Firewall question - OS2

  1. Firewall question

    I have been wanting to setup the firewall so that the 2nd NIC in the
    computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    outside world and nothing else at all.

    The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    to have the 192.168 interface secured. Don't care about the 10.10
    interface. Routing is all setup and currently both interfaces have
    internet access. I have the firewall operating as pass everything at the
    moment.

    I have not been able to get my head around the firewall rules to
    achieve the above result.


    If anyone here in the group could suggest a rule set for the above setup
    I would be very grateful.

    BruceD

  2. Re: Firewall question

    On Sun, 4 May 2008 05:28:30 UTC, user@domain.invalid wrote:

    > I have been wanting to setup the firewall so that the 2nd NIC in the
    > computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    > outside world and nothing else at all.
    >
    > The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    > to have the 192.168 interface secured. Don't care about the 10.10
    > interface. Routing is all setup and currently both interfaces have
    > internet access. I have the firewall operating as pass everything at the
    > moment.
    >
    > I have not been able to get my head around the firewall rules to
    > achieve the above result.
    >
    >
    > If anyone here in the group could suggest a rule set for the above setup
    > I would be very grateful.
    >
    > BruceD


    This is not a 'doze NG.

    Pete



  3. Re: Firewall question

    On Sun, 4 May 2008 05:28:30 UTC, user@domain.invalid wrote:

    > I have been wanting to setup the firewall so that the 2nd NIC in the
    > computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    > outside world and nothing else at all.
    >
    > The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    > to have the 192.168 interface secured. Don't care about the 10.10
    > interface. Routing is all setup and currently both interfaces have
    > internet access. I have the firewall operating as pass everything at the
    > moment.
    >
    > I have not been able to get my head around the firewall rules to
    > achieve the above result.
    >
    >
    > If anyone here in the group could suggest a rule set for the above setup
    > I would be very grateful.


    Which version of the OS/2 operating system are you running?


  4. Re: Firewall question

    Bob Eager wrote:
    > On Sun, 4 May 2008 05:28:30 UTC, user@domain.invalid wrote:
    >
    >> I have been wanting to setup the firewall so that the 2nd NIC in the
    >> computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    >> outside world and nothing else at all.
    >>
    >> The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    >> to have the 192.168 interface secured. Don't care about the 10.10
    >> interface. Routing is all setup and currently both interfaces have
    >> internet access. I have the firewall operating as pass everything at the
    >> moment.
    >>
    >> I have not been able to get my head around the firewall rules to
    >> achieve the above result.
    >>
    >>
    >> If anyone here in the group could suggest a rule set for the above setup
    >> I would be very grateful.

    >
    > Which version of the OS/2 operating system are you running?


    I have WSEB installed. Latest fixes etc.. (:

  5. Re: Firewall question

    On Sun, 4 May 2008 11:55:33 UTC, user@domain.invalid wrote:

    > Bob Eager wrote:
    > > On Sun, 4 May 2008 05:28:30 UTC, user@domain.invalid wrote:
    > >
    > >> I have been wanting to setup the firewall so that the 2nd NIC in the
    > >> computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    > >> outside world and nothing else at all.
    > >>
    > >> The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    > >> to have the 192.168 interface secured. Don't care about the 10.10
    > >> interface. Routing is all setup and currently both interfaces have
    > >> internet access. I have the firewall operating as pass everything at the
    > >> moment.
    > >>
    > >> I have not been able to get my head around the firewall rules to
    > >> achieve the above result.
    > >>
    > >>
    > >> If anyone here in the group could suggest a rule set for the above setup
    > >> I would be very grateful.

    > >
    > > Which version of the OS/2 operating system are you running?

    >
    > I have WSEB installed. Latest fixes etc.. (:


    OK....have you seen...

    http://www.tavi.co.uk/os2pages/firewall.html

    There is also a good document on Hobbes - look for firewall_doc_v14.zip



  6. Re: Firewall question

    On Sun, 4 May 2008 05:28:30 UTC, user@domain.invalid wrote:

    > I have been wanting to setup the firewall so that the 2nd NIC in the
    > computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    > outside world and nothing else at all.
    >
    > The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    > to have the 192.168 interface secured. Don't care about the 10.10
    > interface. Routing is all setup and currently both interfaces have
    > internet access. I have the firewall operating as pass everything at the
    > moment.
    >
    > I have not been able to get my head around the firewall rules to
    > achieve the above result.


    This is off the top of my head, so take it with a grain of salt, but I think
    the following is the right idea...

    permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 21 non-secure both both
    permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 53 non-secure both both
    permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 80 non-secure both both


    And make sure you have the IP address of the 10.10.x.y NIC defined in
    %ETC%\fwsecad.cnf (or else these rules will be applied to both NICS).


    --
    Alex Taylor
    Fukushima, Japan
    http://www.socis.ca/~ataylo00

    Please take off hat when replying.

  7. Re: Firewall question

    Alex Taylor wrote:
    > On Sun, 4 May 2008 05:28:30 UTC, user@domain.invalid wrote:
    >
    >> I have been wanting to setup the firewall so that the 2nd NIC in the
    >> computer can only access ports 21 [ftp], 80 [http], 53 [dns] on the
    >> outside world and nothing else at all.
    >>
    >> The computer has 2 NICS installed 192.168.0.0 & 10.10.0.0. I would like
    >> to have the 192.168 interface secured. Don't care about the 10.10
    >> interface. Routing is all setup and currently both interfaces have
    >> internet access. I have the firewall operating as pass everything at the
    >> moment.
    >>
    >> I have not been able to get my head around the firewall rules to
    >> achieve the above result.

    >
    > This is off the top of my head, so take it with a grain of salt, but I think
    > the following is the right idea...
    >
    > permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 21 non-secure both both
    > permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 53 non-secure both both
    > permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 all any 0 eq 80 non-secure both both
    >
    >
    > And make sure you have the IP address of the 10.10.x.y NIC defined in
    > %ETC%\fwsecad.cnf (or else these rules will be applied to both NICS).
    >

    Thanks so much Alex for your input. Your train of thought was what I
    had thought too. Time to rethink all of this.

    Here is what I came up with and this does work the way I wanted it to. YMMV

    permit 0.0.0.0 0 0.0.0.0 0 all any 0 any 0 non-secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 icmp any 0 any 0 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 udp any 0 any 53 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 20 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp eq 20 any 0 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 21 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp eq 21 any 0 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 udp any 0 eq 67 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 udp eq 68 any 0 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 80 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp eq 80 any 0 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 3128 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp eq 3128 any 0 both both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 5900 secure both both l=no f=yes
    permit 0.0.0.0 0 0.0.0.0 0 tcp eq 5900 any 0 secure both both l=no f=yes

    I would have thought that I would not have to have had 'in and out'
    rule defined for the TCP protocols. I guess because UDP is a stateless
    TCP is not.

    The odd one out here is that I had to define a rule for the VNC server.
    My lan0 10/100 mb interface is the secured 10.10.10.0 interface whilst
    lan1 1gb interface is the one open to the world [so to speak]. Unless
    the port is open on the lan0 interface I cannot connect to the VNC
    server on the computer even if I am coming in via the lan1 interface.
    Lan1 is allowed to pass everything as per the 1st rule.

    I had to open the 5900 port on the lan0 interface even though nothing is
    blocked on the lan1 interface; VNC must listen on lan0 1st.

    route -fh
    arp -f
    ifconfig lo 127.0.0.1
    ifconfig lan0 10.10.10.10 netmask 255.255.255.0 metric 1 mtu 1500
    rem ifconfig lan0 10.10.10.254 netmask 255.255.255.0 alias
    ifconfig lan1 192.168.5.10 netmask 255.255.255.0 metric 1 mtu 1500
    route add default 192.168.5.254 -hopcount 1 -mtu 1500
    ipgate on

    To fix the VNC problem I will have to reconfigure via MPTS and make the
    lan0 the 1gb NIC as the 1st one in the setup.
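
The rule set above is a stateless, first-match packet filter, which is why BruceD needed one line for the outgoing request (destination port 80) and a second for the returning reply (source port 80). The following evaluator is an added example of mine, not part of this thread or of the OS/2 firewall code; it parses rule lines in the posted format and runs constructed packets through them so the effect of each line can be checked before the rules go live. It assumes rules are evaluated top to bottom with the first matching permit/deny winning, that a packet matching no rule is dropped, that the two keywords after the interface are routing and direction, and that a bare "0" in a mask position is the 0.0.0.0 wildcard mask; the remote address 198.51.100.7 and the port operators other than any/eq are my own choices. Note that, read this way, the `udp any 0 any 53` line uses `any` as the destination-port operator and so admits UDP to every port on the secure interface, not just DNS; that is worth confirming against the firewall documentation.

```python
"""Toy first-match evaluator for OS/2 (IBM TCP/IP) style filter rules.
Added example; assumptions: top-to-bottom evaluation, first match wins,
implicit deny, bare "0" mask = 0.0.0.0 wildcard, fields after the
interface are routing then direction."""
import ipaddress
from dataclasses import dataclass

# Sample input: a subset of the rule set posted in the thread.
RULES_TEXT = """
permit 0.0.0.0 0 0.0.0.0 0 all any 0 any 0 non-secure both both l=no f=yes
permit 0.0.0.0 0 0.0.0.0 0 icmp any 0 any 0 secure both both l=no f=yes
permit 0.0.0.0 0 0.0.0.0 0 udp any 0 any 53 secure both both l=no f=yes
permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 21 secure both both l=no f=yes
permit 0.0.0.0 0 0.0.0.0 0 tcp eq 21 any 0 secure both both l=no f=yes
permit 0.0.0.0 0 0.0.0.0 0 tcp any 0 eq 80 secure both both l=no f=yes
permit 0.0.0.0 0 0.0.0.0 0 tcp eq 80 any 0 secure both both l=no f=yes
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    interface: str          # "secure" or "non-secure"
    direction: str          # "inbound" or "outbound"
    routing: str = "local"  # "local" (this host) or "route" (forwarded)


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    sport_op: str
    sport: int
    dport_op: str
    dport: int
    interface: str
    routing: str
    direction: str
    text: str


# Port operators (assumed set): "any" ignores the value, the rest compare.
PORT_OPS = {
    "any": lambda port, ref: True,
    "eq": lambda port, ref: port == ref,
    "neq": lambda port, ref: port != ref,
    "lt": lambda port, ref: port < ref,
    "gt": lambda port, ref: port > ref,
    "le": lambda port, ref: port <= ref,
    "ge": lambda port, ref: port >= ref,
}


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    if mask == "0":  # assumption: bare 0 means the 0.0.0.0 wildcard mask
        mask = "0.0.0.0"
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_rules(text: str) -> list[Rule]:
    """Parse one rule per line; trailing l=/f= flags are accepted and ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        t = line.split()
        if len(t) < 13 or t[0] not in ("permit", "deny"):
            raise ValueError(f"cannot parse rule: {line}")
        rules.append(Rule(t[0], _network(t[1], t[2]), _network(t[3], t[4]),
                          t[5], t[6], int(t[7]), t[8], int(t[9]),
                          t[10], t[11], t[12], line))
    return rules


def _field_ok(rule_value: str, packet_value: str) -> bool:
    return rule_value == "both" or rule_value == packet_value


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "all" or rule.proto == pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in rule.src
            and ipaddress.IPv4Address(pkt.dst) in rule.dst
            and _field_ok(rule.interface, pkt.interface)
            and _field_ok(rule.routing, pkt.routing)
            and _field_ok(rule.direction, pkt.direction)
            and PORT_OPS[rule.sport_op](pkt.sport, rule.sport)
            and PORT_OPS[rule.dport_op](pkt.dport, rule.dport))


def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """'permit' or 'deny' from the first matching rule; deny if none matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def web_session_verdicts(rules_text: str) -> tuple[str, str]:
    """Verdicts for an outbound HTTP request and its reply on the secure side.
    Addresses are constructed (198.51.100.7 is a TEST-NET-2 address)."""
    rules = parse_rules(rules_text)
    request = Packet("10.10.10.10", "198.51.100.7", "tcp", 40000, 80, "secure", "outbound")
    reply = Packet("198.51.100.7", "10.10.10.10", "tcp", 80, 40000, "secure", "inbound")
    return evaluate(rules, request), evaluate(rules, reply)


if __name__ == "__main__":
    print("full rule set:", web_session_verdicts(RULES_TEXT))
    # Drop the "tcp eq 80 any 0" line: the stateless filter then blocks the reply.
    trimmed = "\n".join(l for l in RULES_TEXT.splitlines() if "eq 80 any 0" not in l)
    print("without reply rule:", web_session_verdicts(trimmed))
```

Running it prints `('permit', 'permit')` for the full set and `('permit', 'deny')` once the source-port-80 line is removed, which is exactly the symptom that prompted the paired rules; feeding it a TCP packet to port 22 on the secure interface gives `deny` because nothing matches and the filter falls through to the implicit deny.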


  8. Re: Firewall question

    BruceD wrote:
    > The odd one out here is that I had to define a rule for the VNC server.
    > My lan0 10/100 mb interface is the secured 10.10.10.0 interface whilst
    > lan1 1gb interface is the one open to the world [so to speak]. Unless
    > the port is open on the lan0 interface I cannot connect to the VNC
    > server on the computer even if I am coming in via the lan1 interface.
    > Lan1 is allowed to pass everything as per the 1st rule.


    Since I set up some firewall rules for my external NIC, I cannot connect
    anymore to the VNC server, neither from the outside nor from the inside
    of the private net, even if ports 5800 and 5900 are wide open on both NICs.

    So I am very interested to know how you solved the problem.

    Piersante


  9. Re: Firewall question

    piesse wrote:
    > BruceD wrote:
    >> The odd one out here is that I had to define a rule for the VNC server.
    >> My lan0 10/100 mb interface is the secured 10.10.10.0 interface whilst
    >> lan1 1gb interface is the one open to the world [so to speak]. Unless
    >> the port is open on the lan0 interface I cannot connect to the VNC
    >> server on the computer even if I am coming in via the lan1 interface.
    >> Lan1 is allowed to pass everything as per the 1st rule.

    >
    > Since I set up some firewall rules for my external NIC, I cannot connect
    > anymore to the VNC server, neither from the outside nor from the inside
    > of the private net, even if ports 5800 and 5900 are wide open on both NICs.
    >
    > So I am very interested to know how you solved the problem.
    >
    > Piersante
    >


    Using the rules mentioned, VNC is working fine from either the outside
    world or LAN to LAN. Sorry I cannot suggest anything further.
