[ale] firewall help with mandrake 9.0

william R. Nash william at wrnash.net
Sun Jan 5 19:14:44 EST 2003


hello,


    I need some help with my firewall.  Problem: I cannot connect to my email 
server now after I installed the internet connection.  I can connect from the local 
computer, but now I cannot connect from any workstations.  I think I have the 
port open.  Can anyone help me with this?   Thanks, Bill Nash.


#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#
#	Rules in this file govern connection establishment. Requests and
#	responses are automatically allowed using connection tracking.
#
#	In most places where an IP address or subnet is allowed, you
#	can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#	indicate that the rule matches all addresses except the address/subnet
#	given. Notice that no white space is permitted between "!" and the
#	address/subnet.
#
# Columns are:
#
#
#	ACTION		ACCEPT, DROP, REJECT, DNAT or REDIRECT
#
#				ACCEPT   -- allow the connection request
#				DROP     -- ignore the request
#				REJECT   -- disallow the request and return an
#					    icmp-unreachable or an RST packet.
#				DNAT     -- Forward the request to another
#					    system (and optionally another
#					    port).
#				REDIRECT -- Redirect the request to a local
#					    port on the firewall.
#
#			May optionally be followed by ":" and a syslog log
#			level (e.g, REJECT:info). This causes the packet to be
#			logged at the specified level.
#
#	SOURCE		Source hosts to which the rule applies. May be a zone
#                       defined in /etc/shorewall/zones or $FW to indicate the
#			firewall itself. If the ACTION is DNAT or REDIRECT,
#			sub-zones of the specified zone may be excluded from
#			the rule by following the zone name with "!" and a
#			comma-separated list of sub-zone names.
#
#			Clients may be further restricted to a list of subnets
#			and/or hosts by appending ":" and a comma-separated
#			list of subnets and/or hosts. Hosts may be specified
#			by IP or MAC address; mac addresses must begin with
#			"~" and must use "-" as a separator.
#
#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
#
#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
#						Internet
#
#			loc:192.168.1.1,192.168.1.2
#						Hosts 192.168.1.1 and
#						192.168.1.2 in the local zone.
#			loc:~00-A0-C9-15-39-78  Host in the local zone with
#                                               MAC address 00:A0:C9:15:39:78.
#
#			Alternatively, clients may be specified by interface
#			by appending ":" followed by the interface name. For
#			example, loc:eth1 specifies a client that
#			communicates with the firewall system through eth1.
#
#	DEST		Location of Server. May be a zone defined in
#			/etc/shorewall/zones or $FW to indicate the firewall
#			itself.
#
#			The server may be further restricted to a particular
#			subnet, host or interface by appending ":" and the
#			subnet, host or interface. See above.
#
#			The port that the server is listening on may be
#			included and separated from the server's IP address by
#			":". If omitted, the firewall will not modify the
#			destination port. A destination port may only be
#			included if the ACTION is DNAT or REDIRECT.
#
#			Example: loc:192.168.1.3:3128 specifies a local
#			server at IP address 192.168.1.3 and listening on port
#			3128. The port number MUST be specified as an integer
#			and not as a name from /etc/services.
#
#			if the ACTION is REDIRECT, this column needs only to
#			contain the port number on the firewall that the
#			request should be redirected to.
#
#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
#			"all" or "related". If "related", the remainder of the
#			entry must be omitted and connection requests that are
#			related to existing requests will be accepted.
#
#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
#			names (from /etc/services), port numbers or port
#			ranges; if the protocol is "icmp", this column is
#			interpreted as the destination icmp-type(s).
#
#			A port range is expressed as <low port>:<high port>.
#			
#			This column is ignored if PROTOCOL = all but must be
#			entered if any of the following fields are supplied.
#			In that case, it is suggested that this field contain
#			 "-"
#
#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#			only a single Netfilter rule will be generated if in
#			this list and the CLIENT PORT(S) list below:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	CLIENT PORT(S)	(Optional) Port(s) used by the client. If omitted,
#			any source port is acceptable. Specified as a comma-
#			separated list of port names, port numbers or port
#			ranges.
#
#			If you don't want to restrict client ports but need to
#			specify an ADDRESS in the next column, then place "-"
#			in this column.
#
#			If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
#			only a single Netfilter rule will be generated if in
#			this list and the DEST PORT(S) list above:
#			1. There are 15 or less ports listed.
#			2. No port ranges are included.
#			Otherwise, a separate rule will be generated for each
#			port.
#
#	ORIGINAL DEST	(Optional -- only allowed if ACTION is DNAT or 
#                       REDIRECT) If included and different from the IP
#			address given in the SERVER column, this is an address
#			on some interface on the firewall and connections to
#			that address will be forwarded to the IP and port
#			specified in the DEST column.
#
#			The address may optionally be followed by
#			a colon (":") and a second IP address. This causes
#			Shorewall to use the second IP address as the source
#			address in forwarded packets. See the Shorewall
#			documentation for restrictions concerning this feature.
#			If no source IP address is given, the original source
#			address is not altered.
#
#	Example: Accept SMTP requests from the DMZ to the internet
#
#	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
#	#                               PORT    PORT(S) DEST
#	ACCEPT	dmz	net	  tcp	smtp
#
#	Example: Forward all ssh and http connection requests from the internet
#		 to local system 192.168.1.3
#
#	#ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
#	#                                       PORT    PORT(S) DEST
#	DNAT	net	loc:192.168.1.3 tcp	ssh,http
#
#	Example: Redirect all locally-originating www connection requests to
#		 port 3128 on the firewall (Squid running on the firewall
#		 system) except when the destination address is 192.168.2.2
#
#	#ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL
#	#                               PORT    PORT(S) DEST
#	REDIRECT loc	3128      tcp	www	 -	!192.168.2.2
#
#	Example: All http requests from the internet to address
#                130.252.100.69 are to be forwarded to 192.168.1.3
#
#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
#	#                               	PORT    PORT(S) DEST
#	DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69
##############################################################################
#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL
#                       	        	PORT    PORT(S)    DEST
ACCEPT	net	fw	udp	53,631	-
ACCEPT	net	fw	tcp	80,443,53,22,20,21,25,109,110,143,631	-
ACCEPT	masq	fw	udp	53,631	-
ACCEPT	masq	fw	tcp	80,443,53,22,20,21,25,109,110,143,631	-
ACCEPT	loc	fw	udp	53,631	-
ACCEPT	loc	fw	tcp	80,443,53,22,20,21,25,109,110,143,631	-
ACCEPT	masq	fw	tcp	domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp	-
ACCEPT	masq	fw	udp	domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp	-
ACCEPT	fw	masq	tcp	631,137,138,139	-
ACCEPT	fw	masq	udp	631,137,138,139	-
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
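Added example (not from the post or from Shorewall itself): a small Python checker that parses rules lines in the column format described in the file header above and reports which rule, if any, first matches a zone pair, protocol and destination port, a miss meaning the zone pair's entry in /etc/shorewall/policy decides. It assumes a constructed subset of /etc/services and a constructed sample that mixes lines from the posted file with one made-up REJECT:info line, and it ignores the CLIENT PORT(S), "!" negation and ORIGINAL DEST columns.

```python
import re

# Constructed subset of /etc/services (Shorewall resolves names from the real file).
SERVICES = {"domain": 53, "ssh": 22, "smtp": 25, "http": 80, "www": 80,
            "https": 443, "pop3": 110, "imap": 143, "nntp": 119, "ntp": 123}

# Constructed sample: three lines from the posted file plus a made-up REJECT:info
# line that exercises the syslog level and a port range.
SAMPLE = """\
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
ACCEPT\tnet\tfw\ttcp\t80,443,53,22,20,21,25,109,110,143,631\t-
ACCEPT\tloc\tfw\ttcp\t80,443,53,22,20,21,25,109,110,143,631\t-
ACCEPT\tloc\tfw\tudp\t53,631\t-
REJECT:info\tloc\tnet\ttcp\t137:139\t-
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

def parse_ports(spec):
    """'ssh,http,1024:2047' -> [(22, 22), (80, 80), (1024, 2047)]; '-' means any."""
    ranges = []
    for item in (spec.split(",") if spec not in ("", "-") else []):
        low, _, high = item.partition(":")          # range is <low port>:<high port>
        lo = int(low) if low.isdigit() else SERVICES[low]
        hi = lo if not high else (int(high) if high.isdigit() else SERVICES[high])
        ranges.append((lo, hi))
    return ranges

def parse_rules(text):
    """Return rules as dicts; the zone is the part of SOURCE/DEST before ':'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments and the LAST LINE marker
        if not line:
            continue
        cols = re.split(r"\s+", line) + [""] * 7       # pad the optional trailing columns
        action, _, level = cols[0].partition(":")      # ACTION may carry a syslog level
        if cols[3] == "related" or action.upper() == "REDIRECT":
            continue   # 'related' has no further columns; REDIRECT's DEST is a port, not a zone
        rules.append({"action": action.upper(), "log": level or None,
                      "src": cols[1].split(":")[0], "dst": cols[2].split(":")[0],
                      "proto": cols[3].lower(), "dports": parse_ports(cols[4])})
    return rules

def first_match(rules, src_zone, dst_zone, proto, port):
    """First matching rule's action, or None (then /etc/shorewall/policy decides)."""
    for r in rules:
        if ((r["src"], r["dst"]) == (src_zone, dst_zone) and r["proto"] in ("all", proto)
                and (not r["dports"] or any(lo <= port <= hi for lo, hi in r["dports"]))):
            return r["action"]
    return None
```

Run against the posted file, a check such as first_match(rules, "loc", "net", "tcp", 25) returning None shows that a workstation's connection to a mail server beyond the firewall is not decided by any of these rules at all, only by the policy file.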