--On Friday, January 17, 2003 8:56 AM +0000 James Neave <[EMAIL PROTECTED]> wrote:

> Hi there,
>
> I've recently had a cable modem installed at my house, shared between 3
> users.
> I've got it all working nicely with the default policies of
>
> net loc REJECT

The default as shipped is actually "net loc DROP".

> loc net ACCEPT
>
> And I have added the following rules to allow my pc (192.168.1.1) to use
> Direct Connect in Active mode behind the firewall.
>
> ACCEPT	net        loc:192.168.1.1:412     tcp
> ACCEPT 	net        loc:192.168.1.1:412     udp
> DNAT  	net        loc:192.168.1.1:412     tcp
> DNAT   	net        loc:192.168.1.1:412     udp
>
> It works fine, but is this the correct way of doing this?

No -- you want:

DNAT  	net        loc:192.168.1.1     tcp	412
DNAT   	net        loc:192.168.1.1     udp	412

> And is it fairly secure?

Once you have changed your rules as recommended above, yes.

> Will I have to use 2 other different ports on the firewall's external
> interface, e.g., 413 and 414, to enable this on the other two machines
> in the house?

Yes: e.g.,

DNAT  	net        loc:192.168.1.2:412     tcp	413
DNAT   	net        loc:192.168.1.2:412     udp	413

> Is there any way to just say OPEN PORT 412?

Not with only one external IP address.

> Next question..
>
> MSN Messenger file sharing and H323
>
> I have to open a range of ports for MSNM's file sharing. Do I have to
> ACCEPT and DNAT all of these ports for all of the 3 machines (using 3
> different ranges)?
>
> I have glanced at the "Netfilter helper modules", but these just confuse
> the hell out of me, I'm afraid my Linux knowledge is very limited.

Someone else will have to answer this -- I avoid both H.323 and MSN IM like the plague (except H.323 through VPN which works nicely).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: teastep \ http://shorewall.sf.net
ICQ: #60745924 \ [EMAIL PROTECTED]
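A small checker for the two rule-file mistakes discussed in this thread, added here as an example and not part of the original mail or of Shorewall itself. It assumes the classic rules layout (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST), parses each line into those columns, flags a port written into DEST with no DEST PORT column (the original rules), and flags two DNAT rules that claim the same external port for different internal hosts (why the second machine needs 413); the sample rules are constructed from the thread.

```python
# Columns of a classic Shorewall /etc/shorewall/rules line, in order.
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

def parse_rule(line):
    """Split one rules line into named columns; absent trailing columns are None."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("rule needs at least ACTION SOURCE DEST PROTO: %r" % line)
    rule = dict(zip(COLUMNS, fields + [None] * (len(COLUMNS) - len(fields))))
    # DEST is zone, zone:addr, or zone:addr:port (the port means 'redirect to this port').
    dest_parts = rule["dest"].split(":")
    rule["dest_zone"] = dest_parts[0]
    rule["dest_addr"] = dest_parts[1] if len(dest_parts) > 1 else None
    rule["dest_port"] = dest_parts[2] if len(dest_parts) > 2 else None
    return rule

def lint_rules(lines):
    """Return (message, line) pairs for the problems the thread walks through."""
    findings = []
    external = {}  # (proto, external port) -> internal host that already claims it
    for line in lines:
        r = parse_rule(line)
        if r["dest_port"] is not None and r["dport"] is None:
            # A port in DEST with an empty DEST PORT column does not limit the rule
            # to port 412 on the outside; the port belongs in the DEST PORT column.
            findings.append(("port %s belongs in the DEST PORT column" % r["dest_port"], line))
            continue
        if r["action"] != "DNAT" or r["dport"] is None:
            continue
        key = (r["proto"], r["dport"])
        if key in external and external[key] != r["dest_addr"]:
            # One public IP: each internal host needs its own external port (412, 413, ...).
            findings.append(("external %s/%s already forwarded to %s"
                             % (r["proto"], r["dport"], external[key]), line))
        external.setdefault(key, r["dest_addr"])
    return findings

# Constructed sample: the original rules, the corrected one, a second machine on
# external port 413, and a third machine that wrongly reuses external port 412.
SAMPLE = """
ACCEPT net loc:192.168.1.1:412 tcp
DNAT   net loc:192.168.1.1:412 tcp
DNAT   net loc:192.168.1.1     tcp 412
DNAT   net loc:192.168.1.2:412 tcp 413
DNAT   net loc:192.168.1.3:412 tcp 412
""".strip().splitlines()

if __name__ == "__main__":
    for message, line in lint_rules(SAMPLE):
        print("%-50s <- %s" % (message, line))
```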


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html