Gordon Rowell
Fri, 24 Aug 2001 21:31:53 -0700
On Sat, Aug 25, 2001 at 03:02:11AM +0200, Brossin Pierrick <[EMAIL PROTECTED]> wrote:
> Hey gurus !
>
> I'm trying to close the port 95 on eth1 (external network)
> so users from the internet can't get connected to it.
Ports 0..1023 are closed by default in server-gateway mode.
> Here is what I did and it actually didn't work :(
>
> mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
> cp -rf /etc/e-smith/templates/etc/rc.d/init.d/masq /etc/e-smith/templates-custom/etc/rc.d/init.d
You no longer need to do this (since e-smith 4.1). You only need to
copy the fragment you want to modify. In this case, you want to add one,
so you only have to create the directory and the new fragment.
See www.e-smith.org/custom - it has been updated to reflect these
changes to the template system.
> vi 45DenyPort95
> I wrote "/sbin/ipchains -A input -p tcp -s $OUTERNET 95 -d 0/0 -j denylog"
> I saved it
> then /sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/db set DebugTemplateExpansion enabled
And then run expand-template again. This will help you see if you made
a typo somewhere - it will show you each file selected by the template
processing code.
> then service masq restart.
The "service" command is not guaranteed to work. It is better to use
the rc7.d scripts directly as they check the configuration database to
see whether the relevant service has been configured to run or stop.
Even better in this case
/sbin/e-smith/signal-event remoteaccess-update
which will expand the templates and restart services as required.
> But it's still accessible...
>
> Any idea ?
Are you by any chance running in server-only mode? (Unlikely since
you have an external interface).
If so, please read Section 5.9.2 of the manual:
http://www.e-smith.org/docs/manual/4.1/operationmode.html
DO NOT run in server-only mode on a public network. It is designed
for use on a local network, behind a firewall. We have reworded the
console screen for 5.0 to make this more obvious:
[...]
Server-only mode provides services to a local, protected network. If
you choose this mode and Internet access is required, the network must
be protected by another March Networks SME Server configured in server
and gateway mode (or another firewall).
[...]
Thanks,
Gordon
--
Gordon Rowell [EMAIL PROTECTED]
VP Engineering
Network Server Solutions Group http://www.e-smith.com
Mitel Networks Corporation http://www.mitel.com
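The procedure from the reply (a single new fragment, expansion with debugging on, then the remoteaccess-update event) as one script; this is an added example, not code from the thread or from e-smith. It assumes the paths and commands exactly as named in the message, that $OUTERNET and the denylog chain mean what the quoted rule uses them for, and it puts the port on the destination side, since the goal is to block connections to port 95; without --apply it only writes the fragment under TEMPLATE_ROOT.

```shell
#!/bin/sh
# Added example: apply a custom "masq" template fragment the way the reply
# recommends (new fragment only, debug expansion, signal-event). Not code
# from the thread or from e-smith; paths and commands are assumed to be
# exactly those named in the message.
# TEMPLATE_ROOT may be pointed at a scratch directory for a dry run.
TEMPLATE_ROOT="${TEMPLATE_ROOT:-/etc/e-smith/templates-custom}"
FRAGMENT_NAME="45DenyPort95"

fragment_path() {
    printf '%s\n' "$TEMPLATE_ROOT/etc/rc.d/init.d/masq/$FRAGMENT_NAME"
}

# Since e-smith 4.1 only the new fragment is needed, not a copy of the
# whole template directory. The port goes on the destination side: the aim
# is to block connections *to* port 95, and the quoted rule matched source
# port 95 instead. $OUTERNET (assumed, as in the quoted rule, to name the
# external network) and the denylog chain are kept literal with single
# quotes so the assembled masq script sees them unchanged.
write_fragment() {
    path="$(fragment_path)"
    mkdir -p "$(dirname "$path")" || return 1
    printf '%s\n' \
        '# deny and log inbound TCP to port 95 from the external network' \
        '/sbin/ipchains -A input -p tcp -s $OUTERNET -d 0/0 95 -j denylog' \
        > "$path"
}

# The rule line as written, for checking the fragment before expanding it.
fragment_rule() {
    grep '^/sbin/ipchains' "$(fragment_path)"
}

# Expand with debugging on (lists every file the template code selects, so
# a mistyped path shows up), then let the event restart what is needed
# instead of calling "service masq restart".
apply_fragment() {
    /sbin/e-smith/db set DebugTemplateExpansion enabled &&
    /sbin/e-smith/expand-template /etc/rc.d/init.d/masq &&
    /sbin/e-smith/signal-event remoteaccess-update
}

# Only touch the live system when asked to; a plain run is a dry run.
if [ "${1:-}" = "--apply" ]; then
    write_fragment && apply_fragment
fi
```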