Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2004-01-01 Thread Michael Rogers
--- Ray Olszewski [EMAIL PROTECTED] wrote:
> Without getting bogged down in too much detail -- I did some research on
> your problem and I **think** it lies in the details of how ipchains does
> NATing and port forwarding.
>
> This URL -- http://saturn5.hn.org/ps2.html -- explains what you need to do
> and how to do it on a BSD router. I can translate that for iptables, but
> I'm too rusty on ipchains to do it there (or even to know for sure whether
> it *can* be done). Perhaps someone here who remembers the intricacies of
> ipchains better than I can pick this up and provide the needed detail.
>
> The short version: the system needs a set of NATing rules that NAT LAN
> sport 6000-6999, -AND- will ACCEPT unrelated traffic back to those ports. I
> can believe that Linksys routers do this ... they are way less paranoid than
> LEAF routers. Standard ipchains port forwarding (I **think**) doesn't do
> this because it does not reliably NAT connections *originating* from the
> LAN host at (say) port 6000 to router external port 6000 ... it only
> port-forwards traffic originating to router external port 6000 correctly.

This makes sense, but I'm having trouble finding any
info on getting this translated to ipchains...  anyone
else have a clue how to do this???

Or, is there a way to just put my ps/2's IP only under
a DMZ without affecting my other pc's?

Michael Rogers



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
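
Added example, not part of the thread and not ipchains code: a toy Python model of the NAT behaviour Ray describes in the message above, showing what the game server and an unrelated peer observe with plain masquerading, with a port forward only, and with a port forward plus source-port preservation for LAN sport 6000-6999. The Router class, the scenario() helper, and the external, server and peer addresses are constructed for illustration; only the PS/2 address and the port range come from the thread.

```python
from itertools import count

MASQ_POOL_START = 61000            # Linux 2.2 masquerading pool is 61000-65095
PS2 = "192.168.1.199"              # PS/2 address from the thread
EXT = "203.0.113.10"               # constructed external address
SERVER = ("198.51.100.5", 10070)   # constructed game server
PEER = ("198.51.100.77", 6000)     # constructed second player, never contacted first


class Router:
    """Simplified UDP NAT: masquerade table plus optional forwards."""

    def __init__(self, forwards=None, keep_sport=None):
        self.forwards = forwards or {}   # ext port -> LAN ip, open to any remote
        self.keep_sport = keep_sport     # (lan_ip, lo, hi): source ports left unchanged
        self.masq = {}                   # ext port -> (lan_ip, lan_port, remote)
        self._pool = count(MASQ_POOL_START)

    def outbound(self, lan_ip, sport, remote):
        """Translate a LAN packet; return the (ip, port) the remote end sees."""
        host, lo, hi = self.keep_sport or (None, 0, -1)
        keep = lan_ip == host and lo <= sport <= hi
        ext_port = sport if keep else next(self._pool)
        self.masq[ext_port] = (lan_ip, sport, remote)
        return (EXT, ext_port)

    def inbound(self, remote, dport):
        """Return the LAN (ip, port) reached via EXT:dport, or None if dropped."""
        if dport in self.forwards:                  # forward: any remote may send
            return (self.forwards[dport], dport)
        entry = self.masq.get(dport)
        if entry and entry[2] == remote:            # masquerade: replies only
            return entry[:2]
        return None


def scenario(forward, keep):
    """Return (source port the server sees, where the peer's packet lands)."""
    fwd = {p: PS2 for p in range(6000, 7000)} if forward else None
    r = Router(fwd, (PS2, 6000, 6999) if keep else None)
    seen = r.outbound(PS2, 6000, SERVER)
    return seen[1], r.inbound(PEER, 6000)


if __name__ == "__main__":
    for fwd, keep in [(False, False), (True, False), (True, True)]:
        print(f"forward={fwd} keep_sport={keep} ->", scenario(fwd, keep))
```

In the model, the forward exposes only the listed ports on the one LAN host, which is narrower than placing the whole host in a DMZ.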


Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-30 Thread Michael Rogers
--- Ray Olszewski [EMAIL PROTECTED] wrote:
> At 12:34 PM 12/29/2003 -0800, Michael Rogers wrote:
>> I know this is probably simple and trivial, but I
>> can't get it to work for the life of me...
>>
>> I use Dachstein-1.0.2 as a firewall for my windows
>> machines behind my t-1.  The only thing they do is
>> browse the internet and I ssh to my external servers,
>> play some games at times.. normal stuff.  There are no
>> servers behind the firewall that need to be opened to
>> the outside world.
>>
>> My problem is I got a ps/2, with Socom-II and a
>> Mic/Headset, got the ps2 online behind the firewall
>> with no problems (I use static IP's for all my
>> machines).  But I can't get the mic/headset to work
>> online... it works in single player mode and online at
>> my cousin's house behind a linksys router, so I know
>> the mic/headset is good.
>>
>> I've tried numerous times/different options to opening
>> up these ports for/to my ps/2  mic to work but with
>> no luck.  Reading up, I believe the ports I need to
>> open are:  tcp-10070 through 10080 and udp 6000-6999
>> and udp 10070.
>>
>> Can anyone help me out with a simple way to open these
>> up for my ps/2...  my config IP's:
>> Dachstein system: 192.168.1.254
>> PS/2:  192.168.1.199
>
> It would be easier to help if you provided the standard diagnostics for
> your system (see the SR FAQ). Without them, I'll offer a guess -- firewalls
> of the vintage of Dach often blocked access to remote ports around 6000,
> due to a well-known security hole involving remote X Window connections. My
> *guess* is that the version of Dach you are using -- or the drop-in
> firewall, if you are using EchoWall or Seawall -- includes that limitation,
> and that's what is biting you. If so, there is some entry in
> /etc/network.conf, or a related file -- or the config file for the drop-in
> firewall -- that puts a DENY rule for these ports into one of the chains
> (probably OUTPUT).
>
> Also, the phrase "open up" is meaningless in this context. Do you merely
> mean that the firewall has to ACCEPT traffic to and from these ports, or
> that it has to port-forward it to a specific IP address, or that it needs
> some sort of special helper module (like ftp does), or what? Did your
> cousin need to do anything special with the Linksys, for example ... that
> would give a good hint of what the Dach firewall needs to be told.
 
 
 
Ok, sorry about that, I should have read that SR FAQ
first, anyway I built this years ago, so don't exactly
remember what was all in it.  I uploaded the disk
image I used at:
http://www.tristateweb.com/dachstein-v1.0.2-1680.exe

If anyone wanted to get it to check.  Also (this may
do the trick) here is some of the standard diagnostic
as in the FAQ:

uname -a:  Linux firewall 2.2.19-3-LEAF #1 Sat Dec 1 12:15:05 CST 2001 i386 unknown

lsmod:  ones I'm using are:  ip_masq_portfw,
ip_masq_mfw, ip_masq_ftp, ip_masq_autofw, ne2k-pci,
8390, pci-scan

ipchains -nvL: produced way too much to retype here,
but from the web interface/firewall rules I get:
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt  tosa tosx  ifname  mark  outsize  source            destination  ports
    0     0 DENY   icmp l-   0xFF 0x00  *                      0.0.0.0/0         0.0.0.0/0    5 -   *
    0     0 DENY   icmp l-   0xFF 0x00  *                      0.0.0.0/0         0.0.0.0/0    13 -   *
    0     0 DENY   icmp l-   0xFF 0x00  *                      0.0.0.0/0         0.0.0.0/0    14 -   *
    0     0 DENY   all  l-   0xFF 0x00  eth0                   0.0.0.0           0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   255.255.255.255   0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   127.0.0.0/8       0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   224.0.0.0/4       0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   10.0.0.0/8        0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   172.16.0.0/12     0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   192.168.0.0/16    0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   0.0.0.0/8         0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   128.0.0.0/16      0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   191.255.0.0/16    0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0                   192.0.0.0/24      0.0.0.0/0    n/a
    0     0 DENY   all  l-   0xFF 0x00  eth0

[leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-29 Thread Michael Rogers
I know this is probably simple and trivial, but I
can't get it to work for the life of me...

I use Dachstein-1.0.2 as a firewall for my windows
machines behind my t-1.  The only thing they do is
browse the internet and I ssh to my external servers,
play some games at times.. normal stuff.  There are no
servers behind the firewall that need to be opened to
the outside world.

My problem is I got a ps/2, with Socom-II and a
Mic/Headset, got the ps2 online behind the firewall
with no problems (I use static IP's for all my
machines).  But I can't get the mic/headset to work
online... it works in single player mode and online at
my cousin's house behind a linksys router, so I know
the mic/headset is good.

I've tried numerous times/different options to opening
up these ports for/to my ps/2  mic to work but with
no luck.  Reading up, I believe the ports I need to
open are:  tcp-10070 through 10080 and udp 6000-6999
and udp 10070.

Can anyone help me out with a simple way to open these
up for my ps/2...  my config IP's:
Dachstein system: 192.168.1.254
PS/2:  192.168.1.199

If you could reply to my email as well I'd appreciate
it as I'm in digest mode, thanks for any help!

Michael Rogers
[EMAIL PROTECTED]

