I'm not that familiar with Echowall, but I can help with the ssh bit:

>    In addition, I don't see the wisdom in this:
>
> # -- For SSH'ing out from firewall, allow responses from SSH servers.
> # -- Configure firewall's SSH client to use 823 to 1023 port range.
> $IPCHAINS -A input -s 0/0 22 -d $IP_EXT/32 823:1023 ! -y -p tcp -j ACCEPT
>
> Those are weird ports and other firewalls certainly don't expect client
> traffic to emerge from 823-1023.  Would you explain that a bit?  Thx.
>
>    You also recommend changing the ssh client config.  Is it right to ask
> people to change their servers and clients to fit the firewall?  Indeed
> you've worked very hard to make services available on the ports they
> normally run, as evidenced by all the portfw services echowall supports.
> So I'm confused.

When you run ssh on a *nix box, it will default to using a "low" port to
make the connection unless you specify a command line switch (which is
different for ssh, scp, and varies from one ssh implementation to another).
This can cause lots of confusing side-effects when trying to go through
firewalls.  I typically set up my ssh config so sessions originating from my
machines use a high port for outbound traffic...I'm fairly sure this is
what's being referred to about changing the ssh client config.

As for the rule allowing non-syn packets from port 22 to the 823:1023 port
range, if you don't do this, ssh won't work without the command line switch
or the config file edit.  This can be quite confusing if you don't know
what's going on, as typically everything except ssh will work normally.  Of
course, a lot of times source ports <1024 are blocked by the remote firewall
as well (increasing confusion), which is why setting ssh up to use a high
port by default is often the easiest/cleanest overall solution.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
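To make the behaviour described in the mail concrete, here is an added example (not code from the original message, from Echowall, or from ipchains itself) that models the quoted rule `-s 0/0 22 -d $IP_EXT/32 823:1023 ! -y -p tcp -j ACCEPT` and runs a few constructed packets through it. It assumes a constructed firewall address 192.0.2.1 standing in for `$IP_EXT` and constructed peer addresses; the point it shows is that a reply to an ssh client that bound an ephemeral source port above 1023 never matches this rule, while a SYN-only packet arriving from port 22 is also refused by the `! -y` clause.

```python
"""
Model of the ipchains rule quoted in the thread (added example, not code from
the original mail, from Echowall, or from ipchains):

    ipchains -A input -s 0/0 22 -d $IP_EXT/32 823:1023 ! -y -p tcp -j ACCEPT

The rule accepts TCP packets from any host with source port 22, addressed to
the firewall's external IP on a destination port in 823..1023, unless the
packet is SYN-only (ipchains -y, negated with !), i.e. only replies to ssh
sessions the firewall itself opened are let in.
"""
from dataclasses import dataclass

FW_EXT_IP = "192.0.2.1"  # constructed stand-in for $IP_EXT (RFC 5737 test range)
RULE_DPORT_LOW, RULE_DPORT_HIGH = 823, 1023


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str            # source IP
    sport: int          # source port
    dst: str            # destination IP
    dport: int          # destination port
    syn: bool = False
    ack: bool = False
    fin: bool = False


def is_syn_only(pkt: Packet) -> bool:
    """ipchains -y: SYN set while ACK and FIN are clear (a connection attempt)."""
    return pkt.syn and not pkt.ack and not pkt.fin


def ssh_reply_rule_accepts(pkt: Packet, fw_ext_ip: str = FW_EXT_IP) -> bool:
    """True if the quoted rule would ACCEPT this packet."""
    return (
        pkt.proto == "tcp"                                   # -p tcp
        and pkt.sport == 22                                  # -s 0/0 22
        and pkt.dst == fw_ext_ip                             # -d $IP_EXT/32
        and RULE_DPORT_LOW <= pkt.dport <= RULE_DPORT_HIGH   # 823:1023
        and not is_syn_only(pkt)                             # ! -y
    )


def explain(pkt: Packet, fw_ext_ip: str = FW_EXT_IP) -> str:
    """Reason string, handy when debugging an 'only ssh breaks' report."""
    if pkt.proto != "tcp":
        return "no match: not TCP"
    if pkt.sport != 22:
        return "no match: source port is not 22"
    if pkt.dst != fw_ext_ip:
        return "no match: not addressed to the firewall's external IP"
    if not (RULE_DPORT_LOW <= pkt.dport <= RULE_DPORT_HIGH):
        return ("no match: client port %d is outside 823:1023 "
                "(ssh client used an ephemeral port)" % pkt.dport)
    if is_syn_only(pkt):
        return "no match: SYN-only packet from port 22 is not a reply (! -y)"
    return "ACCEPT: reply to an ssh session the firewall opened"


# Constructed packets covering the cases discussed in the thread.
SERVER = "203.0.113.5"   # constructed remote ssh server address
SCENARIOS = {
    # Server's SYN/ACK answering a client that bound a port inside 823:1023.
    "reply_low_port": Packet("tcp", SERVER, 22, FW_EXT_IP, 1000, syn=True, ack=True),
    # Same reply, but the client bound an ephemeral port: this rule never matches.
    "reply_high_port": Packet("tcp", SERVER, 22, FW_EXT_IP, 45678, syn=True, ack=True),
    # Unsolicited connection attempt that merely uses source port 22.
    "inbound_syn_from_22": Packet("tcp", SERVER, 22, FW_EXT_IP, 900, syn=True),
    # Wrong protocol entirely.
    "udp_from_22": Packet("udp", SERVER, 22, FW_EXT_IP, 900),
}


def run_scenarios() -> dict:
    """Evaluate every constructed packet against the rule."""
    return {name: (ssh_reply_rule_accepts(p), explain(p)) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (accepted, why) in run_scenarios().items():
        print("%-22s %-6s %s" % (name, "ACCEPT" if accepted else "-", why))
```

The `reply_high_port` case is the symptom the mail describes: once the client stops binding a privileged source port, the reply needs a rule covering ports 1024 and up (as the other services already have), which is why moving the ssh client to a high port is the cleaner fix. In OpenSSH clients of that era the setting was `UsePrivilegedPort` in ssh_config; later releases removed the option and always use an unprivileged source port.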


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user