On Sunday 19 Jan 2003 5:43 pm, [EMAIL PROTECTED] wrote:
> This is my rules for shorewall.

> #     #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
> #     #                                       PORT    PORT(S) DEST
> #     DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69
> ###########################################################################
>### #ACTION  SOURCE            DEST            PROTO   DEST    SOURCE     ORIGINAL
> #                                             PORT    PORT(S)    DEST
> ACCEPT        net     fw      udp     53,631  -
> ACCEPT        net     fw      tcp     80,443,53,22,20,21,25,109,110,143,631   -
> ACCEPT        masq    fw      udp     53,631  -
> ACCEPT        masq    fw      tcp     80,443,53,22,20,21,25,109,110,143,631   -
> ACCEPT        loc     fw      udp     53,631  -
> ACCEPT        loc     fw      tcp     80,443,53,22,20,21,25,109,110,143,631   -
> ACCEPT        masq    fw      tcp     domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp    -
> ACCEPT        masq    fw      udp     domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp    -
> ACCEPT        fw      masq    tcp     631,137,138,139 -
> ACCEPT        fw      masq    udp     631,137,138,139 -
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Is this correct?
> Bill Nash
>

With this file Samba (137,138,139) works from the firewall to the masqueraded 
local network, but not from the network to the firewall.

The local masqueraded network can access an http or https web server on the 
firewall.

CUPS (631) works from the firewall to the local masqueraded network and vice 
versa. CUPS also works from the internet to the firewall. You most certainly 
do *not* want that. It is a security hole.

You also have DNS (53) working from the net to the firewall. Again this is a 
security hole!!

You have FTP (20, 21), SSH (22) and SMTP (25) open to the internet. This is 
OK so long as you are running FTP, SSH or SMTP (mail) servers, but is 
unnecessary if you are not.

You have POP2 (109), POP3 (110) and IMAP (143) services open to the net. You 
should only do this if you retrieve your email from remote sites, and have 
adequate security systems in place. If not, this is a security hole!!

As a general rule, the absolute minimum of ports should be open from 'net' to 
'fw'.

There is good documentation on shorewall at www.shorewall.net

derek


> > On Sunday 19 Jan 2003 5:06 pm, Anne Wilson wrote:
> >> On Sunday 19 Jan 2003 4:59 pm, [EMAIL PROTECTED] wrote:
> >> > Hello,
> >> >
> >> >   I just had a hard drive crash with my server that was running Linux
> >> > Mandrake
> >> > 8.1.  I replaced the hard drive and loaded Linux Mandrake 9.0.
> >>
> >> restore information from my backup and everything seemed to be running
> >> fine.  I then tried to set up the internet connection.  This is where I'm
> >> having the problem.  Now I cannot get the server to see anything
> >> on the local LAN.  The local LAN can ssh into the server and surf
> >> the internet and I'm able to get my email. I had Samba set up before
> >> I installed the internet connection; now I'm unable to connect via
> >> Samba or NFS.   I changed the firewall settings to allow everything
> >> and this stopped the LAN from accessing the internet. Is there something I
> >> can do to correct this?
> >>
> >> I'm sure someone more expert will give you a full answer in an hour or
> >> two, but just as a starter - I understand that there have been many
> >> connection problems where the default firewall has been installed,
> >> shorewall, I think it's called.  If that is the case, you should
> >> uninstall it and look for alternatives on your disks.
> >>
> >> As I said, a good deal more advice should follow this.  Good luck.
> >>
> >> Anne
> >
> > The shorewall firewall in 9.0 is easier to set up by hand than with the
> > GUI.
> >
> > Just edit /etc/shorewall/rules, read the examples, then edit the lines at
> > the bottom which define which service names (or port numbers) are
> > allowed to access from the local lan to the net or firewall
> > (net = the internet, fw = the server itself, masq = the local net with NAT). Other
> > interesting files are /etc/shorewall/zones and /etc/shorewall/policy.
> >
> > After making edits
> > service shorewall restart
> >
> > derek
> > --
> > ----------------------------------
> > www.jennings.homelinux.net

-- 
----------------------------------
www.jennings.homelinux.net
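An added check for the point derek makes about the 'net' to 'fw' path. This script is written for this page and is not code posted by anyone in the thread; it parses the rules file from the post (the two wrapped lines rejoined) in Shorewall's column format, reports which destination ports a given zone pair ACCEPTs, and flags the net-to-fw entries using the reply's own assessment: CUPS, DNS and the mail-retrieval ports are holes, and FTP, SSH and SMTP are acceptable only if that server really runs on the box. The MINIMAL_RULES text, the assumption that SSH and SMTP servers do run on the firewall, and the inline service-name table (used instead of /etc/services so the script runs anywhere) are all mine, not from the thread.

```python
"""Audit a Shorewall /etc/shorewall/rules file for what the 'net' zone can
reach on the firewall itself. Added example, not the list poster's code."""

# Constructed input: the rules from the post, with the two wrapped lines
# rejoined. Zones as used in the thread: net = Internet, fw = the firewall
# host, loc/masq = the local (NATed) network.
POSTED_RULES = """
#ACTION  SOURCE  DEST  PROTO  DEST_PORT  SOURCE_PORT  ORIGINAL_DEST
ACCEPT  net   fw    udp  53,631  -
ACCEPT  net   fw    tcp  80,443,53,22,20,21,25,109,110,143,631  -
ACCEPT  masq  fw    udp  53,631  -
ACCEPT  masq  fw    tcp  80,443,53,22,20,21,25,109,110,143,631  -
ACCEPT  loc   fw    udp  53,631  -
ACCEPT  loc   fw    tcp  80,443,53,22,20,21,25,109,110,143,631  -
ACCEPT  masq  fw    tcp  domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp  -
ACCEPT  masq  fw    udp  domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp  -
ACCEPT  fw    masq  tcp  631,137,138,139  -
ACCEPT  fw    masq  udp  631,137,138,139  -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed alternative (my assumption: the box really runs SSH and SMTP).
# net -> fw is cut to those two; DNS, web, CUPS and Samba stay LAN-only.
MINIMAL_RULES = """
ACCEPT  net   fw    tcp  22,25  -
ACCEPT  loc   fw    udp  53,631,137,138  -
ACCEPT  loc   fw    tcp  53,80,443,631,137,139  -
ACCEPT  fw    loc   tcp  631,137,138,139  -
ACCEPT  fw    loc   udp  631,137,138,139  -
"""

# Service names that appear in the posted file, resolved without consulting
# /etc/services (values are the standard IANA assignments).
SERVICES = {
    "domain": 53, "bootps": 67, "http": 80, "https": 443, "imap": 143,
    "pop3": 110, "smtp": 25, "nntp": 119, "ntp": 123, "ssh": 22, "ftp": 21,
}

# Verdicts taken from the reply: never expose these to 'net'; the second
# group is fine only when the firewall actually runs that server.
NEVER_FROM_NET = {631: "CUPS", 53: "DNS", 109: "POP2", 110: "POP3", 143: "IMAP"}
ONLY_IF_SERVED = {20: "FTP-data", 21: "FTP", 22: "SSH", 25: "SMTP"}


def port_number(token):
    """Turn '80' or 'http' into an int; unknown service names stay as strings."""
    if token.isdigit():
        return int(token)
    return SERVICES.get(token.lower(), token.lower())


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST [PROTO [DEST_PORT ...]]' lines, skipping
    comments. A zone qualifier such as loc:192.168.1.3 is reduced to the
    zone name; a missing or '-' DEST_PORT means every port."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed rule: %r" % raw)
        proto = fields[3].lower() if len(fields) > 3 else "-"
        dports = fields[4] if len(fields) > 4 else "-"
        ports = None if dports == "-" else frozenset(
            port_number(p) for p in dports.split(","))
        rules.append({"action": fields[0].upper(), "src": fields[1].split(":")[0],
                      "dst": fields[2].split(":")[0], "proto": proto, "ports": ports})
    return rules


def exposure(rules, src, dst):
    """Map proto -> set of destination ports ACCEPTed or DNATed from src to
    dst. The value 'all' means some rule left DEST_PORT unrestricted."""
    exposed = {}
    for r in rules:
        if r["action"] not in ("ACCEPT", "DNAT") or r["src"] != src or r["dst"] != dst:
            continue
        cur = exposed.get(r["proto"])
        if cur == "all":
            continue
        exposed[r["proto"]] = "all" if r["ports"] is None else (cur or set()) | set(r["ports"])
    return exposed


def audit_net_to_fw(rules):
    """Return (proto, port, verdict) findings for everything 'net' may reach on 'fw'."""
    findings = []
    for proto, ports in exposure(rules, "net", "fw").items():
        if ports == "all":
            findings.append((proto, "all", "hole: every port open to the Internet"))
            continue
        for port in sorted(ports, key=str):
            if port in NEVER_FROM_NET:
                findings.append((proto, port, "hole: %s reachable from the Internet" % NEVER_FROM_NET[port]))
            elif port in ONLY_IF_SERVED:
                findings.append((proto, port, "review: %s, keep only if that server runs here" % ONLY_IF_SERVED[port]))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("minimal", MINIMAL_RULES)):
        print("== %s rules, net -> fw" % name)
        for proto, port, verdict in audit_net_to_fw(parse_rules(text)):
            print("  %s/%s  %s" % (proto, port, verdict))
```

Run it as-is to see the seven holes the reply lists for the posted file (UDP 53 and 631, TCP 53, 631, 109, 110, 143) against the two review items for the minimal file; the same exposure() call with ("masq", "fw") shows that the named-service lines quietly add nntp and bootps to the LAN-facing set as well. Whatever the script says, confirm it against the live ruleset (`iptables -L -n` on the box) after `service shorewall restart`, since policy-file defaults can open more than the rules file shows.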
