Samba and firewall in the same box?
Glenn Burkhardt
glenn at aoi.ultranet.com
Fri Feb 4 09:47:45 EST 2000
On Samba, note that using netgroup for 'hosts allow' doesn't work, due to
(numerous) bugs in the glibc libraries (FSF re-inventing the wheel, again).
There are, of course, a bunch of things one can do to beef up one's
firewall (read the excellent IP-Chains HOWTO). Here's my current setup:
#!/bin/sh
# ipchains-based masquerading firewall (2.2-series kernel).
echo 'enable IP masquerading'

# anti-spoofing packet filtering based on source: with rp_filter on, a packet
# whose source address would not be routed back out the interface it arrived
# on is dropped (catches packets from ppp0 claiming internal addresses).
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Masquerading rules: forward nothing by default, then masquerade only the
# two internal networks.
ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/255.255.255.0 -j MASQ
ipchains -A forward -s 192.168.204.0/255.255.255.0 -j MASQ

# Services we want to have from internal sources but not from the cold, cruel
# world.... 999.999.999.999 stands in for the firewall's external address.
# Service names resolve via /etc/services: login 513, exec 512, shell 514,
# pop-3 110, imap3 220 (note imap3 is port 220; plain IMAP is 143, listed as
# imap2/imap). The input chain's default policy stays ACCEPT, so only the
# services listed here are blocked from ppp0.
ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 login -j DENY
ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 exec -j DENY
ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 shell -j DENY
ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 pop-3 -j DENY
ipchains -A input -i ppp0 -p tcp -d 999.999.999.999 imap3 -j DENY
ipchains -A input -i ppp0 -p udp -d 999.999.999.999 pop-3 -j DENY
ipchains -A input -i ppp0 -p udp -d 999.999.999.999 imap3 -j DENY

# Ok, rules in place, turn it on
echo "1" > /proc/sys/net/ipv4/ip_forward
# FTP data connections need the masquerading helper module
/sbin/modprobe ip_masq_ftp
I'm not sure what one does without a static IP address for the firewall,
though. The pppd has some options for doing things once a demand-mode link
goes up....
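For the dynamic-address case raised above, the hook pppd offers is /etc/ppp/ip-up (and ip-down), which it runs with the arguments <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>; the negotiated address is "$4" and can take the place of the hardcoded 999.999.999.999. The script below is an added example, not code from the original post: it generates the post's per-service DENY rules for whatever address the link got, installs them on ip-up and removes them on ip-down. It assumes ipchains(8) and the service names from the post; the interface name and addresses are illustrative, and DRY_RUN defaults to 1 so it only prints the commands unless told otherwise.

```shell
#!/bin/sh
# Added example (not from the original post). Install as /etc/ppp/ip-up and
# symlink as /etc/ppp/ip-down; pppd calls both with
#   <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Assumes ipchains(8) and the service names used in the post.

# Emit one ipchains command per line for the post's "internal only" services.
# $1 is the chain action (A = append on ip-up, D = delete on ip-down),
# $2 the interface, $3 the address to protect (pppd's "$4").
build_rules() {
    action="$1"; iface="$2"; addr="$3"
    for svc in login exec shell pop-3 imap3; do
        echo "ipchains -$action input -i $iface -p tcp -d $addr $svc -j DENY"
    done
    for svc in pop-3 imap3; do
        echo "ipchains -$action input -i $iface -p udp -d $addr $svc -j DENY"
    done
}

# Run the generated commands, or just print them when DRY_RUN=1 (the
# default here, so the script can be inspected on a box without ipchains).
apply_rules() {
    build_rules "$@" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || echo "failed: $cmd" >&2
        fi
    done
}

# Dispatch only when invoked by pppd as ip-up / ip-down, so running or
# sourcing this file by hand does nothing.
case "$0" in
    # link came up: install DENY rules for the address just negotiated
    */ip-up)   apply_rules A "$1" "$4" ;;
    # link went down: remove them so redials with new addresses do not
    # leave stale rules piling up in the input chain
    */ip-down) apply_rules D "$1" "$4" ;;
esac
```

Deleting on ip-down matters because ipchains -A only appends: without it, each redial adds another seven rules for an address the box no longer holds.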
-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).