
Ashley M. Kirchner wrote:

>     Using TrinityOS firewall script version 3.70.  I have the
> following set in these sections (lines wrapped for legibility):
> 
> #--------------------------------------------------------------------
> # Explicit INPUT Access from external LAN Hosts
> #--------------------------------------------------------------------
> # The secure host
> #
> echo "     * Allowing $SECUREHOST INPUT for ftp/-data, ssh, and shell"
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
>     -d $EXTIP ftp
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
>     -d $EXTIP ftp-data
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
>     -d $EXTIP ssh
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST \
>     -d $EXTIP shell
> 
> 
> #--------------------------------------------------------------------
> # Output to Explicit Hosts
> #--------------------------------------------------------------------
> echo "   * Allowing $SECUREHOST OUTPUT for ftp/-data, ssh, and shell"
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp      \
>     -d $SECUREHOST $UNPRIVPORTS
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ftp-data \
>     -d $SECUREHOST $UNPRIVPORTS
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP ssh      \
>     -d $SECUREHOST $UNPRIVPORTS
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -s $EXTIP shell    \
>     -d $SECUREHOST $UNPRIVPORTS
> 
>     Let's see what ipchains -L tells me:
> 
> ACCEPT tcp ------ mail.pcraft.com  yeehaw.csd.net   any ->   shell
> ACCEPT tcp ------ yeehaw.csd.net   mail.pcraft.com  shell -> 1024:65535

this looks wrong: why accept incoming packets from any port but only
accept outgoing packets to unprivileged ports? if a packet comes in
from a privileged port the reply packet won't be accepted (that's what
happened below).

>     ...so, theoretically, it should work, right?  Well, FTP and SSH both
> work.  But, when I try a shell command (such as 'rcp'), I get the
> following in my logs:
> 
>     Sep  5 01:50:00 celerity kernel: Packet log: output REJECT ppp0 \
>         PROTO=6 204.151.43.203:1023 206.168.220.51:514 L=60 S=0x00  \
>         I=13684 F=0x0000 T=64 SYN (#98)
> 
>     ...and it repeats 4...5 times.
> 
>     Now, before you tell me to check permissions and stuff on the
> $SECUREHOST, I already went through that.  There's another machine with
> the identical setup, and it works.  So, why is this one not working?

the rejected packet is from port 1023 (privileged) to port 514.
these rules only allow outgoing packets from unprivileged ports
(1024:65535). either change the rules to match the protocol or
(preferable) stop using rsh and use ssh exclusively.

the reason it could have worked on other systems is that the source
port just happened to be unprivileged when you tried it.

raf
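To make the asymmetry raf describes concrete, below is an added model (not code from the post, from raf, or from TrinityOS) of how a stateless chain matches the eight quoted rules, first match wins. It evaluates the logged packet against the output chain, walks a complete request/reply for ssh and for rsh from a privileged client port, and runs a mirror check that flags input ACCEPT rules whose reverse direction is only partly covered by an output rule. Assumptions: the two addresses from the logged REJECT stand in for $EXTIP and $SECUREHOST, unmatched packets fall to a REJECT policy (the log shows REJECT, so either the policy or a trailing catch-all rejects), and the service names resolve to their standard TCP ports.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed values. Using the logged addresses as $EXTIP / $SECUREHOST and
# REJECT as the chain policy are assumptions, not facts stated in the post.
EXTIP = "204.151.43.203"
SECUREHOST = "206.168.220.51"
ANY = (1, 65535)              # ipchains rule with no port given matches any port
UNPRIVPORTS = (1024, 65535)   # $UNPRIVPORTS as used in the quoted rules
SERVICES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "shell": 514}
POLICY = "REJECT"


@dataclass(frozen=True)
class Rule:
    chain: str                  # "input" or "output"
    src: str
    sports: Tuple[int, int]     # inclusive source port range
    dst: str
    dports: Tuple[int, int]     # inclusive destination port range
    target: str = "ACCEPT"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def port(name: str) -> Tuple[int, int]:
    """Single-port range for a named service."""
    return (SERVICES[name], SERVICES[name])


def trinityos_rules() -> List[Rule]:
    """The eight quoted rules: input from $SECUREHOST (any source port) to a
    service on $EXTIP; output from that service port on $EXTIP back to
    $UNPRIVPORTS on $SECUREHOST."""
    rules = []
    for svc in SERVICES:
        rules.append(Rule("input", SECUREHOST, ANY, EXTIP, port(svc)))
        rules.append(Rule("output", EXTIP, port(svc), SECUREHOST, UNPRIVPORTS))
    return rules


def in_range(p: int, r: Tuple[int, int]) -> bool:
    return r[0] <= p <= r[1]


def verdict(rules: List[Rule], chain: str, pkt: Packet) -> str:
    """First matching rule in the chain decides; otherwise the chain policy."""
    for r in rules:
        if (r.chain == chain and r.src == pkt.src and r.dst == pkt.dst
                and in_range(pkt.sport, r.sports) and in_range(pkt.dport, r.dports)):
            return r.target
    return POLICY


def conversation(rules: List[Rule], client_sport: int, service: str) -> Tuple[str, str]:
    """$SECUREHOST connects to a service on $EXTIP from client_sport.
    Returns (input verdict for the SYN, output verdict for the reply)."""
    syn = Packet(SECUREHOST, client_sport, EXTIP, SERVICES[service])
    reply = Packet(EXTIP, SERVICES[service], SECUREHOST, client_sport)
    return verdict(rules, "input", syn), verdict(rules, "output", reply)


def mirror_gaps(rules: List[Rule]) -> List[Tuple[int, Tuple[int, int], Tuple[int, int]]]:
    """Input ACCEPT rules whose mirrored output rule answers a narrower set of
    client ports than the input rule admits. Each entry is
    (service port, source ports accepted inbound, destination ports allowed outbound)."""
    gaps = []
    for i in rules:
        if i.chain != "input" or i.target != "ACCEPT":
            continue
        for o in rules:
            if (o.chain == "output" and o.target == "ACCEPT"
                    and o.src == i.dst and o.dst == i.src and o.sports == i.dports
                    and o.dports != i.sports):
                gaps.append((i.dports[0], i.sports, o.dports))
    return gaps


if __name__ == "__main__":
    rules = trinityos_rules()
    # The packet from the log: firewall port 1023 -> $SECUREHOST port 514, output chain.
    logged = Packet(EXTIP, 1023, SECUREHOST, SERVICES["shell"])
    print("logged packet, output chain:", verdict(rules, "output", logged))
    print("ssh from port 40000:", conversation(rules, 40000, "ssh"))
    print("rsh from port 1023 :", conversation(rules, 1023, "shell"))
    for dport, accepted_in, allowed_out in mirror_gaps(rules):
        print(f"port {dport}: input admits client ports {accepted_in}, "
              f"output only answers {allowed_out}")
```

Running it shows the logged SYN falling through the output chain to the policy, the ssh exchange passing in both directions, the rsh exchange accepted inbound but rejected on the reply because 1023 is below $UNPRIVPORTS, and the mirror check reporting the same gap for all four services. The same check applies to any stateless rule set: every inbound ACCEPT should have an outbound rule whose destination port range matches the client ports the inbound rule actually admits.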

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
