As I read this, I am a bit confused about what your "200.200.200.200/24" is supposed to represent. I *think* it is the external IP address of the Bering router you are trying to connect *to*. If that is right, then you can't use it in hosts.allow (not "host.allow", BTW) the way you are trying to.

The entries in hosts.allow (and hosts.deny) represent source addresses, not interfaces (destination addresses, effectively) on the host itself. The one for the LAN works because all LAN hosts have addresses in the 192.168.1.0/24 range.

But not all Internet hosts have addresses in the 200.200.200.200/24 range. If the host you are trying to connect *from* has an IP address outside that range, then this entry will not permit you to connect (and probably some other entry will block the connection, but that part is not in what you report here).

OTOH, perhaps the *remote* address you are trying to connect from is 200.200.200.200. (But in this case, I cannot make any sense of your nmap test, so I think it unlikely.) Then the hosts.allow entry you wrote should be correct (assuming sh-httpd is the actual daemon name as it appears in inetd.conf, something Jeff told you to check in an earlier reply) and you need to consider other possible sources of the problem.

For example, you mention that the Bering router is on a pppoe connection. Some ISPs block incoming traffic to port 80 on their low-price residential services; might yours be one of them? Or might you have made a mistake with the "shorewall clear" command? In this case, we may need to see (or, at least, you may need to review) a complete configuration report as described in the SR FAQ.

A couple of additional comments are below.

If you post again, you might benefit from stopping this hokum of substituting fake IP addresses and letting us see what you are really doing (and how it really fails). Whenever you change something, you run the risk of hiding the key clue to your problem ... it's usually best if you *only* conceal passwords, and even then be very clear that you are doing so.

BTW, the LEAF security model really is not designed to let the Weblet be accessible from off-LAN. I feel obliged to caution you, at least in passing, that what you are trying to do is probably a bad idea.

At 03:33 PM 5/29/2003 -0300, [EMAIL PROTECTED] wrote:
Thanks so far, but I think I have done all and still couldn't connect.
1) I tried with shorewall clear and still have the symptom.
2) from the internal net it works, so sh-httpd is executed by inetd
3) I really do not know what to put in host.allow and host.deny
   Suppose extIP=200.200.200.200/24, I thought
      ALL: 192.168.1.
      sh-httpd:200.200.200.0/255.255.255.0
   should work, and since my reverse isn't public I thought that I
   should comment the PARANOID entry from host.deny
4) I still can't connect to port 80. It seems that the port isn't open
   I tried nmap -sT 200.200.200.200 -p 80 and it doesn't show up as open

What is the result nmap reports?


5) I can connect thru ssh from 200.200.200.200 to this Bering1.2 router, so
   my path/routing are correct

6) It seems to me that inetd (www) is listening only on eth1, and not on
   ppp0 (PPPoE over eth0), but couldn't find why.

Why does it "seem" that way? inetd itself knows nothing about interfaces; it does not listen selectively.


Can I check after connecting in the router if inetd is listening on the
   ppp0-IP at port 80?

The usual way to do this is with "netstat -ln", but I'm told that this netstat option is not implemented on Bering (is this really true?). If you have a telnet app on the router itself, you could try "telnet ext.er.nal.IPaddr 80" and see if you get a response.


Thanks,

Alex
[old stuff deleted]





leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
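
The point made in the reply above, that hosts.allow patterns are compared with the connecting client's source address and not with the router's own address, as an added example (not part of the original message and not LEAF or tcp_wrappers code). It implements a simplified subset of the pattern syntax; the function names and the 198.51.100.7 test address are constructed for illustration.

```python
import ipaddress
import re

# Constructed hosts.allow content, built from the two entries quoted in the thread.
HOSTS_ALLOW = """\
ALL: 192.168.1.
sh-httpd: 200.200.200.0/255.255.255.0
"""

def _items(field):
    """Split a daemon or client list on commas and whitespace."""
    return [x for x in re.split(r"[,\s]+", field.strip()) if x]

def client_matches(pattern, src):
    """Compare one client pattern with the connection's SOURCE address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # address prefix such as "192.168.1."
        return str(src).startswith(pattern)
    if "/" in pattern:                     # net/mask such as 200.200.200.0/255.255.255.0
        return src in ipaddress.ip_network(pattern, strict=False)
    return pattern == str(src)             # single literal address

def allowed_by(rules, daemon, src_ip):
    """Return the first rule that grants `daemon` to `src_ip`, or None.

    None only means hosts.allow has no match; tcp_wrappers then consults
    hosts.deny and grants access if that file has no match either.
    The address the client connected TO is never an input here.
    """
    src = ipaddress.ip_address(src_ip)
    for raw in rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        if not any(d in ("ALL", daemon) for d in _items(daemons)):
            continue
        if any(client_matches(p, src) for p in _items(clients)):
            return line
    return None

if __name__ == "__main__":
    # 198.51.100.7 is a constructed documentation address outside both ranges.
    for ip in ("192.168.1.20", "200.200.200.77", "198.51.100.7"):
        print(ip, "->", allowed_by(HOSTS_ALLOW, "sh-httpd", ip))
```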
