From tswoyer at speakeasy.net Tue Mar 11 09:09:25 2003
From: tswoyer at speakeasy.net (Ted Swoyer)
Date: Tue, 11 Mar 2003 12:09:25 -0500
Subject: [NARC] Couple of Questions
Message-ID: <003e01c2e7f0$f85ac220$0801a8c0@pw5000>

I have used NARC for a while in a simple network environment and it has worked quite well (thank you). Now my network is evolving past my simple setup and I have a couple of questions:

In narc.conf, there are three places where control of server services are specified:

  ALLOW_TCP_EXT        ALLOW_UDP_EXT
  ALLOW_TCP_EXT_RANGE  ALLOW_UDP_EXT_RANGE

  ALLOW_TCP_LAN        ALLOW_UDP_LAN
  ALLOW_TCP_LAN_RANGE  ALLOW_UDP_LAN_RANGE

  ALLOW_TCP_DMZ        ALLOW_UDP_DMZ
  ALLOW_TCP_DMZ_RANGE  ALLOW_UDP_DMZ_RANGE

I am not clear on what these are used for. The comments lead me to believe that these are for services that are actually running on the firewall box and being offered to the LAN and DMZ, and not for services being offered on the LAN or on the DMZ to the outside world (or each other). Is this correct?

If my DMZ offers services to my LAN (dns, web, e-mail), do I have to assign ...LAN variables the service names or ports?

Thank you,
Ted


From shane at knowplace.org Wed Mar 12 00:39:40 2003
From: shane at knowplace.org (Shane Chen)
Date: Wed, 12 Mar 2003 00:39:40 -0800
Subject: [NARC] Couple of Questions
References: <003e01c2e7f0$f85ac220$0801a8c0@pw5000>
Message-ID: <004001c2e872$ec63e280$3264a8c0@frankenbox>

Hi Ted,

----- Original Message -----
From: "Ted Swoyer"

> I am not clear on what these are used for. The comments lead me to believe
> that these are for services that are actually running on the firewall box
> and being offered to the LAN and DMZ and not for services being offered on
> the LAN or on the DMZ to the outside world (or each other). Is this correct?

Yes. The firewall rules are always from the perspective of the machine that it's installed on, not from your network topology. So what you're doing is protecting the host (the machine actually running NARC) itself. The clients behind it may benefit depending on the filtering rules, but primarily it's to secure the host (which sometimes may be a "firewall").

> If my DMZ offers services to my LAN (dns, web, e-mail), do I have to assign
> ...LAN variables the service names or ports?

You need to enable FORWARD_LAN_TO_DMZ if you just want to accept all traffic from the LAN to your DMZ. If you want to have tighter control of the LAN traffic being forwarded to your DMZ, you'll have to write custom forwarding rules via the narc-custom.conf.

Once your network gets a bit more complicated, you'll have to write some custom rules (impossible to guess the network topology). I often install NARC to just get the basic framework up and finish it by adding a few customized rules.

Hope that helps,
Shane


From colin at colina.demon.co.uk Tue Mar 18 02:28:06 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 18 Mar 2003 10:28:06 +0000
Subject: [NARC] NARC and CIPE

How would narc and CIPE fit together? If I want to connect my workstation (which is protected by a barrier firewall machine, running narc) to a VPN using CIPE, would I have to install CIPE on the firewall machine or on the workstation?

--
Colin Paul Adams
Preston Lancashire


From bbennion at u.washington.edu Tue Mar 18 06:58:25 2003
From: bbennion at u.washington.edu (B. Bennion)
Date: Tue, 18 Mar 2003 06:58:25 -0800 (PST)
Subject: [NARC] NARC and CIPE

Hello Colin,

On our setup we have cipe and the firewall on the same machine. You could install cipe on either machine, but it sometimes is easier to keep both things on one machine. If you have control over the firewall it makes more sense, and troubleshooting any config problem would be easier if just one machine was used.

Brian

On 18 Mar 2003, Colin Paul Adams wrote:

> Date: 18 Mar 2003 10:28:06 +0000
> From: Colin Paul Adams
> To: narc at knowplace.org
> Subject: [NARC] NARC and CIPE
>
> How would narc and CIPE fit together? If I want to connect my
> workstation (which is protected by a barrier firewall machine, running
> narc) to a VPN using CIPE, would I have to install CIPE on the
> firewall machine or on the workstation?
> --
> Colin Paul Adams
> Preston Lancashire
> _______________________________________________
> NARC mailing list
> NARC at knowplace.org
> http://www.knowplace.org/mailman/listinfo/narc
>

Graduate Research Assistant
Dep. Medicinal Chemistry, University of Washington
Tel# (206)616-2779
BOX 357610
Seattle WA 98195
email--bbennion at u.washington.edu
web page--http://students.washington.edu/bbennion


From colin at colina.demon.co.uk Tue Mar 18 07:39:20 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 18 Mar 2003 15:39:20 +0000
Subject: [NARC] NARC and CIPE

>>>>> "Brian" == B Bennion writes:

    Brian> Hello Colin, On our setup we have cipe and the firewall on
    Brian> the same machine. You could install cipe on either machine
    Brian> but it sometimes is easier to keep both things on one
    Brian> machine. If you have control over the firewall it makes
    Brian> more sense and troubleshooting any config problem would be
    Brian> easier if just one machine was used.

But I specifically want to avoid installing it on the firewall machine if I can, as I don't want to attempt upgrading it to Redhat 8.0 (apart from having to take a day out to do it, I might not have enough disk space!).

So I'm glad to hear it can be installed on either machine. I assume I shall have to get narc to pass the CIPE datagrams through to my lan? I can't see a cipe name in /etc/services. Or have I misunderstood how it works?

--
Colin Paul Adams
Preston Lancashire


From colin at colina.demon.co.uk Fri Mar 21 03:27:21 2003
From: colin at colina.demon.co.uk (Colin Paul Adams)
Date: 21 Mar 2003 11:27:21 +0000
Subject: [NARC] Web server on LAN or DMZ

What configuration statements do I need to add to allow outside access to my webserver running on my ethernet lan (or dmz - it's the same thing for me, as I only have the one ethernet)?

--
Colin Paul Adams
Preston Lancashire
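Shane's reply to Ted above points to narc-custom.conf for LAN-to-DMZ forwarding that is tighter than the blanket FORWARD_LAN_TO_DMZ. The script below is an added illustration of what such custom rules look like; it is not NARC's own code and did not come from the list. It generates per-service iptables FORWARD rules for the dns, web and e-mail case from Ted's question: stateful return traffic first, then the explicitly allowed services, then log-and-drop for everything else from the LAN. The interface names (eth1/eth2), the network ranges, the service list and the helper names are all assumptions; by default it only prints the rules, and applies them only when APPLY=1.

```shell
#!/bin/sh
# Hypothetical LAN -> DMZ forwarding policy, one rule per allowed service,
# as a replacement for accepting everything via FORWARD_LAN_TO_DMZ.
# Interface names and networks below are assumed values; adjust to taste.
LAN_IF="${LAN_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"

# Print the iptables commands for the given services.
# Each argument has the form proto/port, e.g. tcp/80 or udp/53.
lan_to_dmz_rules() {
    # Replies to connections the LAN opened are allowed by connection state,
    # so nothing on the DMZ side needs an open inbound hole towards the LAN.
    echo "iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -d $LAN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for svc in "$@"; do
        proto="${svc%%/*}"   # text before the slash
        port="${svc##*/}"    # text after the slash
        echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done

    # Anything else crossing LAN -> DMZ is logged, then dropped, so a
    # misconfigured client shows up in the log rather than silently failing.
    echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -j LOG --log-prefix 'LAN->DMZ drop: '"
    echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -j DROP"
}

# Number of iptables commands a given service list produces
# (return-traffic rule + one per service + log + drop).
count_rules() {
    lan_to_dmz_rules "$@" | grep -c '^iptables'
}

# Assumed service set for Ted's case: dns (udp and tcp), web, e-mail.
DMZ_SERVICES="udp/53 tcp/53 tcp/80 tcp/443 tcp/25"

# Dry run by default; APPLY=1 feeds the generated commands to a shell.
if [ "${APPLY:-0}" = "1" ]; then
    lan_to_dmz_rules $DMZ_SERVICES | sh
else
    lan_to_dmz_rules $DMZ_SERVICES
fi
```

Run it once without APPLY to review the generated rules before loading them. Because the service list is just proto/port tokens, a new DMZ service is added by appending one token rather than editing rule text, which keeps the log-and-drop tail in place as the last word on LAN-to-DMZ traffic.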