[Firehol-support] dns?
Rick Marshall
rjm at zenucom.com
Wed May 4 08:32:24 BST 2005
Goetz Bock wrote:
>On Wed, May 04 '05 at 12:29, Rick Marshall wrote:
>
>
>>interface eth1 inet src "${access_ip}"
>> protection strong 100/sec 200
>> policy reject
>> server "${services}" accept
>> client all accept
>>
>>
>>
>
>try this:
>
>interface eth1 inet
> protection strong 100/sec 200
> policy reject
> server "${services}" accept src "${access_ip}"
> client all accept
>
>
<snip />
Thanks for that - I don't quite understand why it works better, but it does.
I've changed policy to drop - basically I don't want all those Chinese
hackers logged, don't want to tell them we're there, just want to ignore
them. Their problem if they have long timeouts ;)
Behind the firewall is a small office network (192.168.5.0/24). It seems
to work OK, but I'm still getting this in the logs:
May 4 15:25:31 china kernel: PASS-unknown:IN=eth0 OUT=eth1 SRC=192.168.5.247 DST=65.54.194.118 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=53511 DF PROTO=TCP SPT=2854 DPT=80 WINDOW=16688 RES=0x00 ACK FIN URGP=0
which looks like someone trying to get a web page, but I checked with
them and they can browse the internet OK.
I have:
router office2inet inface eth0 outface eth1
route all accept
which I thought would pass all traffic?
rick
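Added example, not part of the original thread or of FireHOL itself: a small Python parser for netfilter LOG lines like the one quoted above, which classifies each logged packet by its TCP flags so that a stray ACK FIN from a conversation the firewall no longer has state for can be told apart from a genuine unsolicited connection attempt. The first sample line is the one from the message re-joined; the second (with RFC 5737 addresses) is invented for contrast.

```python
import re
from collections import Counter

# Constructed samples: the first is the kernel log line quoted in the message
# above, re-joined into one line; the second is an invented inbound SYN with
# an 'IN-unknown' prefix (RFC 5737 addresses) added for contrast.
SAMPLE_LOGS = [
    "May 4 15:25:31 china kernel: PASS-unknown:IN=eth0 OUT=eth1 "
    "SRC=192.168.5.247 DST=65.54.194.118 LEN=40 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=53511 DF PROTO=TCP SPT=2854 DPT=80 WINDOW=16688 RES=0x00 ACK FIN URGP=0",
    "May 4 15:26:02 china kernel: IN-unknown:IN=eth1 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
    "ID=1 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_log(line):
    """Parse one netfilter LOG line: KEY=VALUE tokens become dict entries, bare
    tokens (DF, SYN, ACK, FIN, ...) go into 'flags', --log-prefix into 'prefix'."""
    m = re.search(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)\s*(?P<body>IN=.*)$", line)
    if not m:
        return None  # not a netfilter LOG entry (e.g. an sshd line)
    entry = {"prefix": m.group("prefix").rstrip(": "), "flags": set()}
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value  # 'OUT=' with no value yields an empty string
        else:
            entry["flags"].add(token)
    return entry

def classify_tcp(entry):
    """Stage of the TCP conversation a logged packet belongs to. FireHOL's '-unknown'
    prefix marks a packet no rule matched, so the flags separate a new attempt from a stray."""
    if entry is None or entry.get("PROTO") != "TCP":
        return "not-tcp"
    flags = entry["flags"] & TCP_FLAGS
    if flags == {"SYN"}:
        return "new-connection"  # a real, unsolicited connection attempt
    if flags & {"FIN", "RST"}:
        return "teardown-without-state"  # e.g. the ACK FIN quoted in the message
    return "mid-connection-without-state"  # conntrack entry already gone

def summarize(lines):
    """Count packets per (prefix, classification) so stale-connection noise
    can be told apart from genuinely unsolicited traffic."""
    parsed = (parse_netfilter_log(line) for line in lines)
    return Counter((e["prefix"], classify_tcp(e)) for e in parsed if e is not None)
```

Running summarize over the two samples yields one PASS-unknown teardown packet and one IN-unknown new connection, which is the distinction worth keeping in mind before treating every "unknown" log line as a probe.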