Mark A. Olbert wrote:
> The external interface on my firewalled router has two IP addresses,
> 66.159.230.119 and 66.159.230.120. The secondary one (66.159.230.120)
> should only accept/forward connections on https (port 443). However,
> when I run a port checker on it (shieldsup, at www.grc.com
> <http://www.grc.com>) it shows ports 25 and 80 as being open as well.
>
> The relevant entries in the rules and files are:

I'm always amused when posters on this list claim to include the
"relevant" information. In 99% of such cases, if the poster understood
what was relevant to the problem being reported then he/she wouldn't
have the problem in the first place.

In your particular case, to be experiencing the problem that you are
describing, you must also have rules that either DNAT and/or ACCEPT
ports 25 and 80.

> rules
>
> DNAT net loc:192.168.1.200 tcp https - 66.159.230.120
>
> masq
>
> eth1 eth0:!192.168.1.20 66.159.230.119
> eth1 192.168.1.200 66.159.230.120

One of those two is incorrect -- you have .20 in the first rule and
.200 in the second. I suspect that the second is correct.

> What additional settings do I need to close off ports 25 and 80 on the
> secondary address?

You need to change those irrelevant rules that you didn't include in
your post to specify "!66.159.230.120" in the ORIGINAL DEST column.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
http://www.shorewall.net
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
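
Added example, not part of the original message and not Shorewall's own code: a small audit of a rules file showing why DNAT/ACCEPT rules with an empty ORIGINAL DEST column open their ports on every external address, and what adding the "!66.159.230.120" exclusion described above changes. The port 25 and 80 rules and the 192.168.1.10 target are constructed, since the post did not include them; the function names are hypothetical and ORIGINAL DEST values are assumed to be plain addresses.

```python
# Added example. Only the https rule comes from the post; the port 25 and 80
# rules (and 192.168.1.10) are constructed stand-ins for the omitted ones.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST               PROTO  DPORT  SPORT  ORIGDEST
DNAT     net     loc:192.168.1.10   tcp    25
DNAT     net     loc:192.168.1.10   tcp    80     -      -
DNAT     net     loc:192.168.1.200  tcp    https  -      66.159.230.120
"""
EXPOSING = ("DNAT", "ACCEPT")

def parse(line):
    """Return the first 7 columns of a rule line, or None if it is not a rule."""
    cols = line.split("#", 1)[0].split()
    return (cols + ["-"] * 7)[:7] if len(cols) >= 5 else None

def in_scope(cols, zone):
    """DNAT/ACCEPT rules whose SOURCE zone is the external zone."""
    return cols[0].split(":")[0] in EXPOSING and cols[1].split(":")[0] == zone

def origdest_matches(spec, addr):
    """Does an ORIGINAL DEST value cover addr? Assumes plain addresses, no CIDR."""
    if spec == "-":
        return True  # empty column: the rule applies to every external address
    return (addr in spec.lstrip("!").split(",")) != spec.startswith("!")

def exposed_ports(rules, addr, zone="net"):
    """Ports that the rules open for connections arriving on addr."""
    ports = set()
    for cols in filter(None, map(parse, rules.splitlines())):
        if in_scope(cols, zone) and origdest_matches(cols[6], addr):
            ports.update(cols[4].split(","))
    return ports

def exclude_address(rules, addr, zone="net"):
    """Put !addr in ORIGINAL DEST of every in-scope rule that leaves it empty."""
    out = []
    for line in rules.splitlines():
        cols = parse(line)
        if cols and in_scope(cols, zone) and cols[6] == "-":
            cols[6] = "!" + addr
            line = "  ".join(cols)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    secondary = "66.159.230.120"
    print("before:", sorted(exposed_ports(SAMPLE_RULES, secondary)))
    fixed = exclude_address(SAMPLE_RULES, secondary)
    print("after: ", sorted(exposed_ports(fixed, secondary)))
    print(fixed, end="")
```

The primary address 66.159.230.119 keeps ports 25 and 80 after the rewrite, because the exclusion only removes the secondary address from those rules.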
