Firewall - Debian


Thread: Firewall

  1. Firewall

    Hello,
    new to this place, so Hi everyone.

    I run a few servers on my network and am having problems with my firewall.
    I am finishing up my imap server but I can't connect to it; the error my
    firewall spits out is that it is a
    spoofed MAC address (on the server side). I can connect to the local
    addresses but not anywhere where it has to go through my fw.
    I run Debian 3.01 (sarge) with Exim4, Dovecot imap w/maildir; also I have
    4 virtual IPs on this server, for intra(extra)nets.
    My firewall is Astaro Security Linux 6.
    My question is what is a good firewall these days, because I have about
    had it with this one.

    Thanx
    Chris


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: Firewall

    On Fri, 2006-07-21 at 00:55 -0600, Chris Davies wrote:
    > Hello,
    > new to this place, so Hi everyone.
    >
    > I run a few servers on my network and am having problems with my firewall.
    > I am finishing up my imap server but I can't connect to it; the error my
    > firewall spits out is that it is a
    > spoofed MAC address (on the server side). I can connect to the local
    > addresses but not anywhere where it has to go through my fw.
    > I run Debian 3.01 (sarge) with Exim4, Dovecot imap w/maildir; also I have
    > 4 virtual IPs on this server, for intra(extra)nets.
    > My firewall is Astaro Security Linux 6.
    > My question is what is a good firewall these days, because I have about
    > had it with this one.


    Maybe have a look at firehol? I've been using it for a year or so and it
    works pretty well.

    cheers
    Shane



  3. Re: Firewall


    The output of the command "iptables-save" would be useful to us. As
    would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.

    The actual error messages would be useful as well.

    If you don't want to fix it, which would be contrary to the fact that
    you told us all about it, there are a number of other Linux or
    FreeBSD/OpenBSD firewall projects -- Google can help you find the way.
    If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
    Checkpoint are quite common. I don't care for Watchguard, SonicWall, or
    other firewall vendors much.



    Chris Davies wrote:
    > Hello,
    > new to this place, so Hi everyone.
    >
    > I run a few servers on my network and am having problems with my firewall.
    > I am finishing up my imap server but I can't connect to it; the error my
    > firewall spits out is that it is a
    > spoofed MAC address (on the server side). I can connect to the local
    > addresses but not anywhere where it has to go through my fw.
    > I run Debian 3.01 (sarge) with Exim4, Dovecot imap w/maildir; also I have
    > 4 virtual IPs on this server, for intra(extra)nets.
    > My firewall is Astaro Security Linux 6.
    > My question is what is a good firewall these days, because I have about
    > had it with this one.
    >
    > Thanx
    > Chris
    >
    >


    --
    # Jesse Molina
    # Mail = jesse@opendreams.net
    # Page = page-jesse@opendreams.net
    # Cell = 1.602.323.7608
    # Web = http://www.opendreams.net/jesse/




  4. Re: Firewall

    Jesse Molina wrote:
    >
    > The output of the command "iptables-save" would be useful to us. As
    > would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
    >
    > The actual error messages would be useful as well.
    >
    > If you don't want to fix it, which would be contrary to the fact that
    > you told us all about it, there are a number of other Linux or
    > FreeBSD/OpenBSD firewall projects -- Google can help you find the way.
    > If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
    > Checkpoint are quite common. I don't care for Watchguard, SonicWall,
    > or other firewall vendors much.
    >
    >
    >
    > Chris Davies wrote:
    >> Hello,
    >> new to this place, so Hi everyone.
    >>
    >> I run a few servers on my network and am having problems with my
    >> firewall.
    >> I am finishing up my imap server but I can't connect to it; the error my
    >> firewall spits out is that it is a
    >> spoofed MAC address (on the server side). I can connect to the local
    >> addresses but not anywhere where it has to go through my fw.
    >> I run Debian 3.01 (sarge) with Exim4, Dovecot imap w/maildir; also I have
    >> 4 virtual IPs on this server, for intra(extra)nets.
    >> My firewall is Astaro Security Linux 6.
    >> My question is what is a good firewall these days, because I have about
    >> had it with this one.
    >>
    >> Thanx
    >> Chris
    >>
    >

    Message from log --->
    2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
    MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
    DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
    PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0

    # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    *nat
    :AUTO_OUTPUT - [0:0]
    :AUTO_POST - [0:0]
    :AUTO_PRE - [0:0]
    :PREROUTING ACCEPT [684764:90790281]
    :POSTROUTING ACCEPT [810702:54559262]
    :OUTPUT ACCEPT [38180:5648519]
    :USR_OUTPUT - [0:0]
    :USR_POST - [0:0]
    :USR_PRE - [0:0]
    -A PREROUTING -j AUTO_PRE
    -A PREROUTING -j USR_PRE
    -A POSTROUTING -j AUTO_POST
    -A POSTROUTING -j USR_POST
    -A OUTPUT -j AUTO_OUTPUT
    -A OUTPUT -j USR_OUTPUT
    -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
    80 -j DNAT --to-destination 192.168.1.110
    -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
    1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
    1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
    -j DNAT --to-destination 192.168.1.100
    -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
    6881 -j DNAT --to-destination 192.168.2.105
    -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
    6881 -j DNAT --to-destination 192.168.2.105
    -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
    4444 -j DNAT --to-destination 192.168.2.105
    -A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
    -A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
    -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
    -j DNAT --to-destination 192.168.1.110
    -A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
    1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    -A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
    1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
    DNAT --to-destination 192.168.1.100
    -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
    -j DNAT --to-destination 192.168.2.105
    -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
    -j DNAT --to-destination 192.168.2.105
    -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
    -j DNAT --to-destination 192.168.2.105
    COMMIT
    # Completed on Fri Jul 21 01:30:07 2006
    # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    *ips
    :PREROUTING ACCEPT [85268420:58804227617]
    :INPUT ACCEPT [71920:73703193]
    :FORWARD ACCEPT [18409:10865526]
    :OUTPUT ACCEPT [51149:7744091]
    :POSTROUTING ACCEPT [85257053:58524784864]
    COMMIT
    # Completed on Fri Jul 21 01:30:07 2006
    # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    *mangle
    :INVALID_PKT - [0:0]
    :POLICY_ROUTING_OUT - [0:0]
    :POLICY_ROUTING_PRE - [0:0]
    :PREROUTING ACCEPT [85268432:58804228448]
    :INPUT ACCEPT [6933573:1948839077]
    :FORWARD ACCEPT [78333312:56855205229]
    :OUTPUT ACCEPT [7027235:1676138656]
    :POSTROUTING ACCEPT [67282614:56180797304]
    :SET_PRIO_HIGH - [0:0]
    :SET_PRIO_LOW - [0:0]
    -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
    --ulog-qthreshold 50
    -A INVALID_PKT -j DROP
    -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
    -A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
    REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
    -A PREROUTING -j POLICY_ROUTING_PRE
    -A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
    -A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
    -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
    -A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
    --ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
    -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
    -m udp --sport 53:65535 --dport 53 -m u32 --u32
    0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
    --ulog-cprange 40 --ulog-qthreshold 50
    -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
    -m tcp --sport 53:65535 --dport 53 -m u32 --u32
    0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
    "DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
    -A OUTPUT -j POLICY_ROUTING_OUT
    -A POSTROUTING -o lo -j ACCEPT
    -A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
    50:100 -j SET_PRIO_HIGH
    -A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
    -A POSTROUTING -p icmp -j SET_PRIO_HIGH
    -A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
    -A SET_PRIO_HIGH -j ACCEPT
    -A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
    -A SET_PRIO_LOW -j ACCEPT
    COMMIT
    # Completed on Fri Jul 21 01:30:07 2006
    # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    *raw
    :ICMP_FLOOD - [0:0]
    :ICMP_FLOOD_DROP - [0:0]
    :ICMP_FLOOD_DST - [0:0]
    :ICMP_FLOOD_SRC - [0:0]
    :LOCAL_TRAFFIC - [0:0]
    :PREROUTING ACCEPT [144:6172]
    :OUTPUT ACCEPT [913592:160544115]
    :SYN_FLOOD - [0:0]
    :SYN_FLOOD_DROP - [0:0]
    :SYN_FLOOD_DST - [0:0]
    :SYN_FLOOD_SRC - [0:0]
    :UDP_FLOOD - [0:0]
    :UDP_FLOOD_DROP - [0:0]
    :UDP_FLOOD_DST - [0:0]
    :UDP_FLOOD_SRC - [0:0]
    -A ICMP_FLOOD -j ICMP_FLOOD_SRC
    -A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    "ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    -A ICMP_FLOOD_DROP -j DROP
    -A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
    --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
    -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
    -A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
    --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
    -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
    -A LOCAL_TRAFFIC -j NOTRACK
    -A LOCAL_TRAFFIC -j ACCEPT
    -A LOCAL_TRAFFIC -j NOTRACK
    -A LOCAL_TRAFFIC -j ACCEPT
    -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    -A PREROUTING -p tcp -j SYN_FLOOD
    -A PREROUTING -p udp -j UDP_FLOOD
    -A PREROUTING -p icmp -j ICMP_FLOOD
    -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    -A SYN_FLOOD -j SYN_FLOOD_SRC
    -A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    "SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    -A SYN_FLOOD_DROP -j DROP
    -A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
    --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
    -A SYN_FLOOD_DST -j SYN_FLOOD_DROP
    -A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
    --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
    -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
    -A UDP_FLOOD -j UDP_FLOOD_SRC
    -A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    "UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    -A UDP_FLOOD_DROP -j DROP
    -A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
    --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
    -A UDP_FLOOD_DST -j UDP_FLOOD_DROP
    -A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
    --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
    -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
    COMMIT
    # Completed on Fri Jul 21 01:30:07 2006
    # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    *filter
    :AUTO_FORWARD - [0:0]
    :AUTO_INPUT - [0:0]
    :AUTO_OUTPUT - [0:0]
    :HA - [0:0]
    :INPUT DROP [3:534]
    :FORWARD DROP [0:0]
    :INVALID_PKT - [0:0]
    :LOGACCEPT - [0:0]
    :LOGDROP - [0:0]
    :LOGREJECT - [0:0]
    :OUTPUT DROP [4:224]
    :PSD_ACTION - [0:0]
    :PSD_MATCH - [0:0]
    :SANITY_CHECKS - [0:0]
    :SPOOFING_PROTECTION - [0:0]
    :SPOOF_DROP - [0:0]
    :STRICT_TCP_STATE - [0:0]
    :USR_FORWARD - [0:0]
    :USR_INPUT - [0:0]
    :USR_OUTPUT - [0:0]
    -A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
    -A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
    -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
    --dport 22 -j CONFIRMED
    -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
    -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 443 -j CONFIRMED
    -A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
    -A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
    -A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
    -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
    -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
    -A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
    53 -m owner --cmd-owner named -j CONFIRMED
    -A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
    53 -m owner --cmd-owner named -j CONFIRMED
    -A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
    -m owner --cmd-owner named -j CONFIRMED
    -A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
    -m owner --cmd-owner named -j CONFIRMED
    -A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
    -m owner --cmd-owner named -j CONFIRMED
    -A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
    -m owner --cmd-owner named -j CONFIRMED
    -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
    --cmd-owner exim -j CONFIRMED
    -A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
    514 -m owner --cmd-owner syslog-ng -j CONFIRMED
    -A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
    owner --cmd-owner netselect -j CONFIRMED
    -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
    --cmd-owner aus -j CONFIRMED
    -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
    --cmd-owner aus -j CONFIRMED
    -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
    --cmd-owner pattern_aus -j CONFIRMED
    -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
    --cmd-owner pattern_aus -j CONFIRMED
    -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
    --cmd-owner wget -j CONFIRMED
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    -A INPUT -m state --state RELATED -j CONFIRMED
    -A INPUT -j SPOOFING_PROTECTION
    -A INPUT -j HA
    -A INPUT -j PSD_MATCH
    -A INPUT -j SANITY_CHECKS
    -A INPUT -j AUTO_INPUT
    -A INPUT -j USR_INPUT
    -A INPUT -j LOGDROP
    -A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    -A FORWARD -m state --state RELATED -j CONFIRMED
    -A FORWARD -j SPOOFING_PROTECTION
    -A FORWARD -j PSD_MATCH
    -A FORWARD -j SANITY_CHECKS
    -A FORWARD -j AUTO_FORWARD
    -A FORWARD -j USR_FORWARD
    -A FORWARD -j LOGDROP
    -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
    --ulog-qthreshold 50
    -A INVALID_PKT -j DROP
    -A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
    --ulog-qthreshold 50
    -A LOGACCEPT -j CONFIRMED
    -A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
    --ulog-qthreshold 50
    -A LOGDROP -j DROP
    -A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
    --ulog-qthreshold 50
    -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    -A OUTPUT -m state --state RELATED -j CONFIRMED
    -A OUTPUT -j HA
    -A OUTPUT -j SANITY_CHECKS
    -A OUTPUT -j AUTO_OUTPUT
    -A OUTPUT -j USR_OUTPUT
    -A OUTPUT -j LOGDROP
    -A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
    --ulog-qthreshold 50
    -A PSD_ACTION -j DROP
    -A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
    --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
    -A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
    SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
    -A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
    -A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
    --state INVALID -j REJECT --reject-with tcp-reset
    -A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
    -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
    SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
    SPOOF_DROP
    -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
    40 --ulog-qthreshold 50
    -A SPOOF_DROP -j DROP
    -A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
    -A STRICT_TCP_STATE -p tcp -j INVALID_PKT
    -A STRICT_TCP_STATE -p tcp -j DROP
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 80 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 20:21 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 21 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 443 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1:65535 --dport 110 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1:65535 --dport 25 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 23 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
    tcp --sport 1024:65535 --dport 143 -j CONFIRMED
    -A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
    -A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
    -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
    -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1:65535 --dport 110 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1:65535 --dport 110 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1:65535 --dport 2703 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
    1:65535 --dport 2703 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1:65535 --dport 2703 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
    1:65535 --dport 2703 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
    143 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
    143 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 80 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 20:21 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
    80 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 443 -j CONFIRMED
    -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    1024:65535 --dport 443 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --dport 22 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
    4444 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    4242 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    4242 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    4441 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    4441 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    4242 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    4242 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    4441 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    4441 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
    1:65535 -j CONFIRMED
    -A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
    -A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
    -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
    -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    -p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
    -A USR_INPUT -d 192.168.2.255 -j DROP
    -A USR_INPUT -d 192.168.1.255 -j DROP
    -A USR_INPUT -d 255.255.255.255 -j DROP
    COMMIT
    # Completed on Fri Jul 21 01:30:07 2006


    ip addr --->
    1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
    3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
    inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
    ********* end

    ifconfig -a ----->
    eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
    inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
    TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557 (2349.1 Mb)
    Interrupt:169 Base address:0xdc00

    eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
    TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)

    eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
    inet addr:69.20.153.137 Bcast:69.20.153.143 Mask:255.255.255.240
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
    TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
    collisions:294358 txqueuelen:1000
    RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120 (1884.5 Mb)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054 (1445.8 Mb)

    *************end

    The purpose of listing my current config was to give anyone else an idea
    of what I am now using (like to suggest just an iptables based solution
    vs a larger Cisco PIX box, which would be overkill for my use). I
    would like to switch to a different one but I would like some opinions
    of what you have used and are happy with vs getting a beta and having
    security breaches, or if you could help me fix this one I would be very
    appreciative.

    Chris



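The log line and the SPOOFING_PROTECTION chain posted above are enough to see which anti-spoof rule produced the drop. The Python below is an added example, not code from the thread or from Astaro: it replays the logged packet (IN=eth0, SRC=192.168.2.105, DST=69.20.153.137, DPT=143) through the chain in rule order and reports whether the nat table rewrites tcp/143 first; the only data it assumes are the rules and the log line quoted verbatim above, re-joined where the mail wrapped them.

```python
"""Replay the thread's IP-SPOOFING DROP line against its SPOOFING_PROTECTION chain."""
import ipaddress
import re

# The ulogd line posted in the thread, re-joined onto one line.
ULOG_LINE = (
    "2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT= "
    "MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 "
    "DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF "
    "PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0"
)

# The SPOOFING_PROTECTION chain from the posted iptables-save, rule order kept.
SPOOFING_PROTECTION = """\
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
"""

# The TCP DNAT rules for 69.20.153.137 from the posted nat table (USR_PRE chain).
USR_PRE_TCP = """\
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.1.110
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j DNAT --to-destination 192.168.1.100
-A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881 -j DNAT --to-destination 192.168.2.105
"""

RULE_RE = re.compile(
    r"-A SPOOFING_PROTECTION"
    r"(?: -s (?P<src>\S+))?"
    r"(?: -d (?P<dst>\S+))?"
    r" -i (?P<neg>! )?(?P<iface>\S+)"
    r" -j (?P<target>\S+)$"
)


def parse_ulog(line):
    """Return the KEY=VALUE fields (IN, SRC, DST, DPT, ...) of a netfilter log line."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


class SpoofRule:
    """One '-s/-d <addr> -i [!] <iface>' rule of the SPOOFING_PROTECTION chain."""

    def __init__(self, text):
        m = RULE_RE.match(text)
        if m is None:
            raise ValueError("unparsed rule: " + text)
        self.text = text
        # iptables-save prints dotted masks (x/255.255.255.0); ipaddress accepts them.
        self.src = ipaddress.ip_network(m["src"], strict=False) if m["src"] else None
        self.dst = ipaddress.ip_network(m["dst"], strict=False) if m["dst"] else None
        self.iface = m["iface"]
        self.iface_negated = m["neg"] is not None
        self.target = m["target"]

    def matches(self, in_iface, src, dst):
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and dst not in self.dst:
            return False
        # "-i ! eth2" matches on every ingress interface except eth2.
        return (in_iface == self.iface) != self.iface_negated


def first_spoof_match(ulog_line, chain_text=SPOOFING_PROTECTION):
    """Walk the chain in order; return (1-based rule number, rule text) of the
    first rule the logged packet hits, or None if it would fall off the chain."""
    pkt = parse_ulog(ulog_line)
    src = ipaddress.ip_address(pkt["SRC"])
    dst = ipaddress.ip_address(pkt["DST"])
    for n, line in enumerate(chain_text.strip().splitlines(), start=1):
        rule = SpoofRule(line)
        if rule.matches(pkt["IN"], src, dst):
            return n, rule.text
    return None


def dnat_tcp_ports(nat_text=USR_PRE_TCP):
    """TCP destination ports the nat PREROUTING chain rewrites before the filter table runs."""
    return {int(p) for p in re.findall(r"-p tcp .*?--dport (\d+) -j DNAT", nat_text)}


if __name__ == "__main__":
    hit = first_spoof_match(ULOG_LINE)
    dpt = int(parse_ulog(ULOG_LINE)["DPT"])
    print("spoof rule hit:", hit)
    print("tcp/%d rewritten by DNAT first: %s" % (dpt, dpt in dnat_tcp_ports()))
```

The walk stops at rule 10 (-d 69.20.153.137 -i ! eth2): a packet addressed to the firewall's own external address that arrived on an inside interface, which the chain treats as spoofed. Since no USR_PRE rule DNATs tcp/143 the way it does 80, 25 and 6881, the destination is still 69.20.153.137 when the filter table's INPUT chain runs the check.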

  5. Re: Firewall

    On 07/21/2006 8:49:50 AM +0100
    Chris Davies said:

    > The purpose of listing my current config was to give anyone else an idea
    > of what I am now using (like to suggest just an iptables based solution
    > vs a larger Cisco PIX box, which would be overkill for my use)


    I don't believe a Cisco box is overkill for an ISP - why do you think that?

    > I
    > would like to switch to a different one but I would like some opinions
    > of what you have used and are happy with


    If you want to create a firewall on a Linux system, I'd (strongly)
    recommend Shorewall. You might want to use the version in Testing, which
    will install cleanly on a Stable system.

    Keith



  6. Re: Firewall

    I would recommend looking at a Nokia Checkpoint solution.

    Your config is getting to the point of becoming too complicated to have
    a complete overview.

    I would also definitely stay away from Cisco PIX - access lists on these
    boxes are just as complicated as iptables.

    Andrew

    Chris Davies wrote:
    > Jesse Molina wrote:
    >
    > The purpose of listing my current config was to give anyone else an idea
    > of what I am now using (like to suggest just an iptables based solution
    > vs a larger Cisco PIX box, which would be overkill for my use). I
    > would like to switch to a different one, but I would like some opinions
    > of what you have used and are happy with vs getting a beta and having
    > security breaches, or if you could help me fix this one I would be very
    > appreciative.
    >
    >




  7. Re: Firewall


    This is very very useful information here.

    The error message tells us detailed info that we need to know about what
    packet was dropped, that you did not want it dropped, and we have the
    iptables configuration.

    Here is the important part of the error message details:

    IP-SPOOFING DROP: IN=eth0
    SRC=192.168.2.105
    DST=69.20.153.137
    PROTO=TCP SPT=59941 DPT=143

    Okay, now here is the configuration that generated this iptables packet
    drop, and the chain it came from:

    -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange 40 --ulog-qthreshold 50
    -A SPOOF_DROP -j DROP

    -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP



    Finally, here is the offending line that our packet matches, which is
    causing it to be dropped:

    "-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP"

    Yep, that packet is coming in on eth0, going to 69.20.153.137. That's
    perfectly sane, but the iptables rules are not. I think they assume
    that the 192.168.2.0/24 network will access the firewall host only on
    the same network interface, which is NOT a good assumption. Your IMAP
    server has its DNS entry set to use its public-facing port.

    You need to remove the offending rule and your problems may go away.
    That said, make sure to go through your firewall UI to do it -- don't
    mess with iptables directly unless the firewall vendor/project says you
    may do so, or you want to just use iptables in the future.

    Also, you may have other issues due to the NAT/MASQ you have going on
    there. I don't know if the firewall trying to talk to itself through a
    NAT/MASQ session is going to work.

    Another option that might resolve your problems is to have a split DNS
    between the Internet and your inside networks (I don't like this
    particular solution myself, but it's what many might do).

    My condolences on your complicated problem. You are going to need to
    meditate on this one to get it figured out. Good luck though. It can
    be done.



    Chris Davies wrote:
    > Jesse Molina wrote:
    >> The output of the command "iptables-save" would be useful to us. As
    >> would an "ip addr" or "ifconfig -a", on BOTH the server and the firewall.
    >>
    >> The actual error messages would be useful as well.
    >>
    >> If you don't want to fix it, which would be contrary to the fact that
    >> you told us all about it, there are a number of other Linux or
    >> FreeBSD/OpenBSD firewall projects -- google can help you find the way.
    >> If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
    >> checkpoint are quite common. I don't care for Watchguard, SonicWall,
    >> or other firewall vendors much.
    >>
    >>
    >>
    >> Chris Davies wrote:
    >>> Hello,
    >>> new to this place, so Hi everyone.
    >>>
    >>> I run a few servers on my network and am having problems with my
    >>> firewall.
    >>> I am finishing up my imap server but I can't connect to it, the error my
    >>> firewall spits out is that it is a
    >>> spoofed mac address (on the server side), I can connect to the local
    >>> address' but will not anywhere where it has to go through my fw
    >>> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I have
    >>> 4 virtual IPs on this server, for intra(extra)nets.
    >>> My firewall is Astaro Security Linux 6.
    >>> My question is what is a good firewall these days, because I have about
    >>> had it with this one.
    >>>
    >>> Thanx
    >>> Chris
    >>>
    >>>

    > Message from log --->
    > 2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
    > MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
    > DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
    > PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
    >
    > # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    > *nat
    > :AUTO_OUTPUT - [0:0]
    > :AUTO_POST - [0:0]
    > :AUTO_PRE - [0:0]
    > :PREROUTING ACCEPT [684764:90790281]
    > :POSTROUTING ACCEPT [810702:54559262]
    > :OUTPUT ACCEPT [38180:5648519]
    > :USR_OUTPUT - [0:0]
    > :USR_POST - [0:0]
    > :USR_PRE - [0:0]
    > -A PREROUTING -j AUTO_PRE
    > -A PREROUTING -j USR_PRE
    > -A POSTROUTING -j AUTO_POST
    > -A POSTROUTING -j USR_POST
    > -A OUTPUT -j AUTO_OUTPUT
    > -A OUTPUT -j USR_OUTPUT
    > -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
    > 80 -j DNAT --to-destination 192.168.1.110
    > -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
    > 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    > -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
    > 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    > -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
    > -j DNAT --to-destination 192.168.1.100
    > -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
    > 6881 -j DNAT --to-destination 192.168.2.105
    > -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
    > 6881 -j DNAT --to-destination 192.168.2.105
    > -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
    > 4444 -j DNAT --to-destination 192.168.2.105
    > -A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
    > -A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
    > -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
    > -j DNAT --to-destination 192.168.1.110
    > -A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
    > 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    > -A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
    > 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    > -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
    > DNAT --to-destination 192.168.1.100
    > -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
    > -j DNAT --to-destination 192.168.2.105
    > -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
    > -j DNAT --to-destination 192.168.2.105
    > -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
    > -j DNAT --to-destination 192.168.2.105
    > COMMIT
    > # Completed on Fri Jul 21 01:30:07 2006
    > # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    > *ips
    > :PREROUTING ACCEPT [85268420:58804227617]
    > :INPUT ACCEPT [71920:73703193]
    > :FORWARD ACCEPT [18409:10865526]
    > :OUTPUT ACCEPT [51149:7744091]
    > :POSTROUTING ACCEPT [85257053:58524784864]
    > COMMIT
    > # Completed on Fri Jul 21 01:30:07 2006
    > # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    > *mangle
    > :INVALID_PKT - [0:0]
    > :POLICY_ROUTING_OUT - [0:0]
    > :POLICY_ROUTING_PRE - [0:0]
    > :PREROUTING ACCEPT [85268432:58804228448]
    > :INPUT ACCEPT [6933573:1948839077]
    > :FORWARD ACCEPT [78333312:56855205229]
    > :OUTPUT ACCEPT [7027235:1676138656]
    > :POSTROUTING ACCEPT [67282614:56180797304]
    > :SET_PRIO_HIGH - [0:0]
    > :SET_PRIO_LOW - [0:0]
    > -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
    > --ulog-qthreshold 50
    > -A INVALID_PKT -j DROP
    > -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
    > -A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
    > REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
    > -A PREROUTING -j POLICY_ROUTING_PRE
    > -A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
    > -A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
    > -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
    > -A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
    > --ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
    > -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
    > -m udp --sport 53:65535 --dport 53 -m u32 --u32
    > 0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
    > --ulog-cprange 40 --ulog-qthreshold 50
    > -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
    > -m tcp --sport 53:65535 --dport 53 -m u32 --u32
    > 0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
    > "DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
    > -A OUTPUT -j POLICY_ROUTING_OUT
    > -A POSTROUTING -o lo -j ACCEPT
    > -A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
    > 50:100 -j SET_PRIO_HIGH
    > -A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
    > -A POSTROUTING -p icmp -j SET_PRIO_HIGH
    > -A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
    > -A SET_PRIO_HIGH -j ACCEPT
    > -A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
    > -A SET_PRIO_LOW -j ACCEPT
    > COMMIT
    > # Completed on Fri Jul 21 01:30:07 2006
    > # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    > *raw
    > :ICMP_FLOOD - [0:0]
    > :ICMP_FLOOD_DROP - [0:0]
    > :ICMP_FLOOD_DST - [0:0]
    > :ICMP_FLOOD_SRC - [0:0]
    > :LOCAL_TRAFFIC - [0:0]
    > :PREROUTING ACCEPT [144:6172]
    > :OUTPUT ACCEPT [913592:160544115]
    > :SYN_FLOOD - [0:0]
    > :SYN_FLOOD_DROP - [0:0]
    > :SYN_FLOOD_DST - [0:0]
    > :SYN_FLOOD_SRC - [0:0]
    > :UDP_FLOOD - [0:0]
    > :UDP_FLOOD_DROP - [0:0]
    > :UDP_FLOOD_DST - [0:0]
    > :UDP_FLOOD_SRC - [0:0]
    > -A ICMP_FLOOD -j ICMP_FLOOD_SRC
    > -A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    > "ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    > -A ICMP_FLOOD_DROP -j DROP
    > -A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
    > --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
    > -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
    > -A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
    > --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
    > -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
    > -A LOCAL_TRAFFIC -j NOTRACK
    > -A LOCAL_TRAFFIC -j ACCEPT
    > -A LOCAL_TRAFFIC -j NOTRACK
    > -A LOCAL_TRAFFIC -j ACCEPT
    > -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    > -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    > -A PREROUTING -p tcp -j SYN_FLOOD
    > -A PREROUTING -p udp -j UDP_FLOOD
    > -A PREROUTING -p icmp -j ICMP_FLOOD
    > -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    > -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    > -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    > -A SYN_FLOOD -j SYN_FLOOD_SRC
    > -A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    > "SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    > -A SYN_FLOOD_DROP -j DROP
    > -A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
    > --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
    > -A SYN_FLOOD_DST -j SYN_FLOOD_DROP
    > -A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
    > --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
    > -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
    > -A UDP_FLOOD -j UDP_FLOOD_SRC
    > -A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    > "UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    > -A UDP_FLOOD_DROP -j DROP
    > -A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
    > --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
    > -A UDP_FLOOD_DST -j UDP_FLOOD_DROP
    > -A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
    > --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
    > -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
    > COMMIT
    > # Completed on Fri Jul 21 01:30:07 2006
    > # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    > *filter
    > :AUTO_FORWARD - [0:0]
    > :AUTO_INPUT - [0:0]
    > :AUTO_OUTPUT - [0:0]
    > :HA - [0:0]
    > :INPUT DROP [3:534]
    > :FORWARD DROP [0:0]
    > :INVALID_PKT - [0:0]
    > :LOGACCEPT - [0:0]
    > :LOGDROP - [0:0]
    > :LOGREJECT - [0:0]
    > :OUTPUT DROP [4:224]
    > :PSD_ACTION - [0:0]
    > :PSD_MATCH - [0:0]
    > :SANITY_CHECKS - [0:0]
    > :SPOOFING_PROTECTION - [0:0]
    > :SPOOF_DROP - [0:0]
    > :STRICT_TCP_STATE - [0:0]
    > :USR_FORWARD - [0:0]
    > :USR_INPUT - [0:0]
    > :USR_OUTPUT - [0:0]
    > -A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
    > -A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
    > -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
    > --dport 22 -j CONFIRMED
    > -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
    > -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 443 -j CONFIRMED
    > -A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
    > -A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
    > -A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
    > -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
    > -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
    > -A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
    > 53 -m owner --cmd-owner named -j CONFIRMED
    > -A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
    > 53 -m owner --cmd-owner named -j CONFIRMED
    > -A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
    > -m owner --cmd-owner named -j CONFIRMED
    > -A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
    > -m owner --cmd-owner named -j CONFIRMED
    > -A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
    > -m owner --cmd-owner named -j CONFIRMED
    > -A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
    > -m owner --cmd-owner named -j CONFIRMED
    > -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
    > --cmd-owner exim -j CONFIRMED
    > -A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
    > 514 -m owner --cmd-owner syslog-ng -j CONFIRMED
    > -A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
    > owner --cmd-owner netselect -j CONFIRMED
    > -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
    > --cmd-owner aus -j CONFIRMED
    > -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
    > --cmd-owner aus -j CONFIRMED
    > -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
    > --cmd-owner pattern_aus -j CONFIRMED
    > -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
    > --cmd-owner pattern_aus -j CONFIRMED
    > -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
    > --cmd-owner wget -j CONFIRMED
    > -A INPUT -i lo -j ACCEPT
    > -A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    > -A INPUT -m state --state RELATED -j CONFIRMED
    > -A INPUT -j SPOOFING_PROTECTION
    > -A INPUT -j HA
    > -A INPUT -j PSD_MATCH
    > -A INPUT -j SANITY_CHECKS
    > -A INPUT -j AUTO_INPUT
    > -A INPUT -j USR_INPUT
    > -A INPUT -j LOGDROP
    > -A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    > -A FORWARD -m state --state RELATED -j CONFIRMED
    > -A FORWARD -j SPOOFING_PROTECTION
    > -A FORWARD -j PSD_MATCH
    > -A FORWARD -j SANITY_CHECKS
    > -A FORWARD -j AUTO_FORWARD
    > -A FORWARD -j USR_FORWARD
    > -A FORWARD -j LOGDROP
    > -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
    > --ulog-qthreshold 50
    > -A INVALID_PKT -j DROP
    > -A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
    > --ulog-qthreshold 50
    > -A LOGACCEPT -j CONFIRMED
    > -A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
    > --ulog-qthreshold 50
    > -A LOGDROP -j DROP
    > -A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
    > --ulog-qthreshold 50
    > -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
    > -A OUTPUT -o lo -j ACCEPT
    > -A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    > -A OUTPUT -m state --state RELATED -j CONFIRMED
    > -A OUTPUT -j HA
    > -A OUTPUT -j SANITY_CHECKS
    > -A OUTPUT -j AUTO_OUTPUT
    > -A OUTPUT -j USR_OUTPUT
    > -A OUTPUT -j LOGDROP
    > -A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
    > --ulog-qthreshold 50
    > -A PSD_ACTION -j DROP
    > -A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
    > --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
    > -A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
    > SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
    > -A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
    > -A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
    > --state INVALID -j REJECT --reject-with tcp-reset
    > -A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
    > -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
    > SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
    > SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    > -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
    > 40 --ulog-qthreshold 50
    > -A SPOOF_DROP -j DROP
    > -A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
    > -A STRICT_TCP_STATE -p tcp -j INVALID_PKT
    > -A STRICT_TCP_STATE -p tcp -j DROP
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 80 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 20:21 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 21 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 443 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1:65535 --dport 110 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1:65535 --dport 25 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 23 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
    > tcp --sport 1024:65535 --dport 143 -j CONFIRMED
    > -A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
    > -A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
    > -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
    > -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1:65535 --dport 110 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1:65535 --dport 110 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1:65535 --dport 2703 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
    > 1:65535 --dport 2703 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1:65535 --dport 2703 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
    > 1:65535 --dport 2703 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
    > 143 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
    > 143 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 80 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 20:21 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
    > 80 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 443 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    > 1024:65535 --dport 443 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --dport 22 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
    > 4444 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    > 4242 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    > 4242 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    > 4441 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    > 4441 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    > 4242 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    > 4242 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    > 4441 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    > 4441 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
    > 1:65535 -j CONFIRMED
    > -A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
    > -A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
    > -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    > -p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
    > -A USR_INPUT -d 192.168.2.255 -j DROP
    > -A USR_INPUT -d 192.168.1.255 -j DROP
    > -A USR_INPUT -d 255.255.255.255 -j DROP
    > COMMIT
    > # Completed on Fri Jul 21 01:30:07 2006
    >
    >
    > ip addr --->
    > 1: lo: mtu 16436 qdisc noqueue
    > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    > inet 127.0.0.1/8 scope host lo
    > 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    > link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
    > inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
    > 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    > link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
    > inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    > 4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    > link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
    > inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
    > ********* end
    >
    > ifconfig -a ----->
    > eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
    > inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
    > TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:1000
    > RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557 (2349.1 Mb)
    > Interrupt:169 Base address:0xdc00
    >
    > eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
    > inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:1000
    > RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
    >
    > eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
    > inet addr:69.20.153.137 Bcast:69.20.153.143 Mask:255.255.255.240
    > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    > RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:294358 txqueuelen:1000
    > RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120 (1884.5 Mb)
    >
    > lo Link encap:Local Loopback
    > inet addr:127.0.0.1 Mask:255.0.0.0
    > UP LOOPBACK RUNNING MTU:16436 Metric:1
    > RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
    > TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
    > collisions:0 txqueuelen:0
    > RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054 (1445.8 Mb)
    >
    > *************end
    >
    > The purpose of listing my current config was to give anyone else an idea
    > of what I am now using (like to suggest just an iptables-based solution
    > vs a larger Cisco PIX box, which would be overkill for my use). I
    > would like to switch to a different one, but I would like some opinions
    > of what you have used and are happy with vs getting a beta and having
    > security breaches, or if you could help me fix this one I would be very
    > appreciative.
    >
    > Chris
    >
    >
    >


    --
    # Jesse Molina
    # Mail = jesse@opendreams.net
    # Page = page-jesse@opendreams.net
    # Cell = 1.602.323.7608
    # Web = http://www.opendreams.net/jesse/




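The rule-by-rule analysis in Jesse's reply above, as an added example that is not part of the thread: a Python replay of the SPOOFING_PROTECTION chain against the logged packet. It embeds the ulogd line and the chain quoted in the discussion; any other packet fed to it (the same flow arriving on eth2, or a packet with a forged source) is a constructed input.

```python
"""Replay the firewall's SPOOFING_PROTECTION chain against a logged packet.

Added example, not code from the thread. Parses the ulogd line and the rules
quoted in the discussion and reports the first rule a packet matches. Only -s,
-d, -i and -p (with "!" negation) are evaluated, which is all this chain uses."""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The ulogd line from the thread: LAN client on eth0 -> the firewall's public IP, port 143.
LOG_LINE = (
    "2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT= "
    "MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105 "
    "DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF "
    "PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0"
)

# The SPOOFING_PROTECTION chain from the iptables-save dump, mail line-wrapping undone.
CHAIN_RULES = """
-A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
-A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
"""


@dataclass
class Rule:
    text: str
    chain: str = ""
    matches: List[Tuple[str, object, bool]] = field(default_factory=list)  # (option, value, negated)

    def hits(self, pkt: Dict[str, str]) -> bool:
        """True if the parsed ulogd fields satisfy every match; a negated match must fail."""
        for opt, want, negated in self.matches:
            if opt in ("-s", "-d"):
                held = ipaddress.ip_address(pkt["SRC" if opt == "-s" else "DST"]) in want
            elif opt == "-i":
                held = pkt.get("IN", "") == want
            else:  # -p
                held = pkt.get("PROTO", "").lower() == want
            if held == negated:
                return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save rule (1.3-style "-i ! eth2" as in the dump, or newer "! -i eth2")."""
    toks = shlex.split(line)
    rule, i, negate = Rule(text=line.strip()), 0, False
    while i < len(toks):
        tok, i = toks[i], i + 1
        if tok == "!":
            negate = True
            continue
        if tok not in ("-A", "-s", "-d", "-i", "-p"):
            negate = False  # some other match (-m, --dport, -j ...) this replay does not evaluate
            continue
        val, i = toks[i], i + 1
        if val == "!":  # iptables 1.3 puts the "!" after the option
            negate, val, i = True, toks[i], i + 1
        if tok == "-A":
            rule.chain = val
        elif tok in ("-s", "-d"):
            rule.matches.append((tok, ipaddress.ip_network(val, strict=False), negate))
        else:
            rule.matches.append((tok, val.lower() if tok == "-p" else val, negate))
        negate = False
    return rule


def parse_log(line: str) -> Dict[str, str]:
    """KEY=VALUE fields of a netfilter/ulogd log line; bare flags (CE, DF, SYN) are skipped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def load_chain(save_text: str, chain: str = "SPOOFING_PROTECTION") -> List[Rule]:
    # Rules of one chain, in the order netfilter evaluates them.
    rules = (parse_rule(l) for l in save_text.splitlines() if l.startswith("-A "))
    return [r for r in rules if r.chain == chain]


def first_match(pkt: Dict[str, str], rules: List[Rule]) -> Optional[Rule]:
    """First match wins, as in a netfilter chain; None means the chain falls through."""
    return next((r for r in rules if r.hits(pkt)), None)


if __name__ == "__main__":
    hit = first_match(parse_log(LOG_LINE), load_chain(CHAIN_RULES))
    print("logged packet dropped by:", hit.text if hit else "nothing (falls through)")
```

The DNAT rule added in the final reply clears the same check for a related reason: nat PREROUTING rewrites DST to the mail server before the filter table runs, so by the time SPOOFING_PROTECTION sees the packet its destination is no longer 69.20.153.137.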
  8. Re: Firewall

    Thank you all for the information and help.
    I found out what to do to fix it:
    I added a new NAT rule to change any src going to my pub IP with the
    service IMAP to my mail server destination, and poof, it works.

    Thanx

    Chris

    Jesse Molina wrote:
    >
    > This is very very useful information here.
    >
    > The error message tells us detailed info that we need to know about
    > what packet was dropped, that you did not want it dropped, and we have
    > the iptables configuration.
    >
    > Here is the important part of the error message details;
    >
    > IP-SPOOFING DROP: IN=eth0
    > SRC=192.168.2.105
    > DST=69.20.153.137
    > PROTO=TCP SPT=59941 DPT=143
    >
    > Okay, now here is the configuration that generated this iptables
    > packet drop, and chain it came from;
    >
    > -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: "
    > --ulog-cprange 40 --ulog-qthreshold 50
    > -A SPOOF_DROP -j DROP
    >
    > -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
    > SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
    > SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    > -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j SPOOF_DROP
    >
    >
    >
    > Finally, here is the offending line that our packet matches, which is
    > causing it to be dropped;
    >
    > "-A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP"
    >
    > Yep, that packet is coming in on eth0, going to 69.20.153.137. That's
    > perfectly sane, but the iptables rules are not. I think they assume
    > that the 192.168.2.0/24 network will access the firewall host only on
    > the same network interface, which is NOT a good assumption. Your IMAP
    > server has its DNS entry to use its public facing port.
    >
    > You need to remove the offending rule and your problems may go away.
    > That said, make sure to go through your firewall UI to do it -- don't
    > mess with iptables directly unless the firewall vendor/project says
    > you may do so, or you want to just use iptables in the future.
    >
    > Also, you may have other issues due to the NAT/MASQ you have going on
    > there. I don't know if the firewall trying to talk to itself through
    > a NAT/MASQ session is going to work.
    >
    > Another option that might resolve your problems is to have a split DNS
    > between the Internet and your inside networks (I don't like this
    > particular solution myself, but it's what many might do).
    >
    > My condolences on your complicated problem. You are going to need to
    > meditate on this one to get it figured out. Good luck though. It can
    > be done.
    >
    >
    >
    > Chris Davies wrote:
    >> Jesse Molina wrote:
    >>> The output of the command "iptables-save" would be useful to us. As
    >>> would an "ip addr" or "ifconfig -a", on BOTH the server and the
    >>> firewall.
    >>>
    >>> The actual error messages would be useful as well.
    >>>
    >>> If you don't want to fix it, which would be contrary to the fact that
    >>> you told us all about it, there are a number of other Linux or
    >>> FreeBSD/OpenBSD firewall projects -- google can help you find the way.
    >>> If you want to go commercial, Juniper/Netscreen, Cisco ASA/PIX, and
    >>> checkpoint are quite common. I don't care for Watchguard, SonicWall,
    >>> or other firewall vendors much.
    >>>
    >>>
    >>>
    >>> Chris Davies wrote:
    >>>> Hello,
    >>>> new to this place, so Hi everyone.
    >>>>
    >>>> I run a few servers on my network and am having problems with my
    >>>> firewall.
    >>>> I am finishing up my imap server but I can't connect to it, the
    >>>> error my
    >>>> firewall spits out is that it is a
    >>>> spoofed mac address (on the server side), I can connect to the
    >>>> local
    >>>> address' but will not anywhere where it has to go through my fw
    >>>> I run Debian 3.01(sarge) with Exim4, Dovecot imap w/maildir, also I
    >>>> have
    >>>> 4 virtual IPs on this server, for intra(extra)nets.
    >>>> My firewall is Astaro Security Linux 6.
    >>>> My question is what is a good firewall these days, because I have
    >>>> about
    >>>> had it with this one.
    >>>>
    >>>> Thanx
    >>>> Chris
    >>>>
    >>>>

    >> Message from log --->
    >> 2006:07:21-00:42:52 ulogd[1782]: IP-SPOOFING DROP: IN=eth0 OUT=
    >> MAC=00:01:02:66:65:9a:00:11:09:84:f3:2c:08:00 SRC=192.168.2.105
    >> DST=69.20.153.137 LEN=60 TOS=10 PREC=0x00 TTL=64 ID=42174 CE DF
    >> PROTO=TCP SPT=59941 DPT=143 SEQ=1895368652 ACK=0 WINDOW=5840 SYN URGP=0
    >>
    >> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    >> *nat
    >> :AUTO_OUTPUT - [0:0]
    >> :AUTO_POST - [0:0]
    >> :AUTO_PRE - [0:0]
    >> :PREROUTING ACCEPT [684764:90790281]
    >> :POSTROUTING ACCEPT [810702:54559262]
    >> :OUTPUT ACCEPT [38180:5648519]
    >> :USR_OUTPUT - [0:0]
    >> :USR_POST - [0:0]
    >> :USR_PRE - [0:0]
    >> -A PREROUTING -j AUTO_PRE
    >> -A PREROUTING -j USR_PRE
    >> -A POSTROUTING -j AUTO_POST
    >> -A POSTROUTING -j USR_POST
    >> -A OUTPUT -j AUTO_OUTPUT
    >> -A OUTPUT -j USR_OUTPUT
    >> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport
    >> 80 -j DNAT --to-destination 192.168.1.110
    >> -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
    >> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    >> -A USR_OUTPUT -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
    >> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    >> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25
    >> -j DNAT --to-destination 192.168.1.100
    >> -A USR_OUTPUT -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport
    >> 6881 -j DNAT --to-destination 192.168.2.105
    >> -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
    >> 6881 -j DNAT --to-destination 192.168.2.105
    >> -A USR_OUTPUT -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport
    >> 4444 -j DNAT --to-destination 192.168.2.105
    >> -A USR_POST -s 192.168.1.0/255.255.255.0 -o eth2 -j MASQUERADE
    >> -A USR_POST -s 192.168.2.0/255.255.255.0 -o eth2 -j MASQUERADE
    >> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1024:65535 --dport 80
    >> -j DNAT --to-destination 192.168.1.110
    >> -A USR_PRE -d 69.20.153.128/255.255.255.240 -p tcp -m tcp --sport
    >> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    >> -A USR_PRE -d 69.20.153.128/255.255.255.240 -p udp -m udp --sport
    >> 1:65535 --dport 4441 -j DNAT --to-destination 192.168.2.50
    >> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 25 -j
    >> DNAT --to-destination 192.168.1.100
    >> -A USR_PRE -d 69.20.153.137 -p tcp -m tcp --sport 1:65535 --dport 6881
    >> -j DNAT --to-destination 192.168.2.105
    >> -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 6881
    >> -j DNAT --to-destination 192.168.2.105
    >> -A USR_PRE -d 69.20.153.137 -p udp -m udp --sport 1:65535 --dport 4444
    >> -j DNAT --to-destination 192.168.2.105
    >> COMMIT
    >> # Completed on Fri Jul 21 01:30:07 2006
    >> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    >> *ips
    >> :PREROUTING ACCEPT [85268420:58804227617]
    >> :INPUT ACCEPT [71920:73703193]
    >> :FORWARD ACCEPT [18409:10865526]
    >> :OUTPUT ACCEPT [51149:7744091]
    >> :POSTROUTING ACCEPT [85257053:58524784864]
    >> COMMIT
    >> # Completed on Fri Jul 21 01:30:07 2006
    >> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    >> *mangle
    >> :INVALID_PKT - [0:0]
    >> :POLICY_ROUTING_OUT - [0:0]
    >> :POLICY_ROUTING_PRE - [0:0]
    >> :PREROUTING ACCEPT [85268432:58804228448]
    >> :INPUT ACCEPT [6933573:1948839077]
    >> :FORWARD ACCEPT [78333312:56855205229]
    >> :OUTPUT ACCEPT [7027235:1676138656]
    >> :POSTROUTING ACCEPT [67282614:56180797304]
    >> :SET_PRIO_HIGH - [0:0]
    >> :SET_PRIO_LOW - [0:0]
    >> -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
    >> --ulog-qthreshold 50
    >> -A INVALID_PKT -j DROP
    >> -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
    >> -A PREROUTING -p icmp -m icmp --icmp-type 5 -j ULOG --ulog-prefix "ICMP
    >> REDIRECT: " --ulog-cprange 40 --ulog-qthreshold 50
    >> -A PREROUTING -j POLICY_ROUTING_PRE
    >> -A PREROUTING -p tcp -m length --length 20:39 -j INVALID_PKT
    >> -A PREROUTING -p udp -m length --length 20:27 -j INVALID_PKT
    >> -A PREROUTING -p icmp -m length --length 20:21 -j INVALID_PKT
    >> -A PREROUTING -m state --state RELATED -m helper --helper "ftp" -j ULOG
    >> --ulog-prefix "FTP_DATA: " --ulog-cprange 40 --ulog-qthreshold 50
    >> -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p udp
    >> -m udp --sport 53:65535 --dport 53 -m u32 --u32
    >> 0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0 -j ULOG --ulog-prefix "DNS_REQUEST: "
    >> --ulog-cprange 40 --ulog-qthreshold 50
    >> -A PREROUTING -s ! 127.0.0.0/255.0.0.0 -d ! 127.0.0.0/255.0.0.0 -p tcp
    >> -m tcp --sport 53:65535 --dport 53 -m u32 --u32
    >> 0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x0>>0xf&0x1=0x0 -j ULOG --ulog-prefix
    >> "DNS_REQUEST: " --ulog-cprange 40 --ulog-qthreshold 50
    >> -A OUTPUT -j POLICY_ROUTING_OUT
    >> -A POSTROUTING -o lo -j ACCEPT
    >> -A POSTROUTING -p tcp -m tcp --tcp-flags ACK ACK -m length --length
    >> 50:100 -j SET_PRIO_HIGH
    >> -A POSTROUTING -m tos --tos Minimize-Delay -j SET_PRIO_HIGH
    >> -A POSTROUTING -p icmp -j SET_PRIO_HIGH
    >> -A SET_PRIO_HIGH -j CLASSIFY --set-class 0000:0008
    >> -A SET_PRIO_HIGH -j ACCEPT
    >> -A SET_PRIO_LOW -j CLASSIFY --set-class 0000:0005
    >> -A SET_PRIO_LOW -j ACCEPT
    >> COMMIT
    >> # Completed on Fri Jul 21 01:30:07 2006
    >> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    >> *raw
    >> :ICMP_FLOOD - [0:0]
    >> :ICMP_FLOOD_DROP - [0:0]
    >> :ICMP_FLOOD_DST - [0:0]
    >> :ICMP_FLOOD_SRC - [0:0]
    >> :LOCAL_TRAFFIC - [0:0]
    >> :PREROUTING ACCEPT [144:6172]
    >> :OUTPUT ACCEPT [913592:160544115]
    >> :SYN_FLOOD - [0:0]
    >> :SYN_FLOOD_DROP - [0:0]
    >> :SYN_FLOOD_DST - [0:0]
    >> :SYN_FLOOD_SRC - [0:0]
    >> :UDP_FLOOD - [0:0]
    >> :UDP_FLOOD_DROP - [0:0]
    >> :UDP_FLOOD_DST - [0:0]
    >> :UDP_FLOOD_SRC - [0:0]
    >> -A ICMP_FLOOD -j ICMP_FLOOD_SRC
    >> -A ICMP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    >> "ICMP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    >> -A ICMP_FLOOD_DROP -j DROP
    >> -A ICMP_FLOOD_DST -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
    >> --hashlimit-mode dstip --hashlimit-name ICMP_FLOOD_DST -j ACCEPT
    >> -A ICMP_FLOOD_DST -j ICMP_FLOOD_DROP
    >> -A ICMP_FLOOD_SRC -m hashlimit --hashlimit 5/sec --hashlimit-burst 2
    >> --hashlimit-mode srcip --hashlimit-name ICMP_FLOOD_SRC -j ICMP_FLOOD_DST
    >> -A ICMP_FLOOD_SRC -j ICMP_FLOOD_DROP
    >> -A LOCAL_TRAFFIC -j NOTRACK
    >> -A LOCAL_TRAFFIC -j ACCEPT
    >> -A LOCAL_TRAFFIC -j NOTRACK
    >> -A LOCAL_TRAFFIC -j ACCEPT
    >> -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j
    >> LOCAL_TRAFFIC
    >> -A PREROUTING -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j
    >> LOCAL_TRAFFIC
    >> -A PREROUTING -p tcp -j SYN_FLOOD
    >> -A PREROUTING -p udp -j UDP_FLOOD
    >> -A PREROUTING -p icmp -j ICMP_FLOOD
    >> -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    >> -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j LOCAL_TRAFFIC
    >> -A SYN_FLOOD -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    >> -A SYN_FLOOD -j SYN_FLOOD_SRC
    >> -A SYN_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    >> "SYN_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    >> -A SYN_FLOOD_DROP -j DROP
    >> -A SYN_FLOOD_DST -m hashlimit --hashlimit 200/sec --hashlimit-burst 30
    >> --hashlimit-mode dstip --hashlimit-name SYN_FLOOD_DST -j ACCEPT
    >> -A SYN_FLOOD_DST -j SYN_FLOOD_DROP
    >> -A SYN_FLOOD_SRC -m hashlimit --hashlimit 100/sec --hashlimit-burst 30
    >> --hashlimit-mode srcip --hashlimit-name SYN_FLOOD_SRC -j SYN_FLOOD_DST
    >> -A SYN_FLOOD_SRC -j SYN_FLOOD_DROP
    >> -A UDP_FLOOD -j UDP_FLOOD_SRC
    >> -A UDP_FLOOD_DROP -m limit --limit 5/sec -j ULOG --ulog-prefix
    >> "UDP_FLOOD: " --ulog-cprange 40 --ulog-qthreshold 50
    >> -A UDP_FLOOD_DROP -j DROP
    >> -A UDP_FLOOD_DST -m hashlimit --hashlimit 303/sec --hashlimit-burst 60
    >> --hashlimit-mode dstip --hashlimit-name UDP_FLOOD_DST -j ACCEPT
    >> -A UDP_FLOOD_DST -j UDP_FLOOD_DROP
    >> -A UDP_FLOOD_SRC -m hashlimit --hashlimit 200/sec --hashlimit-burst 60
    >> --hashlimit-mode srcip --hashlimit-name UDP_FLOOD_SRC -j UDP_FLOOD_DST
    >> -A UDP_FLOOD_SRC -j UDP_FLOOD_DROP
    >> COMMIT
    >> # Completed on Fri Jul 21 01:30:07 2006
    >> # Generated by iptables-save v1.3.1 on Fri Jul 21 01:30:07 2006
    >> *filter
    >> :AUTO_FORWARD - [0:0]
    >> :AUTO_INPUT - [0:0]
    >> :AUTO_OUTPUT - [0:0]
    >> :HA - [0:0]
    >> :INPUT DROP [3:534]
    >> :FORWARD DROP [0:0]
    >> :INVALID_PKT - [0:0]
    >> :LOGACCEPT - [0:0]
    >> :LOGDROP - [0:0]
    >> :LOGREJECT - [0:0]
    >> :OUTPUT DROP [4:224]
    >> :PSD_ACTION - [0:0]
    >> :PSD_MATCH - [0:0]
    >> :SANITY_CHECKS - [0:0]
    >> :SPOOFING_PROTECTION - [0:0]
    >> :SPOOF_DROP - [0:0]
    >> :STRICT_TCP_STATE - [0:0]
    >> :USR_FORWARD - [0:0]
    >> :USR_INPUT - [0:0]
    >> :USR_OUTPUT - [0:0]
    >> -A AUTO_FORWARD -p icmp -m icmp --icmp-type 8/0 -j CONFIRMED
    >> -A AUTO_FORWARD -p icmp -m icmp --icmp-type 0/0 -j CONFIRMED
    >> -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535
    >> --dport 22 -j CONFIRMED
    >> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 22 -j LOGDROP
    >> -A AUTO_INPUT -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 443 -j CONFIRMED
    >> -A AUTO_INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -j LOGDROP
    >> -A AUTO_INPUT -p tcp -m tcp --sport 53:65535 --dport 53 -j CONFIRMED
    >> -A AUTO_INPUT -p udp -m udp --sport 53:65535 --dport 53 -j CONFIRMED
    >> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 25 -j LOGDROP
    >> -A AUTO_INPUT -p tcp -m tcp --sport 1:65535 --dport 3840 -j CONFIRMED
    >> -A AUTO_OUTPUT -d 216.180.176.3 -p tcp -m tcp --sport 53:65535 --dport
    >> 53 -m owner --cmd-owner named -j CONFIRMED
    >> -A AUTO_OUTPUT -d 216.180.176.3 -p udp -m udp --sport 53:65535 --dport
    >> 53 -m owner --cmd-owner named -j CONFIRMED
    >> -A AUTO_OUTPUT -d 69.20.128.5 -p tcp -m tcp --sport 53:65535 --dport 53
    >> -m owner --cmd-owner named -j CONFIRMED
    >> -A AUTO_OUTPUT -d 69.20.128.5 -p udp -m udp --sport 53:65535 --dport 53
    >> -m owner --cmd-owner named -j CONFIRMED
    >> -A AUTO_OUTPUT -d 69.20.129.5 -p tcp -m tcp --sport 53:65535 --dport 53
    >> -m owner --cmd-owner named -j CONFIRMED
    >> -A AUTO_OUTPUT -d 69.20.129.5 -p udp -m udp --sport 53:65535 --dport 53
    >> -m owner --cmd-owner named -j CONFIRMED
    >> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 25 -m owner
    >> --cmd-owner exim -j CONFIRMED
    >> -A AUTO_OUTPUT -d 192.168.1.100 -p udp -m udp --sport 1:65535 --dport
    >> 514 -m owner --cmd-owner syslog-ng -j CONFIRMED
    >> -A AUTO_OUTPUT -p udp -m udp --sport 1024:65535 --dport 33000:34000 -m
    >> owner --cmd-owner netselect -j CONFIRMED
    >> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
    >> --cmd-owner aus -j CONFIRMED
    >> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
    >> --cmd-owner aus -j CONFIRMED
    >> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 80 -m owner
    >> --cmd-owner pattern_aus -j CONFIRMED
    >> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 443 -m owner
    >> --cmd-owner pattern_aus -j CONFIRMED
    >> -A AUTO_OUTPUT -p tcp -m tcp --sport 1:65535 --dport 21 -m owner
    >> --cmd-owner wget -j CONFIRMED
    >> -A INPUT -i lo -j ACCEPT
    >> -A INPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    >> -A INPUT -m state --state RELATED -j CONFIRMED
    >> -A INPUT -j SPOOFING_PROTECTION
    >> -A INPUT -j HA
    >> -A INPUT -j PSD_MATCH
    >> -A INPUT -j SANITY_CHECKS
    >> -A INPUT -j AUTO_INPUT
    >> -A INPUT -j USR_INPUT
    >> -A INPUT -j LOGDROP
    >> -A FORWARD -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    >> -A FORWARD -m state --state RELATED -j CONFIRMED
    >> -A FORWARD -j SPOOFING_PROTECTION
    >> -A FORWARD -j PSD_MATCH
    >> -A FORWARD -j SANITY_CHECKS
    >> -A FORWARD -j AUTO_FORWARD
    >> -A FORWARD -j USR_FORWARD
    >> -A FORWARD -j LOGDROP
    >> -A INVALID_PKT -j ULOG --ulog-prefix "INVALID_PKT: " --ulog-cprange 40
    >> --ulog-qthreshold 50
    >> -A INVALID_PKT -j DROP
    >> -A LOGACCEPT -j ULOG --ulog-prefix "ACCEPT: " --ulog-cprange 40
    >> --ulog-qthreshold 50
    >> -A LOGACCEPT -j CONFIRMED
    >> -A LOGDROP -j ULOG --ulog-prefix "DROP: " --ulog-cprange 40
    >> --ulog-qthreshold 50
    >> -A LOGDROP -j DROP
    >> -A LOGREJECT -j ULOG --ulog-prefix "REJECT: " --ulog-cprange 40
    >> --ulog-qthreshold 50
    >> -A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
    >> -A OUTPUT -o lo -j ACCEPT
    >> -A OUTPUT -m confirmed ERROR: UNKNOWN CONNMARK MATCH MODE -j ACCEPT
    >> -A OUTPUT -m state --state RELATED -j CONFIRMED
    >> -A OUTPUT -j HA
    >> -A OUTPUT -j SANITY_CHECKS
    >> -A OUTPUT -j AUTO_OUTPUT
    >> -A OUTPUT -j USR_OUTPUT
    >> -A OUTPUT -j LOGDROP
    >> -A PSD_ACTION -j ULOG --ulog-prefix "PORTSCAN: " --ulog-cprange 40
    >> --ulog-qthreshold 50
    >> -A PSD_ACTION -j DROP
    >> -A PSD_MATCH -m psd --psd-weight-threshold 21 --psd-delay-threshold 300
    >> --psd-lo-ports-weight 3 --psd-hi-ports-weight 1 -j PSD_ACTION
    >> -A SANITY_CHECKS -p tcp -m tcp --sport 21 --dport 1:65535 --tcp-flags
    >> SYN,RST,ACK RST -m state --state INVALID -j ACCEPT
    >> -A SANITY_CHECKS -p tcp -m state --state NEW -j STRICT_TCP_STATE
    >> -A SANITY_CHECKS -p tcp -m tcp --sport 1:65535 --dport 21 -m state
    >> --state INVALID -j REJECT --reject-with tcp-reset
    >> -A SANITY_CHECKS -p tcp -m state --state INVALID -j INVALID_PKT
    >> -A SPOOFING_PROTECTION -s 192.168.2.5 -i eth0 -j SPOOF_DROP
    >> -A SPOOFING_PROTECTION -d 192.168.2.5 -i ! eth0 -j SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth0 -j
    >> SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth0 -j
    >> SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 192.168.1.1 -i eth1 -j SPOOF_DROP
    >> -A SPOOFING_PROTECTION -d 192.168.1.1 -i ! eth1 -j SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth1 -j
    >> SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 69.20.153.128/255.255.255.240 -i eth1 -j
    >> SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 69.20.153.137 -i eth2 -j SPOOF_DROP
    >> -A SPOOFING_PROTECTION -d 69.20.153.137 -i ! eth2 -j SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 192.168.2.0/255.255.255.0 -i eth2 -j
    >> SPOOF_DROP
    >> -A SPOOFING_PROTECTION -s 192.168.1.0/255.255.255.0 -i eth2 -j
    >> SPOOF_DROP
    >> -A SPOOF_DROP -j ULOG --ulog-prefix "IP-SPOOFING DROP: " --ulog-cprange
    >> 40 --ulog-qthreshold 50
    >> -A SPOOF_DROP -j DROP
    >> -A STRICT_TCP_STATE -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j RETURN
    >> -A STRICT_TCP_STATE -p tcp -j INVALID_PKT
    >> -A STRICT_TCP_STATE -p tcp -j DROP
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 80 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 20:21 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 21 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 443 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1:65535 --dport 110 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1:65535 --dport 25 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 23 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.100 -p tcp -m
    >> tcp --sport 1024:65535 --dport 143 -j CONFIRMED
    >> -A USR_FORWARD -p tcp -m tcp --sport 1:65535 --dport 53 -j CONFIRMED
    >> -A USR_FORWARD -p udp -m udp --sport 1:65535 --dport 53 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
    >> -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1:65535 --dport 25
    >> -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1:65535 --dport 110 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1:65535 --dport 110 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1:65535 --dport 2703 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --sport
    >> 1:65535 --dport 2703 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1:65535 --dport 2703 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport
    >> 1:65535 --dport 2703 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
    >> 143 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.100 -p tcp -m tcp --sport 1024:65535 --dport
    >> 143 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 80 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 20:21 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.110 -p tcp -m tcp --sport 1024:65535 --dport
    >> 80 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 443 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport
    >> 1024:65535 --dport 443 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --dport 22 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 25 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 10000 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 10000 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1024:65535 --dport 80 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 8000:8999 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 5500:5502 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 3306 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 3306 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.105 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.105 -p udp -m udp --sport 1:65535 --dport
    >> 4444 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 4441 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    >> 4242 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    >> 4242 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    >> 4441 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    >> 4441 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3001:3305 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3001:3305 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 4441 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 4441 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    >> 4242 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    >> 4242 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1:65535 --dport
    >> 4441 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1:65535 --dport
    >> 4441 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2100:2702 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2100:2702 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 3307:3999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 3307:3999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 1024:2099 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 1024:2099 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p tcp -m tcp --sport 2704:2999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -d 192.168.2.50 -p udp -m udp --sport 2704:2999 --dport
    >> 1:65535 -j CONFIRMED
    >> -A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
    >> -A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 2049 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 514 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 5000 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p tcp -m tcp --sport 1024:65535 --dport 389 -j CONFIRMED
    >> -A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0
    >> -p udp -m udp --sport 1024:65535 --dport 389 -j CONFIRMED
    >> -A USR_INPUT -d 192.168.2.255 -j DROP
    >> -A USR_INPUT -d 192.168.1.255 -j DROP
    >> -A USR_INPUT -d 255.255.255.255 -j DROP
    >> COMMIT
    >> # Completed on Fri Jul 21 01:30:07 2006
    >>
    >>
    >> ip addr --->
    >> 1: lo: mtu 16436 qdisc noqueue
    >> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    >> inet 127.0.0.1/8 scope host lo
    >> 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    >> link/ether 00:01:02:66:65:9a brd ff:ff:ff:ff:ff:ff
    >> inet 192.168.2.5/24 brd 192.168.2.255 scope global eth0
    >> 3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    >> link/ether 00:08:c7:5b:26:09 brd ff:ff:ff:ff:ff:ff
    >> inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    >> 4: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
    >> link/ether 00:50:8b:0e:07:a2 brd ff:ff:ff:ff:ff:ff
    >> inet 69.20.153.137/28 brd 69.20.153.143 scope global eth2
    >> ********* end
    >>
    >> ifconfig -a ----->
    >> eth0 Link encap:Ethernet HWaddr 00:01:02:66:65:9A
    >> inet addr:192.168.2.5 Bcast:192.168.2.255 Mask:255.255.255.0
    >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    >> RX packets:43248768 errors:4 dropped:0 overruns:0 frame:4
    >> TX packets:35972974 errors:0 dropped:0 overruns:0 carrier:0
    >> collisions:0 txqueuelen:1000
    >> RX bytes:3994495514 (3809.4 Mb) TX bytes:2463271557
    >> (2349.1 Mb)
    >> Interrupt:169 Base address:0xdc00
    >>
    >> eth1 Link encap:Ethernet HWaddr 00:08:C7:5B:26:09
    >> inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    >> RX packets:6956097 errors:0 dropped:0 overruns:0 frame:0
    >> TX packets:10514182 errors:0 dropped:0 overruns:0 carrier:0
    >> collisions:0 txqueuelen:1000
    >> RX bytes:111359643 (106.2 Mb) TX bytes:2215921769 (2113.2 Mb)
    >>
    >> eth2 Link encap:Ethernet HWaddr 00:50:8B:0E:07:A2
    >> inet addr:69.20.153.137 Bcast:69.20.153.143
    >> Mask:255.255.255.240
    >> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    >> RX packets:30327796 errors:0 dropped:0 overruns:0 frame:0
    >> TX packets:32818577 errors:0 dropped:0 overruns:0 carrier:0
    >> collisions:294358 txqueuelen:1000
    >> RX bytes:2949179609 (2812.5 Mb) TX bytes:1976098120
    >> (1884.5 Mb)
    >>
    >> lo Link encap:Local Loopback
    >> inet addr:127.0.0.1 Mask:255.0.0.0
    >> UP LOOPBACK RUNNING MTU:16436 Metric:1
    >> RX packets:6116295 errors:0 dropped:0 overruns:0 frame:0
    >> TX packets:6116295 errors:0 dropped:0 overruns:0 carrier:0
    >> collisions:0 txqueuelen:0
    >> RX bytes:1516135054 (1445.8 Mb) TX bytes:1516135054
    >> (1445.8 Mb)
    >>
    >> *************end
    >>
    >> The purpose of listing my current config was to give anyone else an idea
    >> of what I am now using (like to suggest just an iptables based solution
    >> vs a larger Cisco PIX box, which would be overkill for my use). I
    >> would like to switch to a different one but I would like some opinions
    >> of what you have used and are happy with vs getting a beta and having
    >> security breaches, or if you could help me fix this one I would be very
    >> appreciative.
    >>
    >> Chris
    >>


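As an added example, not code from the thread or from Astaro: a small Python audit that parses iptables-save rules in the form quoted above and reports exact duplicates and accepted forward rules with no source or destination restriction (the NTP rules match only on port numbers, which any host can set). The sample rules are a constructed subset of the quoted dump with the wrapped lines rejoined.

```python
import re
from collections import Counter

# Constructed sample: subset of the USR_FORWARD / USR_INPUT rules quoted in the thread,
# with the line-wrapped rules rejoined onto one line each.
IPTABLES_RULES = """\
-A USR_FORWARD -p tcp -m tcp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -p udp -m udp --sport 123 --dport 123 -j CONFIRMED
-A USR_FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.2.0/255.255.255.0 -p tcp -m tcp --sport 1:65535 --dport 2049 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p tcp -m tcp --sport 1:65535 --dport 5000 -j CONFIRMED
-A USR_FORWARD -s 192.168.2.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -p udp -m udp --sport 1:65535 --dport 514 -j CONFIRMED
-A USR_INPUT -d 192.168.2.255 -j DROP
"""

# Matches the rule shape used in the dump: -A chain [-s src] [-d dst] [-p proto -m proto]
# [--sport x] [--dport y] -j target. Anything else is reported rather than silently skipped.
RULE_RE = re.compile(
    r"-A (?P<chain>\S+)(?: -s (?P<src>\S+))?(?: -d (?P<dst>\S+))?"
    r"(?: -p (?P<proto>\S+) -m \S+)?(?: --sport (?P<sport>\S+))?"
    r"(?: --dport (?P<dport>\S+))? -j (?P<target>\S+)"
)

def parse_rules(text):
    """Parse '-A ...' lines into dicts; missing matches become explicit wildcards."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip *filter, :CHAIN, COMMIT and comment lines
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError("unparsed rule: " + line)
        d = m.groupdict()
        rules.append({"chain": d["chain"], "src": d["src"] or "0.0.0.0/0",
                      "dst": d["dst"] or "0.0.0.0/0", "proto": d["proto"] or "all",
                      "sport": d["sport"] or "any", "dport": d["dport"] or "any",
                      "target": d["target"]})
    return rules

def duplicate_rules(rules):
    """Rules that appear more than once with identical match and target (dead weight)."""
    counts = Counter(tuple(sorted(r.items())) for r in rules)
    return [dict(k) for k, n in counts.items() if n > 1]

def unconstrained_forwards(rules):
    """Accepted forward rules with no -s/-d restriction; only ports limit the traffic."""
    return [r for r in rules if r["chain"] == "USR_FORWARD" and r["target"] != "DROP"
            and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0"]
```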