[ale] firewall help with mandrake 9.0
Dow Hurst
dhurst at kennesaw.edu
Thu Jan 30 10:36:02 EST 2003
Just a quick glance makes me think that you don't have a rule for
letting returning packets back in from the Internet to the local net.
Note your source and destinations. Your firewall sure is allowed to see
a lot of stuff it doesn't need to while the local net doesn't get packets
coming from the Internet. I am not an iptables person nor a smoothwall
person. You need to test some more rules though.
Dow
william R. Nash wrote:
>Hello,
>
>
> I need some help with my firewall. Problem: I cannot connect to my email
>server now after I installed the internet connection. I can connect from the local
>computer but now I cannot connect from any workstations. I think I have the
>port open. Can anyone help me with this? Thanks, Bill Nash.
>
>
>#
># Shorewall version 1.3 - Rules File
>#
># /etc/shorewall/rules
>#
># Rules in this file govern connection establishment. Requests and
># responses are automatically allowed using connection tracking.
>#
># In most places where an IP address or subnet is allowed, you
># can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
># indicate that the rule matches all addresses except the address/subnet
># given. Notice that no white space is permitted between "!" and the
># address/subnet.
>#
># Columns are:
>#
>#
># ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT
>#
># ACCEPT -- allow the connection request
># DROP -- ignore the request
># REJECT -- disallow the request and return an
># icmp-unreachable or an RST packet.
># DNAT -- Forward the request to another
># system (and optionally another
># port).
># REDIRECT -- Redirect the request to a local
># port on the firewall.
>#
># May optionally be followed by ":" and a syslog log
># level (e.g., REJECT:info). This causes the packet to be
># logged at the specified level.
>#
># SOURCE Source hosts to which the rule applies. May be a zone
># defined in /etc/shorewall/zones or $FW to indicate the
># firewall itself. If the ACTION is DNAT or REDIRECT,
># sub-zones of the specified zone may be excluded from
># the rule by following the zone name with "!" and a
># comma-separated list of sub-zone names.
>#
># Clients may be further restricted to a list of subnets
># and/or hosts by appending ":" and a comma-separated
># list of subnets and/or hosts. Hosts may be specified
># by IP or MAC address; mac addresses must begin with
># "~" and must use "-" as a separator.
>#
># dmz:192.168.2.2 Host 192.168.2.2 in the DMZ
>#
># net:155.186.235.0/24 Subnet 155.186.235.0/24 on the
># Internet
>#
># loc:192.168.1.1,192.168.1.2
># Hosts 192.168.1.1 and
># 192.168.1.2 in the local zone.
># loc:~00-A0-C9-15-39-78 Host in the local zone with
># MAC address 00:A0:C9:15:39:78.
>#
># Alternatively, clients may be specified by interface
># by appending ":" followed by the interface name. For
># example, loc:eth1 specifies a client that
># communicates with the firewall system through eth1.
>#
># DEST Location of Server. May be a zone defined in
># /etc/shorewall/zones or $FW to indicate the firewall
># itself.
>#
># The server may be further restricted to a particular
># subnet, host or interface by appending ":" and the
># subnet, host or interface. See above.
>#
># The port that the server is listening on may be
># included and separated from the server's IP address by
># ":". If omitted, the firewall will not modifiy the
># destination port. A destination port may only be
># included if the ACTION is DNAT or REDIRECT.
>#
># Example: loc:192.168.1.3:3128 specifies a local
># server at IP address 192.168.1.3 and listening on port
># 3128. The port number MUST be specified as an integer
># and not as a name from /etc/services.
>#
># if the ACTION is REDIRECT, this column needs only to
># contain the port number on the firewall that the
># request should be redirected to.
>#
># PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
># "all" or "related". If "related", the remainder of the
># entry must be omitted and connection requests that are
># related to existing requests will be accepted.
>#
># DEST PORT(S) Destination Ports. A comma-separated list of Port
># names (from /etc/services), port numbers or port
># ranges; if the protocol is "icmp", this column is
># interpreted as the destination icmp-type(s).
>#
># A port range is expressed as <low port>:<high port>.
>#
># This column is ignored if PROTOCOL = all but must be
># entered if any of the following fields are supplied.
># In that case, it is suggested that this field contain
># "-"
>#
># If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
># only a single Netfilter rule will be generated if in
># this list and the CLIENT PORT(S) list below:
># 1. There are 15 or less ports listed.
># 2. No port ranges are included.
># Otherwise, a separate rule will be generated for each
># port.
>#
># CLIENT PORT(S) (Optional) Port(s) used by the client. If omitted,
># any source port is acceptable. Specified as a comma-
># separated list of port names, port numbers or port
># ranges.
>#
># If you don't want to restrict client ports but need to
># specify an ADDRESS in the next column, then place "-"
># in this column.
>#
># If MULTIPORT=Yes in /etc/shorewall/shorewall.conf, then
># only a single Netfilter rule will be generated if in
># this list and the DEST PORT(S) list above:
># 1. There are 15 or less ports listed.
># 2. No port ranges are included.
># Otherwise, a separate rule will be generated for each
># port.
>#
># ORIGINAL DEST (Optional -- only allowed if ACTION is DNAT or
># REDIRECT) If included and different from the IP
># address given in the SERVER column, this is an address
># on some interface on the firewall and connections to
># that address will be forwarded to the IP and port
># specified in the DEST column.
>#
># The address may optionally be followed by
># a colon (":") and a second IP address. This causes
># Shorewall to use the second IP address as the source
># address in forwarded packets. See the Shorewall
># documentation for restrictions concerning this feature.
># If no source IP address is given, the original source
># address is not altered.
>#
># Example: Accept SMTP requests from the DMZ to the internet
>#
># #ACTION    SOURCE    DEST              PROTO  DEST      SOURCE   ORIGINAL
># #                                             PORT      PORT(S)  DEST
># ACCEPT     dmz       net               tcp    smtp
>#
># Example: Forward all ssh and http connection requests from the internet
>#          to local system 192.168.1.3
>#
># #ACTION    SOURCE    DEST              PROTO  DEST      SOURCE   ORIGINAL
># #                                             PORT      PORT(S)  DEST
># DNAT       net       loc:192.168.1.3   tcp    ssh,http
>#
># Example: Redirect all locally-originating www connection requests to
>#          port 3128 on the firewall (Squid running on the firewall
>#          system) except when the destination address is 192.168.2.2
>#
># #ACTION    SOURCE    DEST              PROTO  DEST      SOURCE   ORIGINAL
># #                                             PORT      PORT(S)  DEST
># REDIRECT   loc       3128              tcp    www       -        !192.168.2.2
>#
># Example: All http requests from the internet to address
>#          130.252.100.69 are to be forwarded to 192.168.1.3
>#
># #ACTION    SOURCE    DEST              PROTO  DEST      SOURCE   ORIGINAL
># #                                             PORT      PORT(S)  DEST
># DNAT       net       loc:192.168.1.3   tcp    80        -        130.252.100.69
>##############################################################################
>#ACTION   SOURCE  DEST  PROTO  DEST                                                   SOURCE   ORIGINAL
>#                              PORT                                                   PORT(S)  DEST
>ACCEPT    net     fw    udp    53,631                                                 -
>ACCEPT    net     fw    tcp    80,443,53,22,20,21,25,109,110,143,631                  -
>ACCEPT    masq    fw    udp    53,631                                                 -
>ACCEPT    masq    fw    tcp    80,443,53,22,20,21,25,109,110,143,631                  -
>ACCEPT    loc     fw    udp    53,631                                                 -
>ACCEPT    loc     fw    tcp    80,443,53,22,20,21,25,109,110,143,631                  -
>ACCEPT    masq    fw    tcp    domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp   -
>ACCEPT    masq    fw    udp    domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp   -
>ACCEPT    fw      masq  tcp    631,137,138,139                                        -
>ACCEPT    fw      masq  udp    631,137,138,139                                        -
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--
__________________________________________________________
Dow Hurst                        Office: 770-499-3428
Systems Support Specialist       Fax:    770-423-6744
1000 Chastain Rd., Bldg. 12
Chemistry Department SC428       Email:  dhurst at kennesaw.edu
Kennesaw State University                Dow.Hurst at mindspring.com
Kennesaw, GA 30144
*********************************
*Computational Chemistry is fun!*
*********************************
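Checking a rules file like the one quoted above by eye is error-prone, so the following is an added example (not code from this thread and not Shorewall's own code): a small Python parser for the ACTION / SOURCE / DEST / PROTO / DEST PORT(S) column format the quoted rules-file header describes, with a lookup that reports which zone pair has a rule for a given protocol and port. The embedded rules are a constructed copy of the ones Bill posted (zone names net, loc, masq and fw come from that file); the SERVICES table is an assumed subset of /etc/services, enough to resolve the service names used there.

```python
"""Coverage check for a Shorewall 1.3-style rules file.

Added example, not from the original thread or from Shorewall. It parses the
ACTION/SOURCE/DEST/PROTO/DEST PORT(S) columns described in the rules-file
header and reports which zone pairs have a rule for a given protocol/port.
"""

# Constructed sample: the rules quoted in the thread, template comments omitted.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST
ACCEPT net fw udp 53,631 -
ACCEPT net fw tcp 80,443,53,22,20,21,25,109,110,143,631 -
ACCEPT masq fw udp 53,631 -
ACCEPT masq fw tcp 80,443,53,22,20,21,25,109,110,143,631 -
ACCEPT loc fw udp 53,631 -
ACCEPT loc fw tcp 80,443,53,22,20,21,25,109,110,143,631 -
ACCEPT masq fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT masq fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw masq tcp 631,137,138,139 -
ACCEPT fw masq udp 631,137,138,139 -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Assumed subset of /etc/services: just enough to resolve the names above.
SERVICES = {
    "domain": 53, "bootps": 67, "http": 80, "www": 80, "https": 443,
    "smtp": 25, "pop3": 110, "imap": 143, "nntp": 119, "ntp": 123, "ssh": 22,
}


def _zone(field, action):
    """Strip ':qualifier' from a zone column; $FW and REDIRECT targets mean the firewall."""
    if action == "REDIRECT":          # DEST column holds only a firewall port
        return "fw"
    zone = field.split(":", 1)[0]
    return "fw" if zone == "$FW" else zone


def parse_rules(text):
    """Parse rule lines into dicts; comment and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 columns: {raw!r}")
        action = fields[0].split(":", 1)[0].upper()   # drop ':loglevel'
        rules.append({
            "line": lineno,
            "action": action,
            "src": _zone(fields[1], None),
            "dst": _zone(fields[2], action),
            "proto": fields[3].lower(),
            "dports": fields[4] if len(fields) > 4 else "-",
            "sports": fields[5] if len(fields) > 5 else "-",
        })
    return rules


def port_matches(spec, port):
    """True if port is in a comma-separated list of names, numbers or low:high ranges."""
    if spec == "-":
        return True                   # column left empty: any port
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif item.isdigit():
            if int(item) == port:
                return True
        else:
            if item not in SERVICES:
                raise ValueError(f"unknown service name {item!r}")
            if SERVICES[item] == port:
                return True
    return False


def first_match(rules, src, dst, proto, port):
    """Return the first rule that applies to a connection request src->dst, or None."""
    for r in rules:
        if r["src"] != src or r["dst"] != dst:
            continue
        if r["proto"] not in (proto, "all"):
            continue
        if r["proto"] != "all" and not port_matches(r["dports"], port):
            continue
        return r
    return None


def coverage(rules, flows):
    """Map each (src, dst, proto, port) flow to its matching ACTION or 'no rule'."""
    result = {}
    for flow in flows:
        m = first_match(rules, *flow)
        result[flow] = m["action"] if m else "no rule"
    return result


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    flows = [("loc", "fw", "tcp", 25), ("loc", "net", "tcp", 25),
             ("net", "loc", "tcp", 110), ("masq", "fw", "tcp", 110)]
    for flow, verdict in coverage(rules, flows).items():
        print(f"{flow[0]:>5} -> {flow[1]:<5} {flow[2]}/{flow[3]:<4} {verdict}")
```

Run as a script it prints one verdict per flow; on the constructed rules it shows that every ACCEPT line has the firewall itself (`fw`) as source or destination, and that flows between `loc` and `net` on the mail ports hit no rule at all, which is the kind of gap worth looking at before adding rules. The checker only models connection requests, as the rules file itself does; responses are handled by connection tracking and do not need rules here.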
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale