IPFWADM FAQ - Frequently asked questions
by DREAMWVR.COM dreamwvr@dreamwvr.com

This document is a list of Frequently Asked Questions (with the hopefully correct answers) about IPFWADM.

1. Meta-questions
1.1 Where do I get this document?
1.2 Where do I send questions, corrections etc. about this document?
2. IPFWADM Basics
2.1 What is ipfwadm?
2.2 Why should I use it?
2.3 What kinds of attacks does ipfwadm protect against?
2.4 What kinds of attacks does ipfwadm not protect against?
2.5 How does it work?
3. Obtaining and installing ipfwadm
3.1 What is the latest version of ipfwadm?
3.2 May I legally run ipfwadm?
3.3 What about commercial use of ipfwadm?
3.4 Where can I obtain ipfwadm?
3.5 How do I install it?
3.6 Does it make sense to install ipfwadm as root under UNIX?
3.7 Where do I get help?
3.8 Are there any versions for other operating systems than Linux?
3.9 What about accounting with ipfwadm?
4. ipfwadm Usage
4.1 How do I see a detailed analysis of my rules for masquerading?
4.2 How do I check whether a specific packet would be accepted, denied or rejected by one of my firewalls?
4.3 What is the difference between rejecting and denying a packet in ipfwadm?
4.4 How do I enable IP forwarding from the command line?
4.5 How do I make IP forwarding automatically enabled at boot on Linux?
4.6 Where exactly do I place the ipfwadm rules that I want run when my system comes up, so they run without intervention?
4.7 Why doesn't my browser's FTP work when other FTP clients and the command line work fine?
4.8 Can I use ipfwadm to protect services like FTP or POP?
4.9 Why is it important to start by denying access on all the firewalls controlled by ipfwadm?
4.10 Can you present a basic example for analysis?
5. Problems
5.1 Are there known compiling problems with ipfwadm?
5.2 Does glibc2 cause problems?
5.3 Are there any problems with transparent proxy?
6. Miscellaneous
6.1 What known security bugs exist in which versions of ipfwadm?
6.2 How widespread is use of ipfwadm?
6.4 Credits

Atoms Forwarded by dreamwvr.com

Chapter 1
=====================================================================================
1. IPFWADM Meta-questions

1.1 Where do I get this document?
The latest version of this document is available from http://www.dreamwvr.com/ipfwadm/ipfwadm-faq.html . It may also be posted, on a regular basis, to the Usenet newsgroups comp.security.misc, comp.security.unix, sci.crypt, comp.answers, sci.answers and news.answers. This version can be, and will be, available from http://www.fwtk.org/ipfwadm/faq/ and from http://www.dreamwvr.com/ipfwadm-faq/ipfwadm-faq.faq . Also of interest is the FWTK.ORG home page, at http://www.fwtk.org/ .

1.2 Where do I send questions, corrections etc. about this document?
Please send them to the maintainer, dreamwvr@dreamwvr.com

Chapter 2
=====================================================================================
2. IPFWADM basics

2.1 What is ipfwadm?
To quote the ipfwadm man page (man ipfwadm):

  "Ipfwadm is used to set up, maintain, and inspect the IP firewall and accounting rules in the Linux kernel. These rules can be divided into four different categories: accounting of IP packets, the IP input firewall, the IP output firewall, and the IP forwarding firewall. For each of these categories, a separate list of rules is maintained. See ipfw(4) for more details."

On its own ipfwadm is a flexible packet-filtering firewall: it decides, per packet, what the kernel accepts, forwards or sends. It should be noted that when combined with other firewalling technologies, in particular fwtk, which operates at the application level, it can make a very robust and secure firewall device, since the two work at different layers and catch different things.

2.2 Why should I use it?
Traditional routers are vulnerable to different kinds of attacks.
Somebody who has access to machines on the Internet, in any fashion, can gain unauthorized access to your systems in a multitude of ways. It is also possible for such a person to destroy or alter at will any unprotected areas of your network. ipfwadm lets the Linux box that routes for you decide, packet by packet, what is allowed through.

2.3 What kinds of attacks does ipfwadm protect against?
ipfwadm helps protect against:

- IP spoofing, where a host out in the void sends packets that claim to come from a trusted inside host. ipfwadm does not detect this by itself: you protect against it with a rule that denies any packet arriving on the external interface whose source address belongs to the inside network (see the anti-spoofing rule in 4.10).
- Source routing, where an intruder uses the IP source-route option to dictate the path a packet takes and so pass as a trusted system. Strictly speaking, dropping source-routed packets is a kernel configuration option ("IP: drop source routed frames") rather than an ipfwadm rule, but it belongs to the same policy and you should enable it.
- Unwanted access: ipfwadm can explicitly deny specific hosts access to services, and deny trusted hosts access to untrusted sites.

By directing the flow of IP packets, whether TCP, UDP or ICMP, it controls the flow of data in any direction according to your specific needs. In short, it acts as a choke point for all TCP, UDP and ICMP based services that your network offers, or that hosts on your network are allowed to reach.

2.4 What kinds of attacks does ipfwadm not protect against?
ipfwadm will not protect you from attacks based on weaknesses inherent in cleartext services; for those you will need encryption. It will also not protect you from malicious activity after authentication, so be wise and use a secure authentication system whose credentials are unpredictable and hard to crack. If you allow user services on the firewall host that runs ipfwadm then all bets are off, as each service provided increases the odds of compromise. One need only look at the serious issues that unaddressed holes in Exploder have surfaced to understand the security issues involved. Security administrators should seriously consider not allowing any service whose implications they do not understand. Since this is sometimes unrealistic, consider this: if for instance you offer NetMeeting without analysing exactly how it provides its service, then you are dead in the water before you begin.
In conclusion, any service that you offer through your firewall can only be as secure as the service itself is. If in doubt, deny access to it. And if you are lost as to which services to run through the firewall, and a proper inventory of a secure solution is beyond your time or means, then do not allow it, or face the consequences. A better solution in that case may be to contact a professional whose business is computer security.

2.5 How does it work?
For more extensive information, please refer to the ipfwadm and ipfw man pages.

ipfwadm works by having the kernel examine each packet flowing into, out of or through your machine and apply a list of rules depending on which of those three things the packet is doing. The firewall is divided into four lists, each with its own purpose:

1- the input firewall, a list of rules applied to every packet received on an interface (TCP, UDP, ICMP or any other IP protocol)
2- the output firewall, applied to every packet sent out of an interface
3- the forwarding firewall, applied to packets that are routed from one interface to another
4- the accounting list, whose rules count the packets and bytes that match them instead of accepting or denying anything

Rules in a list are checked in order, and the first rule that matches decides what happens to the packet; if nothing matches, the list's default policy (set with -p) applies. A packet forwarded through the machine is checked by the input firewall, then the forwarding firewall, then the output firewall, and must be accepted by all three. By manipulating these lists the firewall administrator controls the personality of the firewall explicitly.

Chapter 3
=====================================================================================
3. Obtaining and installing ipfwadm

3.1 What is the latest version of ipfwadm?
The latest officially released version is 2.3.0-1 at the time of this writing. ipfwadm is specific to Linux. The kernel firewall code it administers descends from the BSD ipfw code, and FreeBSD has its own ipfw(8) utility for that firewall, but that is a separate program rather than a port of ipfwadm. If you know of a port to another Unix system please contact the author of this FAQ so that others may benefit from this knowledge.
It is available at the originator's web site in either *.tar.gz or *.rpm format, so choose your flavour.

3.2 May I legally run ipfwadm?
The Linux version of ipfwadm 2.3.0-1 may be used and distributed freely under the GPL. For details of any related issues please consult the author of the utility at http://www.xos.nl/linux/ipfwadm/ , who should be considered more definitive than this FAQ if any conflict arises.

3.3 What about commercial use of ipfwadm?
ipfwadm is freely distributed under the GNU General Public License, so commercial use is permitted; please give credit where due to jos@xos.nl. It will almost certainly remain under the GPL in future. Read 'COPYING' for a copy of the GNU GPL.

3.4 Where can I obtain ipfwadm?
The central site for distributing ipfwadm is ftp://ftp.xos.nl/pub/linux/ipfwadm/ . Some mirrors may be available; please email the author of this document should you become aware of one, so it can be appended to this list. :'))

3.5 How do I install it?
Get the file from a site near you. If you have the source tarball, unpack it with

  gzip -c -d ipfwadm-2.3.0.tar.gz | tar xvf -

then change into the directory it created, read the file README, and follow the directions in it. If you are using the .rpm, install it with

  # rpm -ivh ipfwadm-<version>.rpm

3.6 Does it make sense to install ipfwadm as root under UNIX?
Yes. Install the ipfwadm binary owned by root, group root, and chmod it to 755. Do not make it setuid: changing the kernel's rules requires root anyway, and a setuid copy would hand that power to every user on the machine.

3.7 Where do I get help?
First of all, read the README included, which should answer any questions you have regarding building and compiling ipfwadm. Then read the man pages included, which are named ipfwadm and ipfw. Then, and only then, either contact the author of this document (which is probably not the best idea, as this author receives 300 - 500 emails daily) or try Usenet, fwtk.org, or the author of the program. If you request assistance, please have the details of the specific problem ready.
Note: exhaust as many possibilities as possible before asking for help, and consult the search engines and archives to see if the answer is blowing in the cyberwind :')) If these resources don't help, you can post to the Usenet newsgroup comp.security.linux or send mail to the appropriate mailing list for ipfwadm users.

3.8 Are there any versions for other operating systems than Linux?
No. ipfwadm administers the Linux kernel's firewall and is Linux-only. FreeBSD's ipfw is a separate utility for that system's own (related) firewall code, not a port of ipfwadm, and its rule syntax is different.

3.9 What about accounting with ipfwadm?
Every rule keeps a packet and byte counter (shown by 'ipfwadm -l' for the list in question), the accounting list (-A) exists purely to count traffic that matches its rules, and any rule given the -o option logs each matching packet through the kernel log, so it ends up wherever syslog puts kernel messages. This means that you can account for literally all packets of the TCP, UDP or ICMP variety at will, in real time or from the logs. An example or two will be provided in this document.

Chapter 4
=====================================================================================
4. ipfwadm Usage

4.1 How do I see a detailed analysis of my rules for masquerading?
There are really two ways that I am aware of. The first shows the masquerading connections currently known to the kernel:

  % netstat -M

See the netstat man page for further details. The second option, which gives you a bird's eye view of the rules in action, is:

  # ipfwadm -Fnle

This lists all your -[F]orwarding packet rules (the list that masquerading rules live in) in [e]xtended format, with interface address and rule options included. The -[n] forces ipfwadm to display all addresses and port numbers in numeric format. Likewise

  # ipfwadm -Inle

lists all your [I]ncoming packet rules in [e]xtended format with interface address included plus rule options, and

  # ipfwadm -Onle

lists all your [O]utgoing packet rules in [e]xtended format with interface address included plus rule options.
In each case the -[n] forces ipfwadm to display all addresses and port numbers in numeric format.

4.2 How do I check whether a specific packet would be accepted, denied or rejected by one of my firewalls?
You use the -[c] switch to [c]heck how a described packet would be handled. ipfwadm does not prompt for anything: if a required switch is missing it reports the error and exits, so give the complete description. For example, to determine whether a UDP packet arriving on interface eth0 (address 192.168.100.100), sent from 192.168.100.200 port 1024 to 192.168.100.100 port 53, would be accepted, denied or rejected by my input firewall, I would run:

  # ipfwadm -c -I -P udp -V 192.168.100.100 -W eth0 -S 192.168.100.200 1024 -D 192.168.100.100 53

Since the -[c] switch checks against one firewall, you first need to decide which firewall (-I, -O or -F) you wish to check up on, and the packet must be described with exactly one source port and one destination port. ipfwadm answers with a one-line verdict (accepted, denied or rejected). Thought I would never get through that without fragmenting ;'))

4.3 What is the difference between rejecting and denying a packet in ipfwadm?
ipfwadm gives you two ways to discard a packet: deny or reject. Deny simply drops the packet, sending no indication to the originator that it ever existed. Reject drops it and sends an ICMP host unreachable message back to the source. Knowing this will of course sway your opinion on what your specific policies should be: reject lets your own users' connection attempts fail immediately instead of timing out, while deny tells an outsider nothing, not even that a filter is there.

4.4 How do I enable IP forwarding from the command line?
On kernels that provide the file, IP forwarding can be enabled with:

  # echo "1" > /proc/sys/net/ipv4/ip_forward

4.5 How do I make IP forwarding automatically enabled at boot on Linux?
To make IP forwarding more permanent on a Red Hat style system, edit /etc/sysconfig/network and change the variable 'FORWARD_IPV4=' to 'FORWARD_IPV4=true'; the network init script then writes the value to /proc/sys/net/ipv4/ip_forward at boot, and that's that. On other distributions, put the echo command from 4.4 in the same script you use for the rules in 4.6.

4.6 Where exactly do I place the ipfwadm rules that I want run when my system comes up, so they run without intervention?
Place them in rc.local, which is the last initialization file run on system bootup. You might append the following, as an example, to rc.local:

# First I set my default policy for the forwarding firewall. The policy is what applies
# when no rule matches, so set it to deny before any rules are added; a bad
# configuration of masquerading could otherwise allow anyone to masquerade from your system.
/sbin/ipfwadm -F -p deny
# Masquerading is only available on forwarding (-F) rules and needs a kernel built with IP
# masquerading; the -S part must be your own network. This allows you to masquerade from your
# network to any IP address out there. The example is thrown in just to show you how feature
# rich this firewall is.
/sbin/ipfwadm -F -a masquerade -S 192.168.100.0/24 -D 0/0
# You won't get very far without this one (on most distributions the network scripts have
# already done it before rc.local runs)...
/sbin/ifconfig eth0 192.168.100.1
# Add a route for this here network. Else packets won't know where to go. But we will... :'))
/sbin/route add -net 192.168.100.0 netmask 255.255.255.0 dev eth0
# The very first task when you build ipfwadm and begin using it is to be certain that you can
# ping anywhere you choose and that all interfaces are up and routing. If you don't have that
# together then you are way ahead of yourself, and in this case that is not good. Then tighten
# the firewalls right down, loosening the vise only as you grasp what exactly you are allowing.

4.7 Why doesn't my browser's FTP work when other FTP clients and the command line work fine?
This is due to the browser using PASV (passive mode). FTP uses a second TCP connection for the data. In the traditional active mode the server connects back from port 20 to a high port on the client; in passive mode the client instead opens the data connection from a high port to a high port that the server announces, and since both ends are ephemeral ports (on Linux 2.0 the client side uses the range 1024 to 5000) a rule set that only allows the control connection on port 21 blocks the data transfer. Your three options are: first, allow connections between these ephemeral ports through the firewall and call it a day.
The second option is to use a standard FTP client that uses predictable ports and proxy it with fwtk's ftp-gw, which isolates it better: the proxy calls the FTP server on behalf of your client rather than letting the client access it directly. Your third option, and probably the ringer, is to blend one and two: allow inbound connections to the ephemeral ports used by PASV, but proxy those connections through fwtk as your final layer in front of the FTP server. You will sleep better at night this way if you really need to allow FTP server access. At the time of this writing, if you are using Exploder rather than Netscape then securing your firewalls is the least of your problems...

4.8 Can I use ipfwadm to protect services like FTP or POP?
You can use ipfwadm to control the flow of any protocol that is TCP, UDP or ICMP based, which covers the standards-based Internet services. Bear in mind that ipfwadm matches on addresses, ports and TCP flags only; it does not look inside the application protocol, so a port you open is exactly as safe as the daemon listening behind it (see 2.4).

4.9 Why is it important to start by denying access on all the firewalls controlled by ipfwadm?
As mentioned briefly earlier, the default policy of each firewall manipulated by ipfwadm is accept, so a fresh kernel passes literally all packets. This means that any and all services pass through without supervision or accounting, and for all intents and purposes you have yourself a basic router, period. If it helps, think of it as a faucet that is on full blast! Hence it is very important that you set a deny policy on every list before anything else, and only then add rules for what you know you want to allow and deny. It might be a good idea about now to write that down; going at it full blast without a plan is the wrong place to be. If you think not, consider this: how much is the information you're protecting worth? ...really worth. Enough said.

4.10 Can you present a basic example for analysis?
Why sure... here it is, take it for what it's worth.
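Before the rule base itself, here is an added, self-contained script (not part of the FAQ and not the FAQ author's rules) that ties together 4.4 to 4.6 (forwarding and a boot-time script), 4.9 (deny first, then build up), 4.2 (checking packets with -c) and 4.7 (passive FTP), and that replaces the two-way -b service rules used in the rule base below with a one-way rule for new connections plus an ACK-only (-k) reply rule. The interface names ppp0 and eth0, the addresses 203.0.113.9, 192.168.100.1, the internal mail and web servers, and the premise that the firewall host itself runs no network services are all assumptions made for the example. It runs in dry-run mode by default and merely prints the ipfwadm commands it would execute, so it can be read and tested on any machine; DRYRUN=0 as root applies them.

```shell
#!/bin/sh
# Added example, not part of the FAQ: an rc.local-style ipfwadm rule script
# that follows the order the FAQ recommends (default deny, flush, build up,
# log the fall-through) and replaces the two-way "-b" service rules with a
# one-way rule for new connections plus an ACK-only (-k) rule for replies.
# Interface names, addresses and the "firewall host runs no services" premise
# are assumptions made for the example.
EXT_IF=ppp0             # external, untrusted interface (dynamic address)
INT_IF=eth0             # internal, trusted interface
EXT_ADDR=203.0.113.9    # current address of EXT_IF
INT_ADDR=192.168.100.1  # address of INT_IF
LAN=192.168.100.0/24    # internal network
MAIL=192.168.100.100    # internal mail server
WWW=192.168.100.150     # internal web server
HIGH=1024:65535         # unprivileged client ports

# Dry run by default: print each command instead of executing it.
# Run as root with DRYRUN=0 to apply the rules for real.
DRYRUN=${DRYRUN:-1}
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }
fw()  { run /sbin/ipfwadm "$@"; }

enable_forwarding() {
    if [ "$DRYRUN" = 1 ]; then echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Step 1: all three firewalls default to accept, so set the policy to deny
# first, then flush any leftover rules (a flush keeps the policy).
deny_everything() {
    for chain in -I -O -F; do
        fw "$chain" -p deny
        fw "$chain" -f
    done
    fw -A -f
}

# Step 2: anti-spoofing. Nothing arriving on the external interface may claim
# an inside, loopback or our own address as its source; -o logs the attempt.
# -W matches the interface by name, so it survives a ppp address change.
anti_spoof() {
    for src in "$LAN" 127.0.0.0/8 "$EXT_ADDR/32"; do
        fw -I -a deny -W "$EXT_IF" -S "$src" -D 0/0 -o
    done
    fw -I -a accept -W lo -S 0/0 -D 0/0
    fw -O -a accept -W lo -S 0/0 -D 0/0
}

# A TCP service on $2 port $3 reachable from $1, via the forwarding firewall.
# The reply rule carries -k, so only packets with ACK set match it: a bare
# SYN from the server side toward a client high port still falls through.
allow_tcp() {  # allow_tcp CLIENTS SERVER PORT
    fw -F -a accept -P tcp -S "$1" "$HIGH" -D "$2" "$3"
    fw -F -a accept -P tcp -k -S "$2" "$3" -D "$1" "$HIGH"
}

# Passive-mode FTP (section 4.7): after the port-21 control connection the
# client opens the data connection from a high port to a high port on the
# server, so a port-21-only rule blocks browsers. Opening the whole high
# range outbound is the blunt fix; an fwtk ftp-gw proxy is the tighter one.
allow_ftp_pasv() {  # allow_ftp_pasv CLIENTS
    allow_tcp "$1" 0/0 21
    fw -F -a accept -P tcp -S "$1" "$HIGH" -D 0/0 "$HIGH"
    fw -F -a accept -P tcp -k -S 0/0 "$HIGH" -D "$1" "$HIGH"
}

build_firewall() {
    deny_everything
    anti_spoof
    # Input/output firewalls only police the interfaces; forwarded packets
    # pass them first, and what is forwarded is decided in -F below.
    fw -I -a accept -W "$INT_IF" -S "$LAN" -D 0/0
    fw -I -a accept -W "$EXT_IF" -S 0/0 -D 0/0
    fw -O -a accept -W "$INT_IF" -S 0/0 -D "$LAN"
    fw -O -a deny -W "$EXT_IF" -S 0/0 -D "$LAN" -o    # inside net never goes out
    fw -O -a accept -W "$EXT_IF" -S "$LAN" -D 0/0
    fw -O -a accept -W "$EXT_IF" -S "$EXT_ADDR/32" -D 0/0
    allow_tcp 0/0 "$MAIL" 25         # inbound mail
    allow_tcp "$MAIL" 0/0 25         # outbound mail: high port -> remote 25
    allow_tcp 0/0 "$WWW" 80          # our web server
    allow_tcp "$LAN" 0/0 80          # clients browsing outside
    allow_ftp_pasv "$LAN"
    # fw -F -a masquerade -W "$EXT_IF" -S "$LAN" -D 0/0   # masquerading kernels only
    for chain in -I -O -F; do        # everything else: deny and log
        fw "$chain" -a deny -S 0/0 -D 0/0 -o
    done
}

# Ask the kernel (ipfwadm -c) how a packet would be treated once applied.
# For -F the interface given is the one the packet would be sent out on.
check() {  # check CHAIN PROTO IFADDR SRC SPORT DST DPORT
    fw -c "$1" -P "$2" -V "$3" -S "$4" "$5" -D "$6" "$7"
}

enable_forwarding
build_firewall
check -F tcp "$INT_ADDR" 198.51.100.7 2048 "$MAIL" 25   # expect accepted
check -F tcp "$INT_ADDR" 198.51.100.7 2048 "$WWW" 23    # expect denied
```

Run it as 'sh fw.sh' to preview the command list, and as 'DRYRUN=0 sh fw.sh' from rc.local to apply it; once applied, the two -c lines at the end print the kernel's own verdict for a mail connection and for a telnet attempt at the web server. Note that -k does not make ipfwadm stateful: it only requires the ACK flag on the reply rule, which is enough to stop a server-side host from opening new connections into client high ports, but not to verify that a matching connection exists. A masquerading kernel tracks passive FTP for masqueraded clients with its ip_masq_ftp module, which is why the masquerade rule is left commented out here rather than combined with the open high-port range.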
############################################################################
#====================== IPFWADM RULES BASE ================================#
#===================== [ IPFWADM deny everything ] ========================#
#
# Here is where I begin my rules controlling all incoming, outgoing and forwarding of
# packets great and small. So here is where I deny all, period, explicitly, on all three
# firewalls. The policy (-p) is what applies when no rule matches; a flush (-f) does not
# touch it, so it is safe to set it first. Remember also that the rules in a list are checked
# in order and the first match wins.
ipfwadm -I -p deny
# First, like some people I know, I deny everything incoming...
ipfwadm -F -p deny
# Then I deny all forwarding, period...
ipfwadm -O -p deny
# Then, to close everything off, I deny all outgoing transmissions...
# At this point I have the second best firewall ever made, next to the one Markus speaks of.
#=========================[ Flush...All My Rules ]=========================#
ipfwadm -I -f
ipfwadm -F -f
ipfwadm -O -f
ipfwadm -A -f
# Here I start with a clean slate. That way it builds from here...
#==========================[ Turning on the Tap ]=========================#
# To recap: I have denied all from all directions and flushed all rules to start fresh.
ipfwadm -I -a accept -V 192.168.100.10 -S 192.168.100.0/24 -D 0/0
# The above allows incoming packets on the interface whose address is 192.168.100.10 (an
# internal interface) from the local network, addressed to anywhere.
#========================[ Spoof Checking below ]=========================#
# Immediately below is my anti-spoofing reality check for any external interface traffic
# that claims to be coming from inside the network. These are also logged (-o).
ipfwadm -I -a deny -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D 0/0 -o
#======================[ Friendly External Packets ]======================#
# Any packet that flows in from my outermost interface addressed to the firewall itself.
ipfwadm -I -a accept -V ip_of_external_perimeter_interface -S 0/0 \
  -D ip_of_external_perimeter_interface/32
# The -D address above is masked completely (/32), so only the firewall's own address matches.
# Packets that are to be forwarded to inside servers pass through the input firewall before
# they reach the forwarding firewall, so they have to be let in here as well; without the two
# rules below the forwarding rules for mail and web further down would never see a packet.
# The same applies to anything else you forward inward.
ipfwadm -I -a accept -V ip_of_external_perimeter_interface -S 0/0 -D 192.168.100.100/32
ipfwadm -I -a accept -V ip_of_external_perimeter_interface -S 0/0 -D 192.168.100.150/32
# Loopback can be your friend... your network of networks ;'))
ipfwadm -I -a accept -V 127.0.0.1 -S 0/0 -D 0/0
#======================[ Local Network Control ]==========================#
# Let's just say for example that you wished to deny a certain IP from accessing a specific
# site on company time. This could be expanded to cover an entire subnet, and is not limited
# to just -I as this example shows. Remember that the reject policy sends the client an ICMP
# host unreachable instead of silently dropping the packet.
#ipfwadm -I -a reject -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D bad_ip/32 -o
#======================[ Local Int -> Loco Net ]==========================#
# Here I declare to all that my trusted internal interface accepts incoming packets from the
# local network going anywhere in the Cyberverse. Which is larger than I can count...
#ipfwadm -I -a accept -V ip_of_trusted_internal_interface -S 192.168.100.0/24 -D 0/0
#=====================[ Local Int to Local Net Calls ]====================#
# Here is where I allow any traffic flowing out of my trusted internal interface to travel
# from anywhere to my local network without any problems.
ipfwadm -O -a accept -V ip_of_trusted_internal_interface -S 0/0 -D 192.168.100.0/24
#=========================[ Source Route Check ]==========================#
# Deny anything flowing out of the external perimeter interface, regardless of where the
# packet originates, that is addressed to the internal network, and record it. Such a packet
# can only be the result of a spoofed or source-routed attempt at the inside network.
ipfwadm -O -a deny -V ip_of_external_perimeter_interface -S 0/0 -D 192.168.100.0/24 -o
#=========================[ Masquerading Relay ]==========================#
# It is probably a real good idea not to allow any masquerading you haven't authorized;
# therefore anything leaving the external perimeter interface that still carries an internal
# network source address (i.e. was not masqueraded) is denied and logged for analysis.
ipfwadm -O -a deny -V ip_of_external_perimeter_interface -S 192.168.100.0/24 -D 0/0 -o
#=======================[ Rejecting on Ext Interface ]====================#
# Here I declare to all that my external untrusted interface rejects packets out from itself
# to a specific IP address. Seems redundant when it could be done as easily on the internal
# interface, but it would not hurt anything and can be used to create a multi-straining
# device, so to speak, plus log.
ipfwadm -O -a reject -V ip_of_external_perimeter_interface \
  -S ip_of_external_perimeter_interface -D bad_ip_address/32 -o
#=========================[ Looping Ext Int Here ]========================#
# Here the loopback microverse is allowed to live on for outgoing packets.
ipfwadm -O -a accept -V 127.0.0.1 -S 0/0 -D 0/0
#=========================[ Outgoing Allowed Here ]=======================#
# Any outgoing packet that gets this far should be considered routeable and allowed from the
# external perimeter interface to continue on its merry way. Better put: if it carries the
# external interface's address as its source and is flowing out of the external interface to
# anywhere, allow it now.
ipfwadm -O -a accept -V ip_of_external_perimeter_interface \
  -S ip_of_external_perimeter_interface -D 0/0
#=========================[ Masquerade if Needed ]========================#
# Here is where I would install masquerading rules if I was doing many-to-one. If you have a
# reasonably sized (routable) network then you are probably not concerned here and may leave
# it commented out. It masquerades forwarding from the local network out through ppp0 to
# anywhere. If the kernel is not built for masquerading this won't work; make sure forwarding
# is switched on as well (see 4.4).
#ipfwadm -F -a masquerade -W ppp0 -S 192.168.100.0/24 -D 0/0
#=======================[ Rejecting Forwarding here ]=====================#
# Here is an example of rejecting access to an IP address from the local network. Note that
# rejecting in the forwarding or outgoing firewall involves more processing steps than doing
# it on input, but IMHO it never hurts to have redundancy on denies, as this can cover for
# some errors.
ipfwadm -F -a reject -W ppp0 -S 192.168.100.0/24 -D bad_ip -o
#=========================[ Forwarding DNS traffic ]======================#
# Forwarding of DNS to your network... consider split DNS. Caveat: -b with a bare source of
# "0/0 53" means any outside host that uses source port 53 can reach every UDP port inside;
# restrict -D to your name server (and to port 53) if you can.
ipfwadm -F -a accept -b -P udp -S 0/0 53 -D 192.168.100.0/24
#========================[ Forwarding email outgoing ]====================#
# Forwarding from the mail server, which connects out from an unprivileged port to port 25
# on any SMTP server outside; -b also matches the replies coming back.
ipfwadm -F -a accept -b -P tcp -S 192.168.100.100/32 1024:65535 -D 0/0 25
#========================[ Forwarding email incoming ]====================#
# Forwarding of email to my mail server from anywhere. -b makes the rule match the replies
# (mail server port 25 back to the remote high port) as well; a separate reply rule with -k
# (ACK bit set) would be tighter than -b.
ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.100/32 25
#========================[ Forwarding http outerweb ]=====================#
# Now that we have DNS and email going, let the local network browse outside web servers:
# clients on high ports to port 80 anywhere.
ipfwadm -F -a accept -b -P tcp -S 192.168.100.0/24 1024:65535 -D 0/0 80
#=======================[ Forwarding http 2 innerweb ]====================#
# And let the world reach our own web server on 192.168.100.150.
ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.150 80
#==================[ Allow Incoming Ping from localnet ]==================#
# Here all type '8' messages, i.e. 'echo request', are allowed in on the trusted internal
# interface from the local network to anywhere. With -P icmp the "port" given after the
# source address is the ICMP type. -V (interface address) and -W (interface name) are
# interchangeable here.
ipfwadm -I -a accept -P icmp -V ip_of_trusted_internal_interface -S 192.168.100.0/24 8 -D 0/0
#==================[ Allow FWing Ping from localnet ]=====================#
# Echo request is [F]orwarded from any [S]ource to any destination, as long as the type is '8'.
ipfwadm -F -a accept -P icmp -S 0/0 8 -D 0/0
#=============[ Allow Outgoing Ping from external interface ]=============#
# Allow echo request out of the external interface from anywhere to anywhere, but log it.
ipfwadm -O -a accept -P icmp -V ip_of_external_perimeter_interface -S 0/0 8 -D 0/0 -o
#================[ Allow Incoming Ping Reply from Net ]===================#
# Here all type '0' messages, i.e. 'echo reply', are allowed in on the untrusted external
# interface. A slightly more granular way to look at this: echo reply from anywhere to
# anywhere is allowed.
ipfwadm -I -a accept -P icmp -V ip_of_untrusted_external_interface -S 0/0 0 -D 0/0
#======================[ Allow FWing Ping reply ]=========================#
# Echo reply is [F]orwarded as long as the [S]ource is anywhere and the [D]estination is wherever...
ipfwadm -F -a accept -P icmp -S 0/0 0 -D 0/0
#==============[ Allow Ping reply out the internal interface ]============#
# Allow 'echo reply' (type 0) to leave the trusted internal interface from anywhere to the
# internal network, and log it.
ipfwadm -O -a accept -P icmp -V ip_of_trusted_internal_interface -S 0/0 0 -D 192.168.100.0/24 -o
#=========================[ Captain's Logs ]==============================#
# The fall-through rules: deny everything not explicitly accepted above, and log it. Since the
# first matching rule wins, these must be the last rules appended to each list; any accept
# rule added after them would never match.
ipfwadm -I -a deny -S 0/0 -D 0/0 -o
ipfwadm -O -a deny -S 0/0 -D 0/0 -o
ipfwadm -F -a deny -S 0/0 -D 0/0 -o
#============================[ Bits and Bytes ]===========================#
# The above ICMP example is by no means definitive and should be used as a model only. It is
# important to realize that ICMP does not depend on ports or an ACK bit. Rather it uses a
# series of message types, listed below; I hope it helps you. Probably the best way to do
# this is to add one type at a time until you fully understand the ramifications of your
# ICMP rules.
# Type 0, 'Echo Reply': the response to an Echo Request (PING).
# Type 3, 'Destination Unreachable': can be used against you, so consider allowing it inbound
#   from the external interface to your network but restricting it outbound. Do not block it
#   outbound entirely: code 4 ('fragmentation needed') is what path MTU discovery relies on,
#   and without it remote hosts sending large packets to your servers will stall.
# Type 4, 'Source Quench': used to tell you or others that the conversation is too fast,
#   slow down! Something you will probably wish to allow both ways (modern stacks ignore it).
# Type 5, 'Redirect': used for redirecting routes. Best not allowed on firewalls, period.
#   If you insist, at least never allow type 5 inbound into your network.
# Type 8, 'Echo Request': created by ping and should be allowed (PING).
# Type 11, 'TTL Exceeded': signals that a packet's lifetime has expired, outbound or inbound.
#   Should be ok to allow in both directions (traceroute depends on it).
# Type 12, 'Parameter Problem': should be allowed, as it signals a packet header problem.
# Well, I hope that this has been some help. If you find this information useful please share
# it. Remember to allow only those services you need to have running.
############################################################################

Chapter 5
=====================================================================================
5. Problems

If you don't find your problem listed below, please submit a bug report to webmaster@xos.nl giving full details of:
- the version number of ipfwadm and the OS (kernel) version number
- what you expected ipfwadm to do
- what ipfwadm did specifically (including all error messages)
- the system you use
- the compiler you used, plus any compilation flags

5.1 Are there known compiling problems with ipfwadm?
Yes, there is the possibility that you will need to add a small line: check ipfwadm.c and add the missing '#include' line ahead of the include of linux/ip_fw.h.

5.2 Does glibc2 cause problems?
ipfwadm 2.3.0 does not compile as shipped against glibc2, but this has been fixed in the *.rpm packages and AFAIK those are stable. The binaries supplied on the Red Hat CD are just fine.

5.3 Are there any problems with transparent proxy?
Yes. Use a kernel of the 2.0.x series, version 2.0.31 or later. The problems show up when one uses ipfwadm's redirection option (-r) to change the destination port of packets, so they only affect you if you are using that advanced feature.

Chapter 6
=====================================================================================
6. Miscellaneous

6.1 What known security bugs exist in which versions of ipfwadm?
There are no known problems with ipfwadm that are a direct result of the program itself. However, the construction of the rules is very important, or you can quite easily create a security problem yourself: a rule in the wrong order, a forgotten deny policy or an over-broad -b rule are the usual culprits.

6.2 How widespread is use of ipfwadm?
No idea, but it would be a large number, as it is included in the Red Hat distribution and available for all Linux flavours. With knowledge it provides a GNU GPL solution that is more valuable and flexible, thanks to the underlying OS, than several commercial firewall solutions costing thousands of dollars. This is much to the credit of the author of ipfwadm as well as the Linux development process itself. Combined with fwtk it is a very robust solution indeed that pretty much covers all the basic issues that are important to close off in a firewalling solution.

6.4 Credits
Most of the credit, of course, goes to Jos Vos for writing ipfwadm and making it available to the public. Also I would like to thank my associates on the Internet for all their kind words and support, which has culminated in the ability to give something back to the Internet for the benefit of others.
- dreamwvr@dreamwvr.com

EOF > IPFWADM FAQ
=============================================================================