In the wise words of Renaud Chaillat:

> On Tuesday 17 April 2001 10:11, you wrote:
> > On Sunday 15 April 2001 00:16, you wrote:
> > > I showed Mandrake Security to my Boss and he loved it. He wants to look
> > > into installing it at our clients networks around the region. We would
> > > need to administer it from our main office.
> > >
> > > Which file would I need to modify to enter an IP address that's allowed
> > > to manage Mandrake Firewall from an external IP address?
> > >
> > > We need to be able to manage the system from over the internet but want
> > > to set it to only respond to a specific IP address.
> >
> >    Hi,
> >
> > You need to open the port 8443 in "Internet Traffic" to allow
> > the connection to your firewall from the outside.
> >
> > You can then connect using
> > https://external_IP:8443/
> 
> And I should have read your mail more thoroughly...
> 
> You need to look at /etc/bastille-firewall.conf and 
> /etc/init.d/bastille-firewall, and adapt it to specify a 
> source IP to the rule allowing incoming public traffic 
> (see the TCP_PUBLIC_SERVICES variable and the rule 
> using it).
> 
> You could even add this feature to the web frontend with a little more 
> work, tell us if you're interested (the developer documentation is not 
> finished yet, but we can help you: all that is required is a few lines of 
> xml).
> 
> The frontend writes in the variable TCP_PUBLIC_SERVICES in the naat tool 
> configuration file (/var/lib/naat/configuration). This variable lists the 
> allowed ports with the format: port1 (forward=xxx action=allow), port2 
> (forward=... action=...), and so on.
> For instance: ftp (forward=192.168.1.42 action=allow), 8443 (forward=--- 
> action=allow)
> The TCP_PUBLIC_SERVICES variable in /etc/bastille-firewall.conf lists 
> only the ports (extracted from above). You can look at the template 
> /usr/share/naat/templates/etc/bastille-firewall.conf
> 
> We could add a "from" parameter to restrict to a specific source IP:
> 8443 (forward=--- action=allow from=xxx.xxx.xxx.xxx)
> and adapt the template to bastille-firewall.conf and the bastille-firewall 
> init script to use this "from" parameter.
> 

I really think this should probably be a "custom rule" in the Bastille firewall.
They're looking to allow access from only one IP, not every IP.

  - Jay
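To make the quoted format concrete, here is an added example (not code from this thread, nor from naat or Bastille) that parses the `TCP_PUBLIC_SERVICES` value in the `port1 (forward=xxx action=allow), port2 (...)` form described above, accepts the proposed `from=` source-IP parameter, and derives the port-only list that the `bastille-firewall.conf` template extracts. Assumptions, which the thread does not state: the port-only list keeps just `action=allow` entries, `forward=---` means "no forwarding", and the `from` value must be a single IPv4 address (it is rejected otherwise, so a typo cannot silently open the management port to every source).

```python
import re

# Constructed sample of the naat configuration variable, in the format
# described in the thread, with the proposed "from" parameter on port 8443.
SAMPLE_TCP_PUBLIC_SERVICES = (
    "ftp (forward=192.168.1.42 action=allow), "
    "8443 (forward=--- action=allow from=203.0.113.7)"
)

# One entry looks like:  <service-or-port> (key=value key=value ...)
ENTRY_RE = re.compile(r"^\s*(?P<service>\S+)\s*\((?P<opts>[^)]*)\)\s*$")


def _is_ipv4(text):
    """True only for a plain dotted-quad IPv4 address with octets 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def parse_tcp_public_services(value):
    """Parse the comma-separated naat entries into a list of dicts.

    Each dict has keys: service, forward, action, from (None when absent).
    Malformed entries or a non-IPv4 'from' value raise ValueError.
    """
    entries = []
    for chunk in value.split(","):
        chunk = chunk.strip()
        if not chunk:
            continue
        match = ENTRY_RE.match(chunk)
        if not match:
            raise ValueError("malformed entry: %r" % chunk)
        opts = {}
        for token in match.group("opts").split():
            if "=" not in token:
                raise ValueError("option without '=': %r" % token)
            key, val = token.split("=", 1)
            opts[key] = val
        entry = {
            "service": match.group("service"),
            "forward": opts.get("forward", "---"),   # assumption: --- = no forward
            "action": opts.get("action", "allow"),
            "from": opts.get("from"),                 # proposed parameter
        }
        if entry["from"] is not None and not _is_ipv4(entry["from"]):
            raise ValueError("'from' must be an IPv4 address: %r" % entry["from"])
        entries.append(entry)
    return entries


def bastille_port_list(entries):
    """Port-only list as the bastille-firewall.conf template extracts it.

    Assumption: only action=allow entries belong in TCP_PUBLIC_SERVICES.
    """
    return " ".join(e["service"] for e in entries if e["action"] == "allow")


def source_restrictions(entries):
    """Map service -> allowed source IP for entries carrying 'from'.

    The init script rule for these ports would match on this source as well
    as the destination port; ports without an entry stay open to any source.
    """
    return {e["service"]: e["from"] for e in entries if e["from"]}


def render_tcp_public_services(entries):
    """Write the entries back in the naat configuration format."""
    rendered = []
    for e in entries:
        opts = "forward=%s action=%s" % (e["forward"], e["action"])
        if e["from"]:
            opts += " from=%s" % e["from"]
        rendered.append("%s (%s)" % (e["service"], opts))
    return ", ".join(rendered)


if __name__ == "__main__":
    parsed = parse_tcp_public_services(SAMPLE_TCP_PUBLIC_SERVICES)
    print("TCP_PUBLIC_SERVICES=\"%s\"" % bastille_port_list(parsed))
    print("source restrictions:", source_restrictions(parsed))
    print("round trip:", render_tcp_public_services(parsed))
```

The round-trip renderer is there so a frontend change of the kind Renaud describes could rewrite `/var/lib/naat/configuration` without losing entries it does not understand how to edit; the template and init script would then consume `bastille_port_list` and `source_restrictions` respectively.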
