxxxxxxxxx>
>To: mike
>Subject: Re: IP Filters ICMP (PR#18285)
>Date: Wed, 26 Apr 2000 18:14:32 -0700
>
>Hello again Mike,
>
>Unfortunately, blocking ICMP packets from the Internet to the Qube is a custom networking issue
>and will require the assistance of Professional Support Services. This can be
>done via the Cobalt website at http://www.cobalt.com.
[root@www /root]# ipfwadm -O -l
IP firewall output rules, default policy: accept
[root@www /root]# ipfwadm -I -l
IP firewall input rules, default policy: accept
type prot source destination ports
acc all 192.168.1.0/24 anywhere n/a
deny tcp anywhere anywhere any -> tcpmux:24
deny udp anywhere anywhere any -> 1:24
deny tcp anywhere anywhere any -> 26:52
deny udp anywhere anywhere any -> 26:52
deny tcp anywhere anywhere any -> 54:finger
deny udp anywhere anywhere any -> 54:79
deny tcp anywhere anywhere any -> 82:pop-2
deny udp anywhere anywhere any -> 82:109
deny tcp anywhere anywhere any -> sunrpc:122
deny udp anywhere anywhere any -> sunrpc:122
deny tcp anywhere anywhere any -> 124:142
deny udp anywhere anywhere any -> 124:142
deny tcp anywhere anywhere any -> NeWS:1023
deny udp anywhere anywhere any -> 144:1023
deny icmp anywhere anywhere any
[root@www /root]# ipfwadm -F -l
IP firewall forward rules, default policy: accept
type prot source destination ports
acc/m all 192.168.1.0/24 anywhere n/a
deny tcp anywhere anywhere any -> tcpmux:24
deny udp anywhere anywhere any -> 1:24
deny tcp anywhere anywhere any -> 26:52
deny udp anywhere anywhere any -> 26:52
deny tcp anywhere anywhere any -> 54:finger
deny udp anywhere anywhere any -> 54:79
deny tcp anywhere anywhere any -> 82:pop-2
deny udp anywhere anywhere any -> 82:109
deny tcp anywhere anywhere any -> sunrpc:122
deny udp anywhere anywhere any -> sunrpc:122
deny tcp anywhere anywhere any -> 124:142
deny udp anywhere anywhere any -> 124:142
deny tcp anywhere anywhere any -> NeWS:1023
deny udp anywhere anywhere any -> 144:1023
deny icmp anywhere anywhere any
acc/m all 192.168.1.0/24 anywhere n/a
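
Added example (not part of the original post, and not Cobalt code): a simplified first-match model of the input chain listed above. It shows that the blanket `deny icmp` rule also matches the echo replies coming back to masqueraded LAN pings, and that an ICMP-type rule placed ahead of it separates the two cases. The external host address and the corrected rule are constructed for illustration, and the model assumes the filter can match on ICMP type.

```python
# Simplified first-match model of the posted input chain (illustrative only).
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")   # LAN range from the post
ECHO_REPLY, UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Rule: (action, protocol, source network, ICMP types or None for any type)
POSTED = [
    ("accept", "all", LAN, None),
    ("deny", "icmp", ANY, None),      # the "deny icmp anywhere anywhere" rule
]
CORRECTED = [                          # assumption: per-type ICMP matching
    ("accept", "all", LAN, None),
    ("accept", "icmp", ANY, {ECHO_REPLY, UNREACHABLE, TIME_EXCEEDED}),
    ("deny", "icmp", ANY, None),      # still drops echo requests
]

def evaluate(rules, proto, src, icmp_type=None, default="accept"):
    """Return the action of the first matching rule, else the default policy."""
    for action, r_proto, r_src, r_types in rules:
        if r_proto not in ("all", proto):
            continue
        if ip_address(src) not in r_src:
            continue
        if r_types is not None and icmp_type not in r_types:
            continue
        return action
    return default

INTERNET_HOST = "198.51.100.7"         # constructed sample address

def verdicts(rules):
    """Verdicts for three constructed packets seen by the input chain."""
    return {
        # Reply to a masqueraded LAN ping: source is the internet host.
        "reply_to_lan_ping": evaluate(rules, "icmp", INTERNET_HOST, ECHO_REPLY),
        "ping_from_internet": evaluate(rules, "icmp", INTERNET_HOST, ECHO_REQUEST),
        "ping_from_lan": evaluate(rules, "icmp", "192.168.1.20", ECHO_REQUEST),
    }

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, verdicts(rules))
```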