Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2004-01-01 Thread Michael Rogers
--- Ray Olszewski [EMAIL PROTECTED] wrote:
> Without getting bogged down in too much detail -- I did some research on
> your problem and I **think** it lies in the details of how ipchains does
> NATing and port forwarding.
>
> This URL -- http://saturn5.hn.org/ps2.html -- explains what you need to do
> and how to do it on a BSD router. I can translate that for iptables, but
> I'm too rusty on ipchains to do it there (or even to know for sure whether
> it *can* be done). Perhaps someone here who remembers the intricacies of
> ipchains better than I can pick this up and provide the needed detail.
>
> The short version: the system needs a set of NATing rules that NAT LAN
> sport 6000-6999, -AND- will ACCEPT unrelated traffic back to those ports. I
> can believe that Linksys routers do this ... they are way less paranoid than
> LEAF routers. Standard ipchains port forwarding (I **think**) doesn't do
> this because it does not reliably NAT connections *originating* from the
> LAN host at (say) port 6000 to router external port 6000 ... it only
> port-forwards traffic originating to router external port 6000 correctly.

This makes sense, but I'm having trouble finding any
info on getting this translated to ipchains... does anyone
else have a clue how to do this?

Or, is there a way to just put my ps/2's IP alone in
a DMZ without affecting my other PCs?

Michael Rogers
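Michael asks above how to translate Ray's description into ipchains. The following is an added example, not from the thread and not Dachstein's own /etc/network.conf format: raw ipchains and ipmasqadm commands (autofw for the UDP range, portfw for the fixed ports; both modules appear in Michael's lsmod output), plus Ray's suggested check for an old X11 DENY rule. It assumes eth0 is the external interface and a placeholder public address, and uses the PS2 address and ports given in the thread.

```shell
#!/bin/sh
# Added example for this thread; not code from the list or from Dachstein's
# own /etc/network.conf. Assumes: PS2 at 192.168.1.199 (from the thread),
# eth0 is the external interface, EXT_IP is a placeholder public address,
# and the ipchains/ipmasqadm tools are present (the autofw and portfw
# modules both appear in Michael's lsmod output).
PS2=192.168.1.199
EXT_IF=eth0
EXT_IP=${EXT_IP:-203.0.113.10}   # placeholder; use the router's real address

# With DRY_RUN set, print each command instead of executing it, so the
# rule set can be reviewed before it touches a live firewall.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Ray's guess: an old anti-X11 DENY already covers port 6000. Pipe the text
# of `ipchains -nvL output` in on stdin; prints any DENY rule whose
# destination port (last column) starts in 6000-6999. A hit belongs in the
# generating config (/etc/network.conf or the drop-in firewall's file),
# not deleted live: the chains are rebuilt from that config at boot.
x_deny_rules() {
    awk '$3 == "DENY" && $NF ~ /^6[0-9][0-9][0-9](:[0-9]+)?$/ { print }'
}

# Constructed sample listing (not from the thread) to exercise the check.
SAMPLE_OUTPUT='Chain output (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target prot opt  tosa tosx ifname mark outsize source    destination ports
    0     0 DENY   tcp  ----- 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * ->   6000:6063
    0     0 ACCEPT all  ----- 0xFF 0x00 *                   0.0.0.0/0 0.0.0.0/0   n/a'

# Open the game ports for the PS2 only: a hole scoped to one host and a
# few ports, not a DMZ that exposes the whole LAN.
ps2_rules() {
    # input chain: let inbound traffic reach the router's external ports
    run ipchains -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 -d "$EXT_IP" 6000:6999 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p tcp -s 0.0.0.0/0 -d "$EXT_IP" 10070:10080 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 -d "$EXT_IP" 10070 -j ACCEPT
    # autofw: forward the whole UDP range to the PS2 (portfw takes one port at a time)
    run ipmasqadm autofw -A -r udp 6000 6999 -h "$PS2"
    # portfw: static one-to-one forwards for the fixed ports
    p=10070
    while [ "$p" -le 10080 ]; do
        run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$p" -R "$PS2" "$p"
        p=$((p + 1))
    done
    run ipmasqadm portfw -a -P udp -L "$EXT_IP" 10070 -R "$PS2" 10070
}
```

Entered by hand these rules last only until the next reboot; on Dachstein the equivalent settings belong in /etc/network.conf (or the drop-in firewall's config) so they are regenerated at boot.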


__
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278alloc_id=3371op=click

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-30 Thread Michael Rogers
--- Ray Olszewski [EMAIL PROTECTED] wrote:
> At 12:34 PM 12/29/2003 -0800, Michael Rogers wrote:
> > I know this is probably simple and trivial, but I
> > can't get it to work for the life of me...
> >
> > I use Dachstein-1.0.2 as a firewall for my windows
> > machines behind my t-1.  The only thing they do is
> > browse the internet and I ssh to my external servers,
> > play some games at times.. normal stuff.  There are no
> > servers behind the firewall that need to be opened to
> > the outside world.
> >
> > My problem is I got a ps/2, with Socom-II and a
> > Mic/Headset, got the ps2 online behind the firewall
> > with no problems (I use static IP's for all my
> > machines).  But I can't get the mic/headset to work
> > online... it works in single player mode and online at
> > my cousin's house behind a linksys router, so I know
> > the mic/headset is good.
> >
> > I've tried numerous times/different options to opening
> > up these ports for/to my ps/2 & mic to work but with
> > no luck.  Reading up, I believe the ports I need to
> > open are:  tcp-10070 through 10080 and udp 6000-6999
> > and udp 10070.
> >
> > Can anyone help me out with a simple way to open these
> > up for my ps/2...  my config IP's:
> > Dachstein system: 192.168.1.254
> > PS/2:  192.168.1.199
>
> It would be easier to help if you provided the standard diagnostics for
> your system (see the SR FAQ). Without them, I'll offer a guess -- firewalls
> of the vintage of Dach often blocked access to remote ports around 6000,
> due to a well-known security hole involving remote X Window connections. My
> *guess* is that the version of Dach you are using -- or the drop-in
> firewall, if you are using EchoWall or Seawall -- includes that limitation,
> and that's what is biting you. If so, there is some entry in
> /etc/network.conf, or a related file -- or the config file for the drop-in
> firewall -- that puts a DENY rule for these ports into one of the chains
> (probably OUTPUT).
>
> Also, the phrase "open up" is meaningless in this context. Do you merely
> mean that the firewall has to ACCEPT traffic to and from these ports, or
> that it has to port-forward it to a specific IP address, or that it needs
> some sort of special helper module (like ftp does), or what? Did your
> cousin need to do anything special with the Linksys, for example ... that
> would give a good hint of what the Dach firewall needs to be told.

Ok, sorry about that, I should have read that SR FAQ
first. Anyway, I built this years ago, so I don't exactly
remember what was all in it.  I uploaded the disk
image I used at:
http://www.tristateweb.com/dachstein-v1.0.2-1680.exe
if anyone wants to get it to check.  Also (this may
do the trick) here is some of the standard diagnostic
output as in the FAQ:

uname -a:  Linux firewall 2.2.19-3-LEAF #1 Sat Dec 1
12:15:05 CST 2001 i386 unknown

lsmod:  the ones I'm using are:  ip_masq_portfw,
ip_masq_mfw, ip_masq_ftp, ip_masq_autofw, ne2k-pci,
8390, pci-scan

ipchains -nvL: produced way too much to retype here,
but from the web interface/firewall rules I get:
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt  tosa tosx ifname mark outsize source           destination ports
    0     0 DENY   icmp l-   0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0   5 ->   *
    0     0 DENY   icmp l-   0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0   13 ->  *
    0     0 DENY   icmp l-   0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0   14 ->  *
    0     0 DENY   all  l-   0xFF 0x00 eth0                0.0.0.0          0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                255.255.255.255  0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                127.0.0.0/8      0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                224.0.0.0/4      0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                10.0.0.0/8       0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                172.16.0.0/12    0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                192.168.0.0/16   0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                0.0.0.0/8        0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                128.0.0.0/16     0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                191.255.0.0/16   0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0                192.0.0.0/24     0.0.0.0/0   n/a
    0     0 DENY   all  l-   0xFF 0x00 eth0

Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-30 Thread Ray Olszewski
Without getting bogged down in too much detail -- I did some research on
your problem and I **think** it lies in the details of how ipchains does
NATing and port forwarding.

This URL -- http://saturn5.hn.org/ps2.html -- explains what you need to do
and how to do it on a BSD router. I can translate that for iptables, but
I'm too rusty on ipchains to do it there (or even to know for sure whether
it *can* be done). Perhaps someone here who remembers the intricacies of
ipchains better than I can pick this up and provide the needed detail.

The short version: the system needs a set of NATing rules that NAT LAN
sport 6000-6999, -AND- will ACCEPT unrelated traffic back to those ports. I
can believe that Linksys routers do this ... they are way less paranoid than
LEAF routers. Standard ipchains port forwarding (I **think**) doesn't do
this because it does not reliably NAT connections *originating* from the
LAN host at (say) port 6000 to router external port 6000 ... it only
port-forwards traffic originating to router external port 6000 correctly.

At 09:24 AM 12/30/2003 -0800, Michael Rogers wrote:
> --- Ray Olszewski [EMAIL PROTECTED] wrote:
> > At 12:34 PM 12/29/2003 -0800, Michael Rogers wrote:
> > I know this is probably simple and trivial, but I
> > can't get it to work for the life of me...
> [details deleted]


Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-30 Thread Sean E. Covel
I still have one Dachstein firewall kicking around.  There were specific
modules (helpers) to get around some of the more complicated stuff that
ipchains didn't handle.  These modules went by the name:

ip_masq_x

There were a bunch of these.  They are like the ip_conntrack modules for
iptables.

Some of them were:

ip_masq_ftp
ip_masq_quake
ip_masq_h323

If you look in /etc/modules you will see a list of them near the
bottom.  I have no idea if any of these pertain to your application, or
if there is one for your app that could be compiled for Dachstein.  It
is a direction to look though! ;-)

Good luck,

Sean

On Tue, 2003-12-30 at 14:01, Ray Olszewski wrote:
> Without getting bogged down in too much detail -- I did some research on
> your problem and I **think** it lies in the details of how ipchains does
> NATing and port forwarding.
>
> This URL -- http://saturn5.hn.org/ps2.html -- explains what you need to do
> and how to do it on a BSD router. I can translate that for iptables, but
> I'm too rusty on ipchains to do it there (or even to know for sure whether
> it *can* be done). Perhaps someone here who remembers the intricacies of
> ipchains better than I can pick this up and provide the needed detail.
>
> The short version: the system needs a set of NATing rules that NAT LAN
> sport 6000-6999, -AND- will ACCEPT unrelated traffic back to those ports. I
> can believe that Linksys routers do this ... they are way less paranoid than
> LEAF routers. Standard ipchains port forwarding (I **think**) doesn't do
> this because it does not reliably NAT connections *originating* from the
> LAN host at (say) port 6000 to router external port 6000 ... it only
> port-forwards traffic originating to router external port 6000 correctly.
>
> At 09:24 AM 12/30/2003 -0800, Michael Rogers wrote:
> > --- Ray Olszewski [EMAIL PROTECTED] wrote:
> > > At 12:34 PM 12/29/2003 -0800, Michael Rogers wrote:
> > > I know this is probably simple and trivial, but I
> > > can't get it to work for the life of me...
> > [details deleted]


[leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-29 Thread Michael Rogers
I know this is probably simple and trivial, but I
can't get it to work for the life of me...

I use Dachstein-1.0.2 as a firewall for my windows
machines behind my t-1.  The only thing they do is
browse the internet and I ssh to my external servers,
play some games at times.. normal stuff.  There are no
servers behind the firewall that need to be opened to
the outside world.

My problem is I got a ps/2, with Socom-II and a
Mic/Headset, got the ps2 online behind the firewall
with no problems (I use static IP's for all my
machines).  But I can't get the mic/headset to work
online... it works in single player mode and online at
my cousin's house behind a linksys router, so I know
the mic/headset is good.

I've tried numerous times/different options to opening
up these ports for/to my ps/2 & mic to work but with
no luck.  Reading up, I believe the ports I need to
open are:  tcp-10070 through 10080 and udp 6000-6999
and udp 10070.

Can anyone help me out with a simple way to open these
up for my ps/2...  my config IP's:
Dachstein system: 192.168.1.254
PS/2:  192.168.1.199

If you could reply to my email as well I'd appreciate
it as I'm in digest mode, thanks for any help!

Michael Rogers
[EMAIL PROTECTED]



Re: [leaf-user] simple? firewall port question - dachstein-1.0.2

2003-12-29 Thread Ray Olszewski
At 12:34 PM 12/29/2003 -0800, Michael Rogers wrote:
> I know this is probably simple and trivial, but I
> can't get it to work for the life of me...
>
> I use Dachstein-1.0.2 as a firewall for my windows
> machines behind my t-1.  The only thing they do is
> browse the internet and I ssh to my external servers,
> play some games at times.. normal stuff.  There are no
> servers behind the firewall that need to be opened to
> the outside world.
>
> My problem is I got a ps/2, with Socom-II and a
> Mic/Headset, got the ps2 online behind the firewall
> with no problems (I use static IP's for all my
> machines).  But I can't get the mic/headset to work
> online... it works in single player mode and online at
> my cousin's house behind a linksys router, so I know
> the mic/headset is good.
>
> I've tried numerous times/different options to opening
> up these ports for/to my ps/2 & mic to work but with
> no luck.  Reading up, I believe the ports I need to
> open are:  tcp-10070 through 10080 and udp 6000-6999
> and udp 10070.
>
> Can anyone help me out with a simple way to open these
> up for my ps/2...  my config IP's:
> Dachstein system: 192.168.1.254
> PS/2:  192.168.1.199

It would be easier to help if you provided the standard diagnostics for
your system (see the SR FAQ). Without them, I'll offer a guess -- firewalls
of the vintage of Dach often blocked access to remote ports around 6000,
due to a well-known security hole involving remote X Window connections. My
*guess* is that the version of Dach you are using -- or the drop-in
firewall, if you are using EchoWall or Seawall -- includes that limitation,
and that's what is biting you. If so, there is some entry in
/etc/network.conf, or a related file -- or the config file for the drop-in
firewall -- that puts a DENY rule for these ports into one of the chains
(probably OUTPUT).

Also, the phrase "open up" is meaningless in this context. Do you merely
mean that the firewall has to ACCEPT traffic to and from these ports, or
that it has to port-forward it to a specific IP address, or that it needs
some sort of special helper module (like ftp does), or what? Did your
cousin need to do anything special with the Linksys, for example ... that
would give a good hint of what the Dach firewall needs to be told.
