On Tue, 5 Sep 2000, raf wrote:

: > ACCEPT tcp ------ mail.pcraft.com  yeehaw.csd.net   any ->   shell
: > ACCEPT tcp ------ yeehaw.csd.net   mail.pcraft.com  shell -> 1024:65535
: 
: this looks wrong: why accept incoming packets from any port but only
: accept outgoing packets to unprivileged ports? if a packet comes in

        This was changed two minutes after I had sent my message out to
be 'any -> shell' and 'shell -> any'; it still did the same thing: refuse
from both ends.

: the rejected packet is from port 1023 (privileged) to port 514.
: these rules only allow outgoing packets from unprivileged ports
: (1024:65535). either change the rules to match the protocol or
: (preferable) stop using rsh and use ssh exclusively.
: 
: the reason it could have worked on other systems is that the source
: port just happened to be unprivileged when you tried it.

        I checked on the other systems as well, and the ports are the
same, meaning 1023 and 514.  Both machines are contacting the same main
server, and both of them are issuing the same exact command (rcp a local
file to the remote server). The ipchains rules are identical on both
machines.  Heck, even the OSes are the same.

        This baffles me.

        AMK4

--
W | Unix -is- user  friendly.   It's  just very selective about who its
  | friends are.  And sometimes even best friends have fights.
  |____________________________________________________________________
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  Ashley M. Kirchner <[EMAIL PROTECTED]>          .   303.442.6410 x130
  SysAdmin / Websmith                           .     800.441.3873 x130
  Photo Craft Laboratories, Inc.             .        3550 Arapahoe Ave
  http://www.pcraft.com                  .            Boulder, CO 80303
  .................. .  .  .     .
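
Added example, not part of the original post or of ipchains itself: a small first-match evaluator for the two rule lines quoted above, run against a constructed rcp exchange whose client source port is 1023 (rcmd-style clients bind a reserved port below 1024). The DENY default policy, the direction of the exchange and all helper names are assumptions.

```python
# Added illustration; the rule lines are copied from the listing quoted in the post.
SERVICES = {"shell": 514}  # 514/tcp, the rsh/rcp service

def ports(spec):
    """'any', a service name, a number or 'lo:hi' -> inclusive (lo, hi)."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo), int(hi))
    port = SERVICES.get(spec) or int(spec)
    return (port, port)

def parse_rule(line):
    """Fields: target proto flags source destination sports -> dports."""
    fields = line.split()
    if len(fields) != 8 or fields[6] != "->":
        raise ValueError("unrecognised rule line: " + line)
    target, proto, _flags, src, dst, sport, _arrow, dport = fields
    return {"target": target, "proto": proto, "src": src, "dst": dst,
            "sports": ports(sport), "dports": ports(dport)}

def verdict(rules, pkt, policy="DENY"):
    """First matching rule decides; policy (assumed DENY here) otherwise."""
    for r in rules:
        if ((r["proto"], r["src"], r["dst"]) == (pkt["proto"], pkt["src"], pkt["dst"])
                and r["sports"][0] <= pkt["sport"] <= r["sports"][1]
                and r["dports"][0] <= pkt["dport"] <= r["dports"][1]):
            return r["target"]
    return policy

ORIGINAL = ["ACCEPT tcp ------ mail.pcraft.com  yeehaw.csd.net   any ->   shell",
            "ACCEPT tcp ------ yeehaw.csd.net   mail.pcraft.com  shell -> 1024:65535"]
# The pair as described after the change: 'any -> shell' and 'shell -> any'.
CHANGED = [ORIGINAL[0],
           "ACCEPT tcp ------ yeehaw.csd.net   mail.pcraft.com  shell -> any"]

# Constructed packets: a request from source port 1023 to 514, and its reply.
REQUEST = {"proto": "tcp", "src": "mail.pcraft.com", "dst": "yeehaw.csd.net",
           "sport": 1023, "dport": 514}
REPLY = {"proto": "tcp", "src": "yeehaw.csd.net", "dst": "mail.pcraft.com",
         "sport": 514, "dport": 1023}

def check(rule_lines):
    """Return (request verdict, reply verdict) for one rule set."""
    rules = [parse_rule(line) for line in rule_lines]
    return verdict(rules, REQUEST), verdict(rules, REPLY)

if __name__ == "__main__":
    print("original:", check(ORIGINAL))  # ('ACCEPT', 'DENY')
    print("changed: ", check(CHANGED))   # ('ACCEPT', 'ACCEPT')
```

In this model the original pair accepts the request but not the reply addressed to port 1023, while the changed pair accepts both directions.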

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]