<still at home> I read briefly over that part about the range of port addresses and made a modification or two. I changed the range and opened 100 UDP ports starting at 1494-1594. Wiped out all the changes I had made, and ultimately started from scratch. A combination of the ipchains ACCEPT and an ipmasq rule that was given to me, the various additions in the network.conf file, and a small matter of sheer luck, and <BAM> it worked. I finally got exactly the result I wanted. Now all I'll need to do is change the IP address to the machine that will really need this access. I still need to get proficient with IP masq and chains so that I can turn it off when I don't want him messing around with my Citrix server.
I really appreciate everyone's help this evening, and I'll try to get a clearer picture of the changes/additions I made posted to the list to be informative to others.. going to bed now.. been an extremely long day... thanks again...

joey

On 15 Aug 2002 19:11:34 -0700 Stephen Lee <[EMAIL PROTECTED]> wrote:
> On Thu, 2002-08-15 at 18:59, [EMAIL PROTECTED] wrote:
> > <at home>
> >
> > I read the same article on Citrix's website, and it did occur that I might need to open multiple ports, although I don't know how to open a range...
> >
> > Second, the Citrix ICA client only gives an error saying <basically> a Citrix connection could not be made, nothing relevant to any debugging.
> >
> > I am able to do the same thing within the IPSec gateway, which is fine for what I really want (just people behind the leaf boxes I set up). I am just stuck with this situation with the vendor of a software that we are about to start using. I'll need to leave an opening up so that they can get to it when an error occurs with their software. Kind of lost, this is my first attempt at port forwarding. I think the basic part (forwarding) appears to be working, as is apparent from the telnet results. There may be more to it on the UDP side. I'll have to contact Citrix tomorrow I guess...
> >
> > Thanks for the assistance, I'm, unfortunately, still not where I want to be, but perhaps tomorrow will be a better day. If you have any other thoughts, I'll still be working on this... Thanks again for all your help...
> >
> > joey
>
> Have a look at the INTERN_AUTOFW0 variable. There should be an example within the config file:
>
> #INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
>
> Where 20000 to 20050 is the range of ports.
>
> It's been a while since I used this feature so you will have to ask the list for more help.
>
> Really gone for dinner this time.
>
> Stephen
>
> > On 15 Aug 2002 18:35:33 -0700 Stephen Lee <[EMAIL PROTECTED]> wrote:
> > > A bunch of ideas or questions:
> > >
> > > Any more UDP denied messages? This is supposed to be simple - portforward 1494 to 192.168.1.202! Try rebooting the firewall I guess.
> > >
> > > I don't know Citrix but are you sure the client is set up correctly and what kind of error messages does it put out (if any)?
> > >
> > > I found this on the Citrix website:
> > >
> > > The initial synchronization between the WinFrame client and the WinFrame server occurs over port 1494, but the actual WinFrame session occurs over a dynamically allocated port. For this reason, it might be necessary to allow connections over a range of TCP/IP ports through the given firewall. If required, these connections should be allowed only between the client and the server.
> > >
> > > That means you might have to open a bunch of ports above 1494.
> > >
> > > Gone for dinner. Good luck.
> > >
> > > Stephen
> > >
> > > On Thu, 2002-08-15 at 18:19, Joey Officer wrote:
> > > > Did that, no change...
> > > >
> > > > Joey
> > > >
> > > > -----Original Message-----
> > > > From: Stephen Lee [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, August 15, 2002 8:19 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: RE: [leaf-user] allowing internal connections w/o IPSec
> > > >
> > > > On Thu, 2002-08-15 at 18:03, Joey Officer wrote:
> > > > > I checked my logs, and found that protocol 17 is being denied, which is UDP, so I am opening that in an attempt. Nothing else looks relevant...
> > > > >
> > > > > Joey
> > > >
> > > > According to the Citrix website you need UDP opened.
> > > >
> > > > http://www.citrix.com/support/solution/SOL00053.HTM
> > > >
> > > > Stephen
> > >
> > > --
> > > [EMAIL PROTECTED]
> > > www.spl-linux.com
>
> --
> [EMAIL PROTECTED]
> www.spl-linux.com

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
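The INTERN_AUTOFW0 value quoted in the thread (-A -r tcp 20000 20050 -h 192.168.1.1) is the piece most likely to be typed wrong, so here is an added example, not code from the thread or from the LEAF project: a POSIX shell dry run that validates such a value (protocol, port range, target host) and prints the commands it is assumed to correspond to. The mapping to "ipmasqadm autofw", the matching ipchains input ACCEPT, and the EXT_IF interface name are assumptions; nothing is applied to the running firewall, the commands are only echoed.

```shell
#!/bin/sh
# Added example, not code from the thread or from LEAF: a dry run that
# validates an INTERN_AUTOFW0-style value before it goes into network.conf
# and prints the commands it is assumed to correspond to.  Nothing here
# touches the running firewall; the commands are only echoed.
# Assumptions: the value is passed verbatim to "ipmasqadm autofw", the
# forwarded ports also need an ipchains ACCEPT on the input chain, and the
# external interface name below is a placeholder.
EXT_IF=eth0   # placeholder external interface

# valid_port N: digits only and within 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: four numeric octets, each 0..255
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# autofw_rules "-A -r PROTO LOW HIGH -h HOST": print the two commands the
# value maps to, or explain on stderr and return 1 if the value is unsafe.
autofw_rules() {
  set -- $1
  [ "$1" = "-A" ] && [ "$2" = "-r" ] && [ "$6" = "-h" ] ||
    { echo "autofw: expected '-A -r PROTO LOW HIGH -h HOST', got '$*'" >&2; return 1; }
  proto=$3 low=$4 high=$5 host=$7
  case "$proto" in tcp|udp) ;; *) echo "autofw: protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
  valid_port "$low" && valid_port "$high" && [ "$low" -le "$high" ] ||
    { echo "autofw: bad port range $low-$high" >&2; return 1; }
  valid_ipv4 "$host" || { echo "autofw: bad target host $host" >&2; return 1; }
  echo "ipmasqadm autofw -A -r $proto $low $high -h $host"
  echo "ipchains -A input -i $EXT_IF -p $proto -d 0/0 $low:$high -j ACCEPT"
}

# Dry run for the thread's case: ICA on 1494 plus the 1494-1594 range,
# TCP and UDP, to the Citrix box at 192.168.1.202.
for value in "-A -r tcp 1494 1594 -h 192.168.1.202" \
             "-A -r udp 1494 1594 -h 192.168.1.202"; do
  autofw_rules "$value" || echo "rejected: $value"
done
```

A reversed range, a non tcp/udp protocol or a malformed host address is rejected before anything would reach the firewall, which is the check worth having when the value is edited by hand late at night.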
