I changed the TCP_PUBLIC_SERVICES to ='8443' and the ipchains rule from
"0.0.0.0/0" to "external ip address/32"

My boss tried it and the browser timed out. I haven't had a chance to
look at the messages file yet, but do you have any ideas?

Thanks,
Steve


-----Original Message-----
From: Renaud Chaillat [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 17, 2001 4:58 AM
To: [EMAIL PROTECTED]
Subject: Re: [Cooker-firewall] Administering from and External Address


On Tuesday 17 April 2001 10:11, you wrote:
> On Sunday 15 April 2001 00:16, you wrote:
> > I showed Mandrake Security to my Boss and he loved it. He wants to look
> > into installing it at our clients networks around the region. We would
> > need to administer it from our main office.
> >
> > Which file would I need to modify to enter an IP address that's allowed
> > to manage Mandrake Firewall from an external IP address?
> >
> > We need to be able to manage the system from over the internet but want
> > to set it to only respond to a specific IP address.
>
>    Hi,
>
> You need to open the port 8443 in "Internet Traffic" to allow
> the connection to your firewall from the outside.
>
> You can then connect using
> https://external_IP:8443/

And I should have read your mail more thoroughly...

You need to look at /etc/bastille-firewall.conf and 
/etc/init.d/bastille-firewall, and adapt it to specify a 
source IP to the rule allowing incoming public traffic 
(see the TCP_PUBLIC_SERVICES variable and the rule 
using it).

You could even add this feature to the web frontend with a little more 
work, tell us if you're interested (the developer documentation is not 
finished yet, but we can help you: all that is required is a few lines of 
xml).

The frontend writes in the variable TCP_PUBLIC_SERVICES in the naat tool 
configuration file (/var/lib/naat/configuration). This variable lists the 
allowed ports with the format: port1 (forward=xxx action=allow), port2 
(forward=... action=...), and so on.
For instance: ftp (forward=192.168.1.42 action=allow), 8443 (forward=--- 
action=allow)
The TCP_PUBLIC_SERVICES variable in /etc/bastille-firewall.conf lists 
only the ports (extracted from above). You can look at the template 
/usr/share/naat/templates/etc/bastille-firewall.conf

We could add a "from" parameter to restrict to a specific source IP:
8443 (forward=--- action=allow from=xxx.xxx.xxx.xxx)
and adapt the template to bastille-firewall.conf and the bastille-firewall 
init script to use this "from" parameter.

Hope this helps. Tell us if you need any more information.
Regards,
Renaud
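
The naat variable format and the proposed "from" parameter described above, as an added example that is not part of the thread or of naat/bastille-firewall: it parses the TCP_PUBLIC_SERVICES value, extracts the ports-only list that the bastille-firewall.conf template would carry, and generates per-port ipchains accept rules whose source is a /32 when "from" is set and 0.0.0.0/0 otherwise. The sample value, the from= parameter and the exact rule form (`-s SRC -d 0.0.0.0/0 PORT`) are assumptions; check them against the real init script before relying on them. The would_accept() helper answers the question behind the timeout in the thread: whether a given client address would pass the generated rule at all.

```python
import re
import ipaddress

# Constructed sample in the format described in the thread. The from= parameter
# is the proposed extension, not an existing naat feature.
SAMPLE = ("ftp (forward=192.168.1.42 action=allow), "
          "8443 (forward=--- action=allow from=203.0.113.10)")

ENTRY_RE = re.compile(r"\s*(\S+)\s*\(([^)]*)\)\s*")

def parse_public_services(value):
    """Parse 'port (k=v k=v), port (...)' into a list of dicts (port plus params)."""
    if not value.strip():
        return []
    services = []
    for chunk in value.split(","):
        m = ENTRY_RE.fullmatch(chunk)
        if not m:
            raise ValueError(f"malformed entry: {chunk!r}")
        params = dict(p.split("=", 1) for p in m.group(2).split())
        services.append({"port": m.group(1), **params})
    return services

def bastille_ports(services):
    """What the template extracts into /etc/bastille-firewall.conf: ports only."""
    return " ".join(s["port"] for s in services)

def source_for(service):
    """Source spec for the rule: a /32 if 'from' is set, otherwise any source."""
    src = service.get("from")
    if src is None:
        return "0.0.0.0/0"
    return f"{ipaddress.IPv4Address(src)}/32"   # raises on a malformed address

def ipchains_rules(services):
    """One accept rule per allowed service (assumed ipchains rule form)."""
    return [f"ipchains -A input -p tcp -s {source_for(s)} -d 0.0.0.0/0 "
            f"{s['port']} -j ACCEPT"
            for s in services if s.get("action") == "allow"]

def would_accept(services, port, client_ip):
    """True if a TCP connection from client_ip to port matches an accept rule."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in ipaddress.IPv4Network(source_for(s))
               for s in services
               if s["port"] == str(port) and s.get("action") == "allow")
```

A client that is not inside the /32 gets no accept rule, so the connection is silently dropped and the browser times out rather than being refused.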

