[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-users] Firewall Issues on Qube2

Subject: [cobalt-users] Firewall Issues on Qube2
From: Peter Low <peterlow@xxxxxxxxxxxxxxxxxx>
Date: Thu Jan 18 06:56:01 2001
List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

I was playing around with my Qube2 yesterday, and, though I was still notable to fix the firewall, I found that I was able to turn on IP accountingusing ipfwadm (so I guess the issue is not that ipfwadm is not working).

[The next part of this post was posted to the Qube users list, so myapologies to those who have already read it]

I've been playing around with enabling the firewall on my Qube2, and havefound that the rules that are entered in the GUI do get put into a scriptat /etc/rc.d/init.d/ipfilters. However, the firewall does not work properly(the rules in the GUI are "good", but, if I enable them, then everythingbreaks) -- I'm new to ipfwadm so I'm having trouble understanding why.


Some observations from my ipfilters file:

-- the "filters only" rules appear to be the same as the "masquerade andfilters" rules-- there are only rules for input and forwarding, no rules for output (Iam using DHCP and NAT)

  -- no rules include a flag for logging

-- default policy on input, output and forward is set to accept (thefinal rule is a "deny everything else" rule)-- IP spoofing, incoming from private network, loopback packets,broadcast packets, coba (?) packets are not dealt with (Mike Vanecekaddresses all of these in a script he offered up -- available in the archives)-- I believe MODE is an external variable set by the Qube2 depending onwhether DHCP/NAT are on (MASQ or not) and whether the firewall is enabled(f/w off = +0 , f/w on = +1 , DHCP/NAT off = +0, DHCP/NAT on = +2); rulesare selected using a case statement based on MODE

I also found that working with the GUI tool for rules input and change isreally annoying/difficult (I recently had to change the IP address for myQube2 -- as a result I needed to go in and change all of the incoming rulesby hand -- what a pain).


Conclusions:

-- I think that the MODE=1 rule set should not have any forwarding rules(mine does)-- I think that the MODE=3 rule set should have output rules (mine doesnot)-- rules should probably be added to address IP spoofing, incoming fromprivate network, loopback packets, broadcast packets, coba (?) packets(does anyone know what a coba packet is?)

  -- default policy for input, forward and output should be set to deny (?)

Anyone have any suggestions as to how to get the firewall feature forQube2s fixed? (If you're not using DHCP/NAT, I think the firewall will workif you strip the forwarding rules out of the MODE=1 rule set).

<Gripe - not a call for legal action>The firewall was one of the featuresthat attracted me to the Qube. It seems Cobalt is/was guilty of falseadvertising as the firewall does not work as advertised.</Gripe - not acall for legal action>


Peter

Prev by Date: [cobalt-users] [RAQ3] Java and JSP
Next by Date: RE: [cobalt-users] New Cobalt Forum
Previous by thread: [cobalt-users] [RAQ3] Java and JSP
Next by thread: [cobalt-users] Apache not responding

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index