
Re: ipchains/ipmasq/List of Ports/Exim



See below.

At 01:50 PM 11/10/00 +0000, Michael Boyd wrote:
>The info. you've kindly provided since my first mail has been most
>helpful thanks.  I am intending to rebuild my Debian box over the
>weekend with the bare necessities in terms of packages and modules and
>with a 100MB HD rather than 500MB.
>
>Before installing ipmasq I entered 'ipchains -nL' and received what I
>expected, i.e. a return listing the 3 chains and not much else.  After
>installing and starting ipmasq the same command returns a much longer
>list with more information.  Does this mean that both ipchains and
>ipmasq affect a single 'service' underlying them both?  I read an
>article last night referring to MASQ in ipchains commands, is that what
>ipmasq is activating?

Sort of. ipchains is the userspace utility for controlling the portion of
the kernel that does packet filtering. That portion can, roughly speaking,
do any of 4 things with respect to a packet: 

        ACCEPT (let it go through), 
        REJECT (don't let it go through, and tell the originator), 
        DENY (don't let it go through, and don't tell the originator)
        MASQ (masquerade it)

The ipchains command is the basic command for manipulating this table.
ipmasq is a "wrapper" package that constructs a useful ruleset for a
firewall and runs ipchains to implement it. The man page for ipmasq will
tell you more.

>Assuming my rebuild goes ok I intend to start planning the rules to give
>my FW.  Can anyone point me in the direction of a list of which ports do
>what?  I know 23 is telnet from a magazine article but that's about all.

As others have said, /etc/services is the basic source of this information.

>
>My reason for asking about exim in my last message was perhaps not as
>clear as it might have been.  I had 2 reasons for asking; 1) I was
>wondering if exim is an appropriate tool for making the logs on my FW
>available to a masqed box as emails, 

It can be used for this purpose. Any MTA can.

>and 2) If root generates emails
>routinely (excuse my lack of knowledge but I don't know if it does) I
>had a thought lurking in my mind that they could pile up and fill what
>remains of my 100MB drive.  

"root" is an account and, as such, does not "generate" email. It does
receive e-mail, which you can easily forward to another host using exim or
any sendmail-like MTA. On my routers, buildup of e-mail isn't a problem in
practice.

>With the file system full I guess the FW box
>would protest and in effect I would have done a DoS on myself.  If I am
>talking rubbish, please tell me, but not all at once!  :-)

Not rubbish -- when the filesystem is small, you have to pay attention to
these issues. Probably buildup of logs, if you do a lot of packet logging,
is more of a concern than buildup of e-mail.

>One last thing, which packages do I need to access my FW using ssh?

ssh. You need to get it from a non-US Debian archive.


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA           	 	         ray@comarre.com        
----------------------------------------------------------------
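
An added example, not part of the message above and not taken from the ipmasq package: a shell function that prints a minimal ipchains ruleset using each of the four targets described in the reply (ACCEPT, REJECT, DENY, MASQ). The interface name ppp0, the LAN range 192.168.1.0/24, and the choice of rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prints (does not execute) a small ipchains ruleset so it
# can be reviewed first. Interface and network values are assumptions.

# emit_ruleset EXT_IF LAN_NET
#   EXT_IF  - outside interface (assumed here: ppp0)
#   LAN_NET - masqueraded inside network (assumed here: 192.168.1.0/24)
emit_ruleset() {
    ext_if=$1
    lan=$2
    cat <<EOF
# Start from empty chains; forward nothing unless a rule allows it.
ipchains -F input
ipchains -F forward
ipchains -P forward DENY
# MASQ: rewrite LAN traffic leaving through the outside interface.
ipchains -A forward -i $ext_if -s $lan -j MASQ
# ACCEPT: ssh (22/tcp, see /etc/services) to the firewall itself.
ipchains -A input -i $ext_if -p tcp -d 0.0.0.0/0 22 -j ACCEPT
# REJECT: telnet (23/tcp) is refused and the sender is told.
ipchains -A input -i $ext_if -p tcp -d 0.0.0.0/0 23 -j REJECT
# DENY: other inbound TCP connection attempts (-y = SYN) are dropped
# silently. -l logs each hit, which is what can fill a small disk.
ipchains -A input -i $ext_if -p tcp -y -j DENY -l
EOF
}

# count_target TARGET: number of rules in the sample ruleset that jump
# to TARGET (policy lines set with -P are not counted).
count_target() {
    emit_ruleset ppp0 192.168.1.0/24 | grep -c -- "-j $1"
}

# logged_rules: rules carrying -l, i.e. the ones that write to the logs.
logged_rules() {
    emit_ruleset ppp0 192.168.1.0/24 | grep -c -- ' -l$'
}
```

Rule order matters: the ssh ACCEPT must come before the catch-all SYN DENY, because ipchains stops at the first matching rule.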


