YES, THANKS, Now I remember that my PPPoE provider is blocking incoming connections on port 80, so I will redirect some other From_ISP_open port like 8888 (where did I define PREROUTING REDIRECT/DNAT things in Shorewall?).

And, I mistyped the nmap command. I wanted to represent my monitoring workstation with 200.200.200.200, and not the IP of the router (that I checked with something like atIP200.200.200.200# nmap -sT ext.er.nal.IPaddr -p 80)

But why do you feel that giving access from my monitoring workstation through the weblet at the router isn't a good idea? The router is far away from me and the people on the internal net can't understand anything it shows. I thought that the weblet is only showing information and that it doesn't allow any change to the router. I also pretend only to allow this access after I get in with ssh and temporarily activate it for my remote supervision.

Thanks again for your help

Alex

Cópia Ray Olszewski <[EMAIL PROTECTED]>:

> As I read this, I am a bit confused about what your "200.200.200.200/24" is
> supposed to represent. I *think* it is the external IP address of the
> Bering router you are trying to connect *to*. If that is right, then you
> can't use it in hosts.allow (not "host.allow", BTW) the way you are
> trying to.
>
> The entries in hosts.allow (and hosts.deny) represent source addresses, not
> interfaces (destination addresses, effectively) on the host itself. The one
> for the LAN works because all LAN hosts have addresses in the
> 192.168.1.0/24 range.
>
> But not all Internet hosts have addresses in the 200.200.200.200/24 range.
> If the host you are trying to connect *from* has an IP address outside that
> range, then this entry will not permit you to connect (and probably some
> other entry will block the connection, but that part is not in what you
> report here).
>
> OTOH, perhaps the *remote* address you are trying to connect from is
> 200.200.200.200. (But in this case, I cannot make any sense of your nmap
> test, so I think it unlikely.)
> Then the hosts.allow entry you wrote should
> be correct (assuming sh-httpd is the actual daemon name as it appears in
> inetd.conf, something Jeff told you to check in an earlier reply) and you
> need to consider other possible sources of the problem.
>
> For example, you mention that the Bering router is on a pppoe connection.
> Some ISPs block incoming traffic to port 80 on their low-price residential
> services; might yours be one of them? Or might you have made a mistake with
> the "shorewall clear" command? In this case, we may need to see (or, at
> least, you may need to review) a complete configuration report as described
> in the SR FAQ.
>
> A couple of additional comments are below.
>
> If you post again, you might benefit from stopping this hokum of
> substituting fake IP addresses and letting us see what you are really doing
> (and how it really fails). Whenever you change something, you run the risk
> of hiding the key clue to your problem ... it's usually best if you *only*
> conceal passwords, and even then be very clear that you are doing so.
>
> BTW, the LEAF security model really is not designed to let the Weblet be
> accessible from off-LAN. I feel obliged to caution you, at least in
> passing, that what you are trying to do is probably a bad idea.
>
> At 03:33 PM 5/29/2003 -0300, [EMAIL PROTECTED] wrote:
> >Thanks so far, but I think I have done all and still couldn't connect.
> >1) I tried with shorewall clear and still have the symptom.
> >2) from the internal net it works, so sh-httpd is executed by inetd
> >3) I really do not know what to put in host.allow and host.deny
> >   Suppose extIP=200.200.200.200/24, I thought
> >       ALL: 192.168.1.
> >       sh-httpd:200.200.200.0/255.255.255.0
> >   should work, and since my reverse isn't public I thought that I
> >   should comment the PARANOID entry from host.deny
> >4) I still can't connect to port 80.
> >   It seems that the port isn't open
> >   I tried nmap -sT 200.200.200.200 -p 80 and it doesn't show up as open
>
> What is the result nmap reports?
>
> >5) I can connect through ssh from 200.200.200.200 to this Bering1.2 router, so
> >   my path/routing are correct
> >
> >6) It seems to me that inetd (www) is listening only on eth1, and not on
> >   ppp0 (PPPoE over eth0), but couldn't find why.
>
> Why does it "seem" that way? inetd itself knows nothing about interfaces;
> it does not listen selectively.
>
> >Can I check after connecting in the router if inetd is listening on the
> >   ppp0-IP at port 80?
>
> The usual way to do this is with "netstat -ln", but I'm told that this
> netstat option is not implemented on Bering (is this really true?). If you
> have a telnet app on the router itself, you could try "telnet
> ext.er.nal.IPaddr 80" and see if you get a response.
>
> >Thanks,
> >
> >Alex
> [old stuff deleted]
>
> ------------------------------------------------------------------------
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
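
An added example, not part of the thread and not tcp_wrappers code: a simplified, IPv4-only model of the client-pattern matching described in hosts_access(5), run over the two hosts.allow lines quoted above. It illustrates Ray's point that the patterns are compared with the connecting client's source address; the function names and the client addresses used to exercise it are constructed for illustration.

```python
import ipaddress

# The two hosts.allow lines quoted in the thread.
HOSTS_ALLOW = """\
ALL: 192.168.1.
sh-httpd:200.200.200.0/255.255.255.0
"""

def host_matches(pattern, client_ip):
    """Compare one client pattern with the SOURCE address of a connection."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # Leading-fields form, e.g. "192.168.1." covers 192.168.1.x only.
        return client_ip.startswith(pattern)
    if "/" in pattern:
        # net/mask form: matches when (address AND mask) equals net exactly,
        # so a "net" that still has host bits set can never match.
        net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/"))
        return int(ipaddress.IPv4Address(client_ip)) & mask == net
    return pattern == client_ip  # single literal address

def allowed_by(rules_text, daemon, client_ip):
    """Return the first rule line granting access, or None if none does."""
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")  # daemon_list : client_list [: command]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if any(host_matches(p, client_ip) for p in clients):
            return line
    return None

if __name__ == "__main__":
    # Constructed client (source) addresses: LAN host, monitoring
    # workstation inside 200.200.200.0/24, and an unrelated Internet host.
    for src in ("192.168.1.20", "200.200.200.200", "203.0.113.5"):
        print(src, "->", allowed_by(HOSTS_ALLOW, "sh-httpd", src))
```

A `None` result only means hosts.allow did not grant access; hosts.deny is then consulted, which this sketch does not model.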
