Hi Rich,

> To support Mac/Linux krb5 clients and to avoid timeouts, allow ports
> 88,389,636 for both UDP and TCP.

Thanks! We only tested it for MS-based machines, I will add those ports in the FAQ.

> The FORWARD chain defaults to DROP. So you need to duplicate the custom -A
> input-internal-vlan-if rules, or maybe define a new named chain that gets
> appended to both input-internal-vlan-if and FORWARD. I don't think we want
> all of input-internal-vlan-if chain allowed for FORWARD.
>
> Something like:
>
> -A input-internal-vlan-if --protocol udp -m multiport -d (dc) --dports 88,389,636,137,138 -j ACCEPT
> -A input-internal-vlan-if --protocol tcp -m multiport -d (dc) --dports 88,389,636,139,445 -j ACCEPT
>
> -A FORWARD -i eth1 -s (registration) -d (dc) -p udp -m multiport --dports 88,389,636,137,138 -j ACCEPT
> -A FORWARD -i eth1 -s (registration) -d (dc) -p tcp -m multiport --dports 88,389,636,139,445 -j ACCEPT
> -A FORWARD -i eth1 -s (isolation) -d (dc) -p udp -m multiport --dports 88,389,636,137,138 -j ACCEPT
> -A FORWARD -i eth1 -s (isolation) -d (dc) -p tcp -m multiport --dports 88,389,636,139,445 -j ACCEPT

I don't think it is necessary to add those in the FORWARD. There is the "accept any any RELATED, ESTABLISHED" line in there, we should be OK with it... Even for UDP. I think iptables is able to keep track of the UDP src/dst ip/port and recognize a response.

Thanks.

-- 
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
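The thread turns on what a FORWARD chain with policy DROP and an "accept RELATED,ESTABLISHED" rule does with the two halves of a forwarded UDP exchange. The following toy model, added here as an illustration and not code from the thread or from PacketFence, walks one Kerberos request (UDP/88) from a registration-VLAN host to a domain controller through such a chain, then the DC's reply, once with only the state rule and once with one of Rich's explicit FORWARD rules in front of the policy. The addresses, interface names and source port are constructed sample values; the conntrack model is simplified to a 5-tuple table, which is enough to show the NEW/ESTABLISHED distinction that Linux applies to UDP as well as TCP.

```python
"""Toy model of netfilter FORWARD-chain evaluation with connection tracking.
Added illustration for the mailing-list thread; not PacketFence code.
Addresses, interface names and ports below are constructed sample values."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on (-i)
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class Conntrack:
    """Flows are keyed by their 5-tuple. The first packet of a flow is NEW;
    a packet that belongs to a confirmed flow, in either direction, is
    ESTABLISHED. Linux tracks UDP the same way (with a timeout), which is why
    a reply to an accepted UDP request does match --state ESTABLISHED."""

    def __init__(self) -> None:
        self.flows: set = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def state(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        known = self._key(p) in self.flows or reverse in self.flows
        return "ESTABLISHED" if known else "NEW"

    def confirm(self, p: Packet) -> None:
        self.flows.add(self._key(p))


@dataclass(frozen=True)
class Rule:
    target: str                              # ACCEPT or DROP (-j)
    in_if: Optional[str] = None              # -i
    proto: Optional[str] = None              # -p
    src: Optional[str] = None                # -s (single host, for brevity)
    dst: Optional[str] = None                # -d
    dports: Optional[FrozenSet[int]] = None  # -m multiport --dports
    states: Optional[FrozenSet[str]] = None  # -m state --state

    def matches(self, p: Packet, state: str) -> bool:
        return all([
            self.in_if is None or self.in_if == p.in_if,
            self.proto is None or self.proto == p.proto,
            self.src is None or self.src == p.src,
            self.dst is None or self.dst == p.dst,
            self.dports is None or p.dport in self.dports,
            self.states is None or state in self.states,
        ])


class Chain:
    def __init__(self, rules: List[Rule], policy: str = "DROP") -> None:
        self.rules, self.policy = rules, policy

    def verdict(self, p: Packet, ct: Conntrack) -> str:
        state = ct.state(p)
        for r in self.rules:           # first matching rule wins
            if r.matches(p, state):
                return r.target
        return self.policy             # chain policy applies otherwise


DC, REG_HOST = "10.0.0.10", "10.0.1.50"   # constructed sample addresses
DC_UDP_PORTS = frozenset({88, 389, 636, 137, 138})

# The "accept any any RELATED,ESTABLISHED" rule on its own.
ESTABLISHED_ONLY = [Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"}))]
# The same, plus an explicit rule for registration-VLAN hosts talking to the DC.
WITH_DC_RULE = ESTABLISHED_ONLY + [
    Rule("ACCEPT", in_if="eth1", proto="udp", src=REG_HOST, dst=DC, dports=DC_UDP_PORTS),
]


def simulate_kerberos_exchange(forward_rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """Push a UDP/88 request from the registration host through FORWARD, then
    the DC's reply. Returns (request_verdict, reply_verdict); the reply
    verdict is None when the request never left the firewall."""
    ct = Conntrack()
    forward = Chain(forward_rules, policy="DROP")
    request = Packet("eth1", "udp", REG_HOST, 40000, DC, 88)
    v_req = forward.verdict(request, ct)
    if v_req != "ACCEPT":
        return v_req, None
    ct.confirm(request)        # conntrack entry is confirmed once the packet passes
    reply = Packet("eth0", "udp", DC, 88, REG_HOST, 40000)
    return v_req, forward.verdict(reply, ct)


if __name__ == "__main__":
    print(simulate_kerberos_exchange(ESTABLISHED_ONLY))  # ('DROP', None)
    print(simulate_kerberos_exchange(WITH_DC_RULE))      # ('ACCEPT', 'ACCEPT')
```

The state rule is what lets the DC's reply through, and it does so for UDP as well as TCP, which matches the point made in the reply. The packet whose fate depends on an explicit rule is the initial request, because it is NEW when it reaches the chain; in practice the deciding question is which chain that first packet traverses at all (INPUT for traffic addressed to the PacketFence host, FORWARD only for traffic routed through it), since rules in input-internal-vlan-if are not consulted for forwarded traffic.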
