hi, I have a powerpc machine on which I just installed Debian (this machine is the only one with a modem). I have configured it for IP masquerading. However, I have a need to mount an NFS share from another machine in the private network on the powerpc; this of course requires running the portmapper, which happily opens up half a dozen different ports. What I would like to do is block connections from ppp0 to these ports.

I have been reading various firewall and ipchains howtos (along with an OpenBSD document) and I found a trick in the OpenBSD ipfw howto where you can deny all tcp packets with the SYN flag set. This only denies incoming connections to a port (someone trying to telnet in); however, I found you cannot block all ports in this way without breaking ftp, irc and several other things. And only blocking privileged ports from device ppp0 seems to be causing some sort of problem when connecting, as the kernel starts logging all kinds of DENY messages triggered by the last failsafe DENY rule set up for ipmasq.

Is there any way I can set this up so I can mount nfs shares without opening all the portmapper crud to the whole world?

What I tried was adding 3 new rules to the very beginning of the input chain:

    ipchains -I input 1 -p tcp -i ppp0 -d 0.0.0.0/0 53 -j ACCEPT
    ipchains -I input 2 -p tcp -i ppp0 -d 0.0.0.0/0 113 -j ACCEPT
    ipchains -I input 3 -l -p tcp -y -i ppp0 -d 0.0.0.0/0 :1023 -j REJECT

Any suggestions?

-- 
Ethan Benson
To obtain my PGP key: http://www.alaska.net/~erbenson/pgp/
