From: yciw@valcea.ro
Date: Tue Sep 19 2000 - 11:25:37 EEST
>Ok, you're the second reply, but missing the point...
>
> The protocol is 4, but the port number used is a
> different quantity, i.e. ftp=21, smtp=25, telnet=23,
> ssh=22, http=80, etc....
>
>I can block within the firewall based on protocol, ip
>address, *and* port number. I don't trust any form of
>NOS to perform this function.
The concept of a port number is only valid for TCP and UDP
inside IP. When IP is in IP there is no need to specify
port numbers to allow through the firewall AT THIS STAGE.
Once the IP in IP has been detunneled then you end up with
TCP or UDP in IP and a new set of rules apply to this traffic.
So if you are receiving IPIP then you need two sets of rules.
The first set only filters IP addresses on the IPIP traffic
on the interface the IPIP is arriving on, then another set of
rules are needed to filter the TCP/UDP-IP traffic in the same
way as traffic arriving normally, but this time it is arriving
from itself.
I have a feeling that the new firewalling in kernel 2.4 might
be better suited to this over the ipchains stuff in 2.2.
-
To unsubscribe from this list: send the line "unsubscribe linux-hams" in
the body of a message to yawlpqdo.lxidguavzt@ipvh.com
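The two-stage filtering described in the message above, worked through as an added example (not code from the original post or from any Linux firewall tool). It builds an IP-in-IP packet in memory, applies a first rule set that can only see the outer header (protocol 4 plus source and destination addresses), detunnels, and then applies a second rule set to the inner TCP packet where the port numbers actually live. The addresses, allowed peer list and allowed port set are constructed sample data; `naive_ports()` shows what a port rule written against the *outer* IPIP packet would really be matching on. On a Linux box the two sets correspond to rules on the physical interface (matching protocol 4 by address) and rules on the tunnel device the decapsulated traffic re-enters from, but this example does not invoke ipchains or iptables.

```python
"""Two-stage filtering of IP-in-IP (protocol 4) traffic, modelled in Python.

Constructed example: packets are built in memory and never transmitted,
so IP checksums are left at zero.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
IPV4_HDR = "!BBHHHBBH4s4s"          # minimal 20-byte IPv4 header, no options


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header carrying `proto` with `payload_len` bytes after it."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def tcp_header(sport, dport):
    """Minimal 20-byte TCP SYN header with no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def ipip_packet(outer_src, outer_dst, inner_src, inner_dst, sport, dport):
    """Outer IPv4 (protocol 4) wrapping an inner IPv4/TCP packet."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, 20) + tcp_header(sport, dport)
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def parse_ipv4(pkt):
    """Return protocol, addresses and the payload that follows the IP header."""
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total]}


def naive_ports(pkt):
    """What a 'port' rule applied to the OUTER packet would really match:
    the four bytes after the outer header are the inner IP header's
    version/IHL, TOS and total length, not TCP/UDP port numbers."""
    return struct.unpack("!HH", pkt[20:24])


def outer_filter(ip, allowed_peers):
    """Rule set 1, on the physical interface: protocol and addresses only."""
    if ip["proto"] != IPPROTO_IPIP:
        return "DROP"
    return "ACCEPT" if ip["src"] in allowed_peers else "DROP"


def inner_filter(ip, allowed_tcp_ports):
    """Rule set 2, applied to the detunnelled packet as if it had arrived
    on the tunnel interface; here the port numbers are real."""
    if ip["proto"] == IPPROTO_TCP:
        _sport, dport = struct.unpack("!HH", ip["payload"][:4])
        return "ACCEPT" if dport in allowed_tcp_ports else "DROP"
    return "DROP"


def firewall(pkt, allowed_peers, allowed_tcp_ports):
    """Run both stages; report which stage produced the verdict."""
    outer = parse_ipv4(pkt)
    verdict = outer_filter(outer, allowed_peers)
    if verdict != "ACCEPT":
        return ("outer", verdict)
    inner = parse_ipv4(outer["payload"])       # detunnel: strip the outer header
    return ("inner", inner_filter(inner, allowed_tcp_ports))


# Constructed sample traffic: TEST-NET addresses outside, 44/8-style inside.
PEERS = {"192.0.2.10"}                          # hypothetical IPIP peer list
PORTS = {22, 25}                                # hypothetical allowed inner services
SMTP_FROM_PEER = ipip_packet("192.0.2.10", "192.0.2.1", "44.1.1.1", "44.1.1.2", 40000, 25)
TELNET_FROM_PEER = ipip_packet("192.0.2.10", "192.0.2.1", "44.1.1.1", "44.1.1.2", 40001, 23)
SMTP_FROM_STRANGER = ipip_packet("198.51.100.7", "192.0.2.1", "44.1.1.1", "44.1.1.2", 40002, 25)

if __name__ == "__main__":
    for name, pkt in [("smtp from peer", SMTP_FROM_PEER),
                      ("telnet from peer", TELNET_FROM_PEER),
                      ("smtp from stranger", SMTP_FROM_STRANGER)]:
        print(f"{name:20} {firewall(pkt, PEERS, PORTS)}  "
              f"outer 'ports' a naive rule would see: {naive_ports(pkt)}")
```

The telnet packet from a trusted peer passes the first stage on its addresses and is only rejected after detunnelling, while the stranger's packet never reaches the second stage; a port rule written against the raw IPIP packet would have been testing the inner header's length field instead of a port.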
This archive was generated by hypermail 2b29 : Tue Sep 19 2000 - 11:26:34 EEST