Hi Doug, hi all

<snip>

>When I scan all ports on my router's external interface, it doesn't show port 8080
>as being open. Why is that? Is it because it is above port 1024? I am not quite
>familiar with how ports are used on a private/public network so I'm quite sure I'm
>missing something here. Does this have to do with the hosts.allow configuration?

No, it doesn't have anything to do with hosts.allow at all. It is absolutely normal 
that you don't see forwarded ports as open ports when scanning from the internal 
network. This is because the portfw code in any Unix/Linux is not able to forward 
ports if there is no routing.
If a packet with dest. port 8080 arrives at the FW's internal IF, it will not be routed, so 
portfw rules are not active for these packets. This is also the reason why most people 
add a DMZ interface to the FW to force routing. Now it's possible to access the 
webserver with the same URL from the internal and external network. Now the webserver IS 
on a different interface for both the internal and external network. Every packet which 
belongs to the webserver will be routed and portfw rules are active.

>As a side note, I noticed that the default network.conf exposes udp port 53 (domain)
>to the public network. Also for tcp port 1023. Are these necessary?

Matt wrote that these are necessary for DHCP leases (or did I understand something 
wrong?). I'd say: they're not! DHCP is UDP 68 and this is opened by default. I see 
that you removed the 0/0_bootpc from EXTERN_UDP_PORTS. You should ONLY do that if you 
have a static extern IP!

Ok, but why are these other two there?
53: Charles and a lot of other people are running a DNS server. Those people who 
aren't running a DNS server are usually running "dnscache" as a DNS forwarder. Because 
dnscache is very secure and people running a full DNS server need port 53 anyway, 
Charles left it open.

When I first noticed this port 53 I asked myself the same question. I first thought 
that even dnscache needs the DNS port open (even though it does not resolve anything for the 
outside world). I tried to close port 53, and what did my eyes see: dnscache works without 
port 53 opened (which seems to be logical). You may close UDP 53. It's not necessary.

1023: This is opened by default because Charles uses the bandwidth monitor from Martin 
Hejl (the local java applet) to monitor multiple Dachstein boxes. On port 1023, there 
is a small shell script running which sends interface statistics. You may have a look 
at this:
telnet [dachstein IP] 1023

I'm not sure about how secure shell scripts are (buffer overflows?), but if you're not 
going to monitor your box remotely via the java applet, you may remove port 1023.


To your main question:

Your config (as other people wrote already) is ok. I can't see any mistakes.
The only mistakes I can think of would be:
1. Your webserver is not listening on 8080
2. To try it out, you always used the following URL:
http://[external or internal IP of your FW]:8080
Relating to my comments above about the portfw code, this will never work from inside! 
You have to try it from outside (via www.anonymizer.com from internal, or at work).

At this moment, I can't figure out another possible point.
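One way to turn the port-by-port reasoning above (bootpc, domain, 1023) into a small audit of a Dachstein network.conf fragment. This is an added example, not code from this list or from the Dachstein project; it assumes the EXTERN_*_PORTS entries take the form `source_net/mask_port` (as in the 0/0_bootpc entry mentioned above), uses a constructed sample config, and resolves service names with a hand-rolled table instead of /etc/services.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the two relevant lines of a Dachstein network.conf.
# Assumption: each entry is "source_net/mask_port" (e.g. 0/0_bootpc), with the
# port given either by its /etc/services name or by number.
SAMPLE_CONF = '''
EXTERN_UDP_PORTS="0/0_bootpc 0/0_domain"
EXTERN_TCP_PORTS="0/0_1023"
'''

# Hand-rolled subset of /etc/services for the names the sample uses.
SERVICE_PORTS = {"bootpc": 68, "domain": 53}


def parse_extern_ports(conf: str) -> Dict[str, List[int]]:
    """Return the ports opened on the external interface, per protocol."""
    opened: Dict[str, List[int]] = {"udp": [], "tcp": []}
    for proto in opened:
        m = re.search(rf'^EXTERN_{proto.upper()}_PORTS="([^"]*)"', conf, re.M)
        if not m:
            continue
        for entry in m.group(1).split():
            # Drop the "0/0_" source prefix; what remains is the port name or number.
            name = entry.rsplit("_", 1)[-1]
            if name in SERVICE_PORTS:
                opened[proto].append(SERVICE_PORTS[name])
            elif name.isdigit():
                opened[proto].append(int(name))
            else:
                raise ValueError(f"unknown service name in {proto} entry: {entry}")
    return opened


def audit(opened: Dict[str, List[int]], static_extern_ip: bool,
          runs_dns_server: bool, uses_remote_monitor: bool) -> List[Tuple[str, int, str]]:
    """Apply the three rules from the message; each finding is a port that can be closed."""
    findings = []
    if static_extern_ip and 68 in opened["udp"]:
        findings.append(("udp", 68, "bootpc is only needed for a DHCP-assigned external IP"))
    if not runs_dns_server and 53 in opened["udp"]:
        findings.append(("udp", 53, "dnscache as a forwarder works without UDP 53 open"))
    if not uses_remote_monitor and 1023 in opened["tcp"]:
        findings.append(("tcp", 1023, "the statistics script is only used by the remote java applet"))
    return findings


if __name__ == "__main__":
    # A box with a dynamic external IP, running dnscache only, no remote monitoring.
    for proto, port, why in audit(parse_extern_ports(SAMPLE_CONF), False, False, False):
        print(f"close {proto}/{port}: {why}")
```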

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user