[cobalt-users] [QUBE] Firewall Rules
- Subject: [cobalt-users] [QUBE] Firewall Rules
- From: <rpaiz@xxxxxxxxxxxxxx>
- Date: Fri Sep 22 16:47:37 2000
Lord, I hate the archives. Mostly since, after two hours of wading through
them, I still don't have a thing to show for it. So...
I have configured the firewall rules precisely as shown by the Cobalt tool
on the website. Checked them backwards and forwards, too... But of course
they don't work, since my users can't use web, DNS, or ping. (I *think* mail
goes through but am not sure.) And the moment I disable IP filtering all is
right with the world again.
Full commentary on my rules as configured is shown at the end of this
message. My questions are:
* According to the Cobalt tool, port 53 (DNS) only allows TCP. But a post in
the archives suggests that DNS is normally UDP and only goes to TCP under
certain circumstances. How accurate is this other information? Should I
enable UDP for port 53?
* The Cobalt tool suggests that I reference the Qube as 111.111.111.130/27
(IP's changed to protect the innocent), using the 130 (the actual IP) and
the subnet mask to represent the Qube specifically and all others in its
subnet (128-159). Does this work? Or should I use the network name
(111.111.111.128/27)?
* Any other suggestions?
--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>
=============
ACTUAL CONFIGURATION
Please note that I am using a Class-C internal subnet (10.10.10.x/24) and
that I have a block of real IP's with a 224 netmask (111.111.111.128/27).
Most rules look like this for ports 21, 23, 25, 53, 80, 81, 110, 113, 119,
139, 143, and 161-162, allowing only TCP:
1 Allow Any Any 111.111.111.128/27 21 TCP
2 Allow 10.10.10.0/24 Any Any 21 TCP
Only port 123 and ports 1025-65535 have rules like this, enabling both TCP
and UDP:
19 Allow Any Any 111.111.111.128/27 123 TCP
20 Allow Any Any 111.111.111.128/27 123 UDP
21 Allow 10.10.10.0/24 Any Any 123 TCP
22 Allow 10.10.10.0/24 Any Any 123 UDP
Finally, ICMP is given free rein with:
29 Allow Any Any 111.111.111.128/27 Any ICMP
30 Allow 10.10.10.0/24 Any Any Any ICMP
...and of course the grand finale:
35 Deny Any Any Any Any All
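Added example, not part of the original post: a small first-match model of the rule set as described, assuming the columns read action, source, source port, destination, destination port, protocol (every source port above is Any, so it is omitted). It shows that a LAN host's UDP/53 lookup falls through to the final Deny while the same query over TCP is allowed, and that 111.111.111.130/27 and 111.111.111.128/27 name the same /27 once the host bits are masked. The addresses are the post's own placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str      # "Allow" or "Deny"
    src: str         # CIDR or "Any"
    dst: str         # CIDR or "Any"
    dport: str       # "Any", a single port, or "lo-hi"
    proto: str       # "TCP", "UDP", "ICMP" or "All"

def _net_match(pattern: str, addr: str) -> bool:
    if pattern == "Any":
        return True
    # strict=False accepts a host-form address such as 111.111.111.130/27
    # and masks it to the network 111.111.111.128/27
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _port_match(pattern: str, port: int) -> bool:
    if pattern == "Any":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, src, dst, dport, proto) -> str:
    """Return the action of the first rule that matches (first match wins)."""
    for r in rules:
        if (r.proto in ("All", proto) and _net_match(r.src, src)
                and _net_match(r.dst, dst) and _port_match(r.dport, dport)):
            return r.action
    return "Deny"  # nothing matched; the post's rule 35 makes this explicit anyway

# The post's rule shapes, reduced to the DNS, high-port and catch-all lines (constructed subset).
RULES = [
    Rule("Allow", "Any", "111.111.111.128/27", "53", "TCP"),
    Rule("Allow", "10.10.10.0/24", "Any", "53", "TCP"),
    Rule("Allow", "Any", "111.111.111.128/27", "1025-65535", "TCP"),
    Rule("Allow", "Any", "111.111.111.128/27", "1025-65535", "UDP"),
    Rule("Allow", "10.10.10.0/24", "Any", "1025-65535", "TCP"),
    Rule("Allow", "10.10.10.0/24", "Any", "1025-65535", "UDP"),
    Rule("Deny", "Any", "Any", "Any", "All"),
]

def same_network(a: str, b: str) -> bool:
    """True when two CIDR spellings (host-form or network-form) denote one subnet."""
    return ipaddress.ip_network(a, strict=False) == ipaddress.ip_network(b, strict=False)
```

Run `evaluate(RULES, "10.10.10.5", "111.111.111.130", 53, "UDP")` to see the UDP lookup land on the final Deny; swapping in `"TCP"` returns Allow.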