Tom Eastep wrote:
> wisnu dwi hidayat wrote:
> 
>> /etc/shorewall/rules
>> ########################################################################
>>
>> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
>>
>> # PORT PORT(S) DEST LIMIT GROUP
>>
>> #SECTION ESTABLISHED
>>
>> #SECTION RELATED
>>
>>
>> ACCEPT local fw tcp 53
>> ACCEPT local fw udp 53
>> ACCEPT net fw tcp 53
>> ACCEPT net fw udp 53
> 
> You run a public DNS server on your firewall?
> 
>> ACCEPT local fw tcp 80
>> ACCEPT net fw tcp 80
> 
> And an HTTP server?
> 
>> ACCEPT local fw tcp 20
> 
> NO NO NO NO -- Please read http://www.shorewall.net/FTP.html
> 
>> ACCEPT local fw tcp 21
>>
>> ACCEPT local fw tcp 22
>> ACCEPT net fw tcp 22
>> ACCEPT fw local tcp 22
>>
>> ACCEPT local fw tcp 10000
>> ACCEPT net fw tcp 10000
>>
>> ACCEPT net fw tcp 25,110,143
>> ACCEPT fw net tcp 25,110,143
>> ACCEPT local fw tcp 25,110,143
>> REJECT local net tcp 25,110,143
> 
> You have no net->local ACCEPT rules so connections from the internet to
> your server are not allowed.
> 
> You seem to be confused about how zones work. Your ftp server/web
> server/Proxy is in the 'local' zone, not the 'fw' zone. Connections to
> that server from the internet require rules of the form:
> 
> ACCEPT        net     local   ...

Example:

ACCEPT  net     local:60.x.x.2  tcp     21    #Allow FTP access from the
                                              #Internet

Rewritten to use the FTP macro:

FTP/ACCEPT      net     local:60.x.x.2

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
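
The zone confusion described in this reply can be checked mechanically. The following is an added example, not part of the original message and not Shorewall code: a short Python lint over the quoted rules that reports the missing net->local ACCEPT, the ports opened on the firewall itself from net, and the explicit tcp/20 rule. The function names and finding codes are hypothetical.

```python
# Added example: a zone-pair lint for Shorewall rules (not part of Shorewall).
# RULES is the rule set quoted in the message above; the zone names come from it.
RULES = """\
ACCEPT local fw tcp 53
ACCEPT local fw udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53
ACCEPT local fw tcp 80
ACCEPT net fw tcp 80
ACCEPT local fw tcp 20
ACCEPT local fw tcp 21
ACCEPT local fw tcp 22
ACCEPT net fw tcp 22
ACCEPT fw local tcp 22
ACCEPT local fw tcp 10000
ACCEPT net fw tcp 10000
ACCEPT net fw tcp 25,110,143
ACCEPT fw net tcp 25,110,143
ACCEPT local fw tcp 25,110,143
REJECT local net tcp 25,110,143
"""

def parse(text):
    """Yield (action, src_zone, dst_zone, proto, ports) per rule line."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(cols) < 3 or cols[0].lstrip("?") == "SECTION":
            continue
        proto = cols[3] if len(cols) > 3 else "-"
        ports = cols[4].split(",") if len(cols) > 4 else []
        # SOURCE/DEST may be zone:host; ACTION may be Macro/ACTION
        yield cols[0].split("/")[-1], cols[1].split(":")[0], cols[2].split(":")[0], proto, ports

def lint(text, internet="net", servers="local", firewall="fw"):
    """Return findings as (code, detail) tuples."""
    rules = [r for r in parse(text) if r[0] == "ACCEPT"]
    findings = []
    if not any(s == internet and d == servers for _, s, d, _, _ in rules):
        findings.append(("NO_NET_TO_SERVERS", f"no ACCEPT {internet}->{servers} rule"))
    for _, s, d, proto, ports in rules:
        if s == internet and d == firewall:
            findings += [("NET_TO_FW", f"{proto}/{p}") for p in ports]
        if proto == "tcp" and "20" in ports:
            findings.append(("FTP_DATA_RULE", f"{s}->{d} tcp/20"))
    return findings

if __name__ == "__main__":
    for code, detail in lint(RULES):
        print(code, detail)
```

Appending the FTP macro rule from the reply to the rule set clears the NO_NET_TO_SERVERS finding; the NET_TO_FW entries remain as a list of services to confirm really run on the firewall host.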
