Author Topic: ZTL inside NAT  (Read 11137 times)

Offline rgreene501

  • Comodo Loves me
  • ****
  • Posts: 180
  • Life is too short to drink cheap beer
ZTL inside NAT
« on: August 23, 2006, 10:43:08 PM »
The default iptables rules block input from private networks.  Not so cool when your interface sits on a 172.17. block.  Easy to fix, but could the installer be modified to accommodate this?  The interface is defined early in the installation, before anything is written to disk other than the file systems.

I understand the rationale, but we block these at the router anyway.
Pull my finger for my public key

Offline vadim

  • Comodo's Hero
  • *****
  • Posts: 257
Re: ZTL inside NAT
« Reply #1 on: August 28, 2006, 09:31:53 AM »
Hello!
You should only disable option 'Drop all packets from private reserved networks'  on the ZTL Firewall module index page.

Offline rgreene501

  • Comodo Loves me
  • ****
  • Posts: 180
  • Life is too short to drink cheap beer
Re: ZTL inside NAT
« Reply #2 on: August 28, 2006, 02:11:05 PM »
Vadim,

Thank you for the response.

I saw the option and that works for my purpose, but was curious about modifying the installer to accommodate private networks with greater granularity.

If I'm on a 192.168.0/24 it would be nice to still block the rest of that /16 as well as 172.16/12 and 10/8.  I see no method in the ZTL admin panel to define these blocks for exclusion or to create specific drop rules either by service or address.

As I said in my previous post, we drop these packets at the router anyway, so for this network, it's unnecessary.  I'm just curious.
Pull my finger for my public key

Offline vadim

  • Comodo's Hero
  • *****
  • Posts: 257
Re: ZTL inside NAT
« Reply #3 on: August 30, 2006, 03:56:26 AM »
ZTL Firewall drops all packets from private reserved networks (if the option is enabled):
A: 10.0.0.0/8
B: 172.16.0.0/16-172.31.0.0/16
C: 192.168.0.0/24-192.168.255.0/24
It's possible to create specific rules for each of the blocks, but it'll complicate the Firewall interface very much.

Offline rgreene501

  • Comodo Loves me
  • ****
  • Posts: 180
  • Life is too short to drink cheap beer
Re: ZTL inside NAT
« Reply #4 on: August 30, 2006, 03:28:29 PM »
Vadim,

I can appreciate the complexity and don't mind building rules myself.  I just don't want to break ZTL in the process.

Is there documentation regarding what is safe to modify manually?  I've already been bitten by creating a user via smbpasswd and it killed the ability to create a domain.
Pull my finger for my public key

Offline vadim

  • Comodo's Hero
  • *****
  • Posts: 257
Re: ZTL inside NAT
« Reply #5 on: September 01, 2006, 02:43:27 AM »
Hello!

We still don't have Firewall documentation (in development). (:SAD)

All ZTL Firewall rules are saved in /etc/sysconfig/iptables-ipv4.d/ztl-rules.sh. We don't recommend editing this file manually. If you want to use more complete rules you should:
1. Back up and delete /etc/sysconfig/iptables-ipv4.d/ztl-rules.sh
2. Add new rules into the file /etc/sysconfig/iptables-ipv4.d/start.
3. Restart the Firewall (service iptables restart)
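The following script is an added example, not ZTL's own code and not something vadim posted. It ties together the granular blocking rgreene501 asked for in Reply #2 (accept your own /24, drop the rest of 192.168.0.0/16 plus 172.16.0.0/12 and 10.0.0.0/8) with the three-step procedure vadim describes above. The paths are the ones named in the thread; everything else is an assumption for illustration: the interface name eth0, the local subnet 192.168.0.0/24, the use of the INPUT chain (vadim's post does not say which chain ZTL uses), and the marker comment used to keep the script from appending the rules twice. Note that the ACCEPT for the local /24 must come before the DROP for 192.168.0.0/16, because iptables matches rules in order.

```shell
#!/bin/sh
# Added example: replace ZTL's coarse "drop all private networks" rule with
# granular rules. Assumed values (constructed for the example): eth0, 192.168.0.0/24.

ZTL_RULES=/etc/sysconfig/iptables-ipv4.d/ztl-rules.sh   # path from vadim's post
ZTL_START=/etc/sysconfig/iptables-ipv4.d/start          # path from vadim's post
MARKER='# granular-private-rules'                        # hypothetical marker line

# Print the iptables commands. The local subnet is accepted first, then the
# three RFC 1918 blocks are dropped; 172.16.0.0/12 covers 172.16.x-172.31.x.
private_drop_rules() {
    iface="$1"
    local_net="$2"
    printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' "$iface" "$local_net"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$iface" "$net"
    done
}

# Count the rules that private_drop_rules emits for a given input (used for
# a sanity check before touching the system).
rule_count() {
    private_drop_rules "$1" "$2" | grep -c 'iptables -A INPUT'
}

# vadim's procedure: 1) back up and delete ztl-rules.sh, 2) append rules to
# the start file, 3) restart the firewall. Only run as root on a ZTL box.
install_private_rules() {
    iface="$1"
    local_net="$2"
    if [ -f "$ZTL_RULES" ]; then
        cp -p "$ZTL_RULES" "$ZTL_RULES.bak.$(date +%Y%m%d%H%M%S)"   # step 1: backup
        rm -f "$ZTL_RULES"                                           # step 1: delete
    fi
    if ! grep -q "^$MARKER\$" "$ZTL_START" 2>/dev/null; then         # step 2: append once
        { echo "$MARKER"; private_drop_rules "$iface" "$local_net"; } >> "$ZTL_START"
    fi
    service iptables restart                                         # step 3: reload
}

# Usage: sh granular-private.sh apply eth0 192.168.0.0/24
# Without "apply" the script only prints the rules it would add.
case "${1:-}" in
    apply) install_private_rules "${2:-eth0}" "${3:-192.168.0.0/24}" ;;
    *)     private_drop_rules "${2:-eth0}" "${3:-192.168.0.0/24}" ;;
esac
```

Run it without arguments first to review the generated rules; the marker line means a second `apply` will not append a duplicate set, and the timestamped backup lets you restore ztl-rules.sh if the management interface turns out to depend on it.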

Offline rgreene501

  • Comodo Loves me
  • ****
  • Posts: 180
  • Life is too short to drink cheap beer
Re: ZTL inside NAT
« Reply #6 on: September 01, 2006, 03:30:10 AM »
Thanks for the tip Vadim,

I had been modifying ztl-rules.sh to accommodate my needs.  I'll rename the file and restart.

As for firewall documentation...  I don't really need an iptables tutorial.  I just need to know what may be modified without breaking the ZTL management interface.

Regards,
BobG
Pull my finger for my public key
