RE: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Gael Martin

Sorry to be a pain in the arse, but this still doesn't work.
I've opened ports 20 and 21 (TCP) and forwarded them to another Mandrake box with
proFTPd (IP 192.168.0.251) to set FTP in active mode.
I've also opened 80 and forwarded it to another machine with Apache (IP
192.168.0.23); this works fine and doesn't affect the proxy.
But as soon as I open port 21 the internet connection is broken, although I
can see in /var/squid/log/access.log that people are trying to connect but
they can't get anywhere.
Basically the browser says "Web page found..." but just doesn't display it;
after a long while it eventually times out. All the other things seem to
work (FTP, POP, etc.), just HTTP is broken.
I can open other ports and the thing just works fine, but not port 21.
I've attached my config (the one you get by doing a backup) if that helps.
Even if the actual service, i.e. proFTPd, is not running or the machine is not
powered up, the proxy refuses to display the pages if I've got port 21 open, so I
don't think it is something to do with proFTPd.
Also I was trying to change the Apache port on the second machine (192.168.0.23)
to use 81 instead and then open port 81 on SNF, but this wouldn't work either
(I've tried 8080, 79, and other numbers). It seems to me that I can only
reach my internal web server from outside if it is set up on port 80 (I've
tried to access it locally using port 81 and this worked fine). That's a shame
since I'd like to be able to open several web servers.

BTW: when you say "open all high ports", what do you actually mean? Have I got
to manually open all ports above 1024?

Thanks

Gael






SystemName=firewall
DomainName=dummyDomain.com
DNSPrimaryIP=62.128.xxx.xxx
DNSSecondaryIP=
AdminInterface=eth0
FullAdminName=admin
ChangeAdminPasswd='set: change-password.pl'
CurrentMirror=ftp://ftp.stealth.net/pub/mirrors/ftp.mandrake.com/Mandrake/updates
PackagesList=squid
OfficialList='get: mirrors.pl'
PackagesToUpdate='get: packages_to_update.pl'
PackagesToDownload='get: download_packages.pl'
PackagesToInstall='get: rpm-install.pl'
PackageDescription='get: show_description.pl'
DHCPClient=dhcp-client
DHCPServer=off
DHCPInterface=eth0
DHCPServerEnd=254
DHCPServerStart=65
DHCP_LEASE_DEFAULT=21600
DHCP_LEASE_MAX=43200
DNS_SERVER_DYN_UPDATE=Y
DNS_UPDATER_SECRET=Y
SYSLOGLocal=yes
SYSLOGTargetServer=
SYSLOGTargetServerLevel=
SYSLOGTty=tty12
SYSLOGTtyLevel=alert
PreludeState=off
SnortState=off
SnortLogs='get: snortsnarf.sh'
MessagesLogs='get: logs.pl'
DynDnsAccount=dnsaccount
DynDnsPassword=dnspassword
DynDnsService=off
DNSServer=off
TimeZoneList='get: timezone.pl tzlist'
Zone=GMT
ChangeDate='set: date.pl $md5 '
NTPServer=
ServicesList='get: services.pl list'
ServiceStatus='get: services.pl status'
ServiceRestart='set: services.pl restart'
ServiceReload='set: services.pl reload'
ServiceStart='set: services.pl start'
ServiceStop='set: services.pl stop'
ServiceRemove='set: services.pl remove'
ServiceAdd='set: services.pl add'
SquidServer=transparent
SquidParents=N
SquidPort=3328
SquidCacheDir=/var/spool/squid
SquidCacheSize=100
SquidWarningMesage=<A HREF="mailto:[EMAIL PROTECTED]">Mail to Admin</A>
SquidWarningMesagePosition=Bottom
[EMAIL PROTECTED]
SquidRedirector=squidGuard
SquidAnonymizer=Y
SquidGuardAddPrivilegedIp='set: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/privilegedsource/ips -a '
SquidGuardDeletePrivilegedIp='set: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/privilegedsource/ips -d'
SquidGuardPrivilegedIpsList='get: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/privilegedsource/ips -l'
SquidGuardAddBannedIp='set: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/bannedsource/ips -a '
SquidGuardDeleteBannedIp='set: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/bannedsource/ips -d'
SquidGuardBannedIpsList='get: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/bannedsource/ips -l'
SquidGuardAddLansourceNetworkMask='set: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/lansource/lan -a '
SquidGuardDeleteLansourceNetworkMask='set: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/lansource/lan -d'
SquidGuardLansourceNetworkMasksList='get: squidGuard_manage.pl $md5 
/usr/share/squidGuard-1.1.4/db/lansource/lan -l'
SquidGuardAddBanneddestinationUrl='set: squidGuard_manage.pl $md5 

Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Paul Smith


Old version of SNF? Is there a new one I have somehow missed?

---
Paul W. Smith
Network Operations Analyst
MCP, CLA, CRA, BCCA
Enterprise Services
Metafore
T: 416-778-1300 x7366
F: 416-778-8917
[EMAIL PROTECTED]
http://www.metafore.ca
Anywhere, anytime. 360 degrees by 365 days.



From: Florin <florin@mandrakesoft.com>
Sent by: florin@mandrakesoft.com
Date: 11/23/2001 09:02 AM
Reply-To: cooker-firewall
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [Cooker-firewall] Ports Forward and Proxy Problems




Gael Martin [EMAIL PROTECTED] writes:

 Hi
 Well here it doesn't.
 All I've done is go and add ports 21 and 80 and forward them to the
 respective machines. But as soon as I put 21 in it just blocks the HTTP traffic.
 The browser says "Web Site found. Waiting for reply" and stays like that
 forever.
 It seems that the packets don't get to the internal machine when port 21
 is open. Now if I open 22 instead it works, but not the FTP though.
 I'm sending you screenshots of the 3 tabs so you can tell me if I'm
 doing anything wrong.

 Gael

Hello there,

I have just installed the old version of the snf and you are absolutely
right, there is a problem with squid and ftp port-forwarding ... I'll have
a look again and try to find the bug ...

Thank you ... I have never seen this before.

I have received your screenshots and everything seems fine.

cheers,
--
Florin  http://www.mandrakesoft.com








Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Denis HAVLIK

On Fri, 23 Nov 2001, Paul Smith wrote:

+ Old version of SNF? Is there a new one I have somehow missed?

Florin is working on a new version.





RE: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-23 Thread Ingo Bauer

Hi Florin . :)

Are there any .iso's on any of the cooker's ?

Ingo

-Original Message-
From: Florin [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 23, 2001 10:32 AM
To: [EMAIL PROTECTED]
Subject: Re: [Cooker-firewall] Ports Forward and Proxy Problems


Paul Smith [EMAIL PROTECTED] writes:

 Old version of SNF? Is there a new one I have somehow missed?
 

NEW VERSION ON COOKER ... yes, it's been a week already.

There is already a new working 2.4 kernel version on cooker. Simply take the
snf package, a virtual package that will require everything you need.

cheers,
-- 
Florin  http://www.mandrakesoft.com




[Cooker-firewall] Ports Forward and Proxy Problems

2001-11-22 Thread Gael Martin

Hi All.
I've got a LAN connection to the internet (ADSL) plugged into my SNF and on
the other end my internal network. I've set up the transparent proxy server
so that all requests to port 80 from the internal network are redirected to port
3228 of squid. Everything was just working fine until I decided to make one
of my internal machines available outside the internal network. I've set up
my internal FTP server and then went on SNF (Restrict Access/Internet
Traffic) to add the FTP port to the list of public traffic allowed and then
put the IP address of my internal machine 10.0.0.23 into the "forward to
internal host" box. I gave the FTP connection details to someone outside the
internal network; he connected OK to the FTP machine, downloaded and uploaded
OK, fantastic. But half an hour later some guys from the internal network
came to me saying "We can't connect to the internet anymore". I looked
for ages until I finally found that as soon as I removed the FTP port
forwarding in SNF it worked again. So I can't have the proxy server and port
forwarding working at the same time, which is really annoying.
What am I doing wrong?
If someone could give a workaround on this one I'd be very glad.
BTW: I've tried with a manual proxy, with and without auth, and it still doesn't
work.
It seems to me that it's only the HTTP packets that get lost somewhere,
because I can still use FTP or POP when I turn port forwarding ON.
Gael






Re: [Cooker-firewall] Ports Forward and Proxy Problems

2001-11-22 Thread Florin

Hello there,

here are two points of view for the ftp connections with a firewall:

   - open tcp ports 21 (control) *and* 20 (data) in incoming traffic on the 
   firewall to allow active ftp from the clients
   - open tcp port 21 and all high ports (> 1024) on the firewall to allow 
   passive clients

I have set here squid in transparent mode and then I did a port forwarding
of ftp to some internal ftp server using proftpd.

with ncftp or lftp clients, connect and then type: set passive off
(ncftp), or set ftp:passive-mode off, and then you will be able to connect ...

squid and ftp port-forwarding work together ...

-- 
Florin  http://www.mandrakesoft.com
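The two rule sets above (and Gael's question about what "open all high ports" means) come down to how the FTP data channel is negotiated: in active mode the client sends a PORT command naming a client-side port, and the server connects back from port 20; in passive mode the server answers PASV with a 227 reply naming a server-side port above 1023, and the client connects to it. The firewall either admits the whole high range statically, or it reads the PORT/PASV line on the control connection and admits just that one flow. The script below is an added example, not code from the thread, SNF or proftpd: it parses both RFC 959 encodings, works out the single data flow that would need admitting, and applies the check a stateful helper makes, that the announced address matches the peer of the control connection (the classic FTP bounce defence). All inputs are constructed; the 1024 floor is a policy choice of this example.

```python
"""Work out which FTP data-channel flow a firewall must admit, and check it.

Added example for this thread; constructed inputs, not SNF or proftpd code.
"""
import re
from ipaddress import IPv4Address, ip_address

# RFC 959 encodings: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and
# "PORT h1,h2,h3,h4,p1,p2"; the port is p1*256 + p2.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(\s*" + _SIX + r"\s*\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)


def _decode(six):
    """Turn the six comma-separated numbers into (IPv4Address, port)."""
    vals = [int(x) for x in six]
    if any(v > 255 for v in vals):
        raise ValueError("FTP address octet out of range: %r" % (six,))
    host = IPv4Address("%d.%d.%d.%d" % tuple(vals[:4]))
    return host, vals[4] * 256 + vals[5]


def parse_pasv_reply(line):
    """Parse a server 227 reply; returns (server_host, data_port)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def parse_port_command(line):
    """Parse a client PORT command; returns (client_host, data_port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def plan_data_channel(client_ip, server_ip, line):
    """Given the control-connection endpoints and one PORT/PASV line, return
    the data-channel flow the firewall would have to admit, with ok=False and
    a reason when the line fails the helper's sanity checks."""
    client_ip, server_ip = ip_address(client_ip), ip_address(server_ip)
    stripped = line.strip()
    if stripped.upper().startswith("PORT"):
        host, port = parse_port_command(stripped)
        # Active: the server connects back from port 20 to the client's port.
        flow = {"mode": "active", "src": str(server_ip), "sport": 20,
                "dst": str(host), "dport": port}
        expected = client_ip
    else:
        host, port = parse_pasv_reply(stripped)
        # Passive: the client opens a second connection to the announced
        # server port; this is the "high port" a static rule set has to open.
        flow = {"mode": "passive", "src": str(client_ip), "sport": None,
                "dst": str(host), "dport": port}
        expected = server_ip
    # Bounce check: the announced address must be the peer that issued it.
    if host != expected:
        flow.update(ok=False, reason="announced %s does not match control "
                                     "peer %s" % (host, expected))
        return flow
    # Policy choice in this example: data ports are expected to be ephemeral.
    if port < 1024:
        flow.update(ok=False, reason="data port %d is privileged" % port)
        return flow
    flow.update(ok=True, reason="")
    return flow


if __name__ == "__main__":
    # Constructed control-channel lines between an outside client and the
    # forwarded server; addresses are documentation/RFC 1918 ranges.
    for line in ("227 Entering Passive Mode (192,168,0,251,19,137)",
                 "PORT 203,0,113,5,4,1",
                 "PORT 10,0,0,23,4,1"):          # bounce attempt: not the client
        print(plan_data_channel("203.0.113.5", "192.168.0.251", line))
```

Two things follow from this. First, the passive data port is chosen by the server per session, so a static rule set can only admit it by opening the whole range above 1023, which is what "open all high ports" means; a connection-tracking FTP helper (ip_conntrack_ftp on a 2.4 kernel) reads the 227 reply and admits only that one flow. Second, a server behind a DNAT forward announces its private address in the 227 reply, exactly as the first sample line does, so without a NAT helper rewriting that address (ip_nat_ftp on 2.4) outside passive clients fail even though port 21 is forwarded; that is why switching the client to active mode, as suggested above, works around it.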