[EMAIL PROTECTED] wrote:
>
> On Fri, 29 Jun 2001, Lan Barnes wrote:
>
> > I am new to the list, and have a question I am sure must be in an archive
> > or FAQ. Without going into too much detail, I want to poke a hole in my LRP
> > firewall so that I can ssh directly through the firewall into an internal
> > server.
> >
> > I'm still using an LRP version that uses ipfwadm. I'd be happy to upgrade
> > if that makes it easier, but would like to stay on my present firewall HW
> > (486SX w/ 16 Meg Ram, /dev/fd0 and no HD).
>
> Not required.
>
> > I'd be grateful if someone could point me to the right reading -- HOWTOs,
> > FAQs, or even chapters in O'Reilly books. Also if upgrading is needed, I
> > would be grateful for the URL(s) of the appropriate idiot images and
> > modules.
>
> http://lrp.c0wz.com/dox/portfw.txt
After a weekend of experimentation, I'm asking for guidance again. The
port forwarding doc at c0wz.com made me full of hope. I added the
following to my IP rules for boot up (tried these at the command line
first, of course):

    ipportfw -A -t 24.25.197.34/22 -R 192.168.100.3/22

My test is to try to log on across the web by dialing out on the phone
to a dial-up ISP and executing "ssh 24.25.197.34" at the command
prompt. This laptop can ssh to the server fine when on the internal
LAN.

I thought perhaps I needed to prevent the port 22 packets from being
summarily rejected by ipfwadm, so I tried commenting out:

    ipfwadm -F -p deny

... but that didn't help. I returned the default deny line and
superstitiously added:

    ipfwadm -F -a accept -P tcp -S 0.0.0.0/0 -D 192.168.100.3/24 22

Still no go. I think it's time to ask again.
When I telnet to the firewall and spill what its rules are I get:

    pancho# ipfwadm -Al
    IP accounting rules
    pancho# ipfwadm -Ol
    IP firewall output rules, default policy: accept
    pancho# ipfwadm -Il
    IP firewall input rules, default policy: accept
    type  prot source               destination ports
    deny  all  pancho.falleagle.net anywhere    n/a
    deny  all  localnet/8           anywhere    n/a
    pancho# ipfwadm -Ml
    IP masquerading entries
    prot expire   source              destination                        ports
    tcp  13:13.99 linus.falleagle.net dyn25-pool1.sndg-pm4-1.nethere.net ssh (22) -> 1083
    pancho# ipfwadm -Fl
    IP firewall forward rules, default policy: deny
    type  prot source      destination ports
    acc   tcp  anywhere    prom-net/24 any -> ssh
    acc/m all  prom-net/24 anywhere    n/a
    pancho# ipportfw -L
    Prot Local Addr/Port > Remote Addr/Port
    TCP  24.25.197.34/22 > 192.168.100.3/22
I hope that's enough data for someone more experienced to make
sense of what I'm trying to do, and what I'm omitting or doing
wrong.
TIA,
--
Lan Barnes [EMAIL PROTECTED]
Icon Consulting, Inc 858-273-6677
The Internet interprets censorship as damage and
routes around it.
- John Gilmore
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
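One check a reader of the listing above might want, as an added example that is not part of the original post and not code from LRP/LEAF: a small Python parser for the `ipportfw -L` and `ipfwadm -Fl` listings as printed, which asks whether each port-forward target would be accepted by the forward chain (first matching rule wins, otherwise the chain's default policy). The name table (prom-net as 192.168.100.0/24, anywhere as 0.0.0.0/0, ssh as 22) and the external client address 198.51.100.7 are assumptions; ipfwadm prints names from the firewall's own hosts/networks/services files, which the post does not show. The first two listings are the ones in the post; the third is a constructed variant without the accept rule, to show the default-deny path.

```python
"""Check LRP ipportfw targets against the ipfwadm forward chain.

Added example; not from the original post or the LEAF project.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Listing from the post: `ipportfw -L`
PORTFW_OUTPUT = """\
Prot Local Addr/Port > Remote Addr/Port
TCP 24.25.197.34/22 > 192.168.100.3/22
"""

# Listing from the post: `ipfwadm -Fl`
FORWARD_OUTPUT = """\
IP firewall forward rules, default policy: deny
type prot source destination ports
acc tcp anywhere prom-net/24 any -> ssh
acc/m all prom-net/24 anywhere n/a
"""

# Constructed variant: same chain with only the masquerade rule.
FORWARD_NO_ACCEPT = """\
IP firewall forward rules, default policy: deny
type prot source destination ports
acc/m all prom-net/24 anywhere n/a
"""

# Assumed name resolution for the names ipfwadm printed in the post.
NAMES = {"anywhere": "0.0.0.0/0", "prom-net": "192.168.100.0"}
SERVICES = {"ssh": 22, "telnet": 23}


def to_network(token: str) -> ipaddress.IPv4Network:
    """'anywhere', 'prom-net/24', '192.168.100.3/24' -> IPv4Network."""
    name, _, bits = token.partition("/")
    name = NAMES.get(name, name)
    if "/" in name:  # 'anywhere' already carries its own prefix
        return ipaddress.IPv4Network(name)
    return ipaddress.IPv4Network(f"{name}/{bits or 32}", strict=False)


def to_port(token: str) -> Optional[int]:
    """'ssh' -> 22, '22' -> 22; 'any' and 'n/a' are wildcards (None)."""
    if token in ("any", "n/a"):
        return None
    return SERVICES.get(token) or int(token)


@dataclass
class ForwardRule:
    action: str                 # 'acc', 'acc/m', 'deny', 'rej'
    proto: str                  # 'tcp', 'udp', 'icmp' or 'all'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port

    def matches(self, proto, src_ip, dst_ip, dport) -> bool:
        return (self.proto in ("all", proto)
                and src_ip in self.src and dst_ip in self.dst
                and (self.dport is None or self.dport == dport))


def parse_forward(listing: str):
    """`ipfwadm -Fl` text -> (default_policy, [ForwardRule])."""
    rows = [line.split() for line in listing.strip().splitlines()]
    policy = rows[0][-1]                      # '... default policy: deny'
    rules = []
    for f in rows[2:]:                        # skip banner and header row
        # ports column is 'n/a' or 'SRCPORTS -> DSTPORTS' (e.g. 'any -> ssh')
        dport = to_port(f[-1]) if f[4] != "n/a" else None
        rules.append(ForwardRule(f[0], f[1], to_network(f[2]),
                                 to_network(f[3]), dport))
    return policy, rules


def parse_portfw(listing: str):
    """`ipportfw -L` text -> [(proto, local_ip, lport, remote_ip, rport)]."""
    out = []
    for line in listing.strip().splitlines()[1:]:
        proto, local, _, remote = line.split()
        lip, lport = local.split("/")
        rip, rport = remote.split("/")
        out.append((proto.lower(), ipaddress.IPv4Address(lip), int(lport),
                    ipaddress.IPv4Address(rip), int(rport)))
    return out


def forward_verdict(policy, rules, proto, src_ip, dst_ip, dport) -> str:
    """First matching rule decides; otherwise the chain's default policy."""
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return policy


def check(portfw_listing: str, forward_listing: str,
          client_ip: str = "198.51.100.7") -> dict:
    """Map each port-forward target to the forward chain's verdict.

    client_ip (assumed, documentation range) stands for the dial-up peer.
    """
    policy, rules = parse_forward(forward_listing)
    client = ipaddress.IPv4Address(client_ip)
    verdicts = {}
    for proto, _lip, _lport, rip, rport in parse_portfw(portfw_listing):
        verdicts[f"{rip}:{rport}/{proto}"] = forward_verdict(
            policy, rules, proto, client, rip, rport)
    return verdicts


if __name__ == "__main__":
    print(check(PORTFW_OUTPUT, FORWARD_OUTPUT))
```

For the post's own listing the check reports `acc` for 192.168.100.3:22/tcp, so the forward chain is not what blocks the rewritten packets; the constructed listing without the accept rule falls through to the chain's `deny`. The check covers only the forward chain and the names it was given; it says nothing about the input chain, the masquerade return path or what the firewall itself listens on.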