The external interface on my firewalled router has two IP addresses, 66.159.230.119 and 66.159.230.120. The secondary one (66.159.230.120) should only accept/forward connections on https (port 443). However, when I run a port checker on it (shieldsup, at www.grc.com) it shows ports 25 and 80 as being open as well.

The relevant entries in the rules and files are:

rules

DNAT net loc:192.168.1.200 tcp https - 66.159.230.120

masq

eth1 eth0:!192.168.1.20 66.159.230.119
eth1 192.168.1.200 66.159.230.120

What additional settings do I need to close off ports 25 and 80 on the secondary address?

- Mark

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Mark A. Olbert wrote:
> The external interface on my firewalled router has two IP addresses,
> 66.159.230.119 and 66.159.230.120. The secondary one (66.159.230.120)
> should only accept/forward connections on https (port 443). However,
> when I run a port checker on it (shieldsup, at www.grc.com
> <http://www.grc.com>) it shows ports 25 and 80 as being open as well.
>
> The relevant entries in the rules and files are:

I'm always amused when posters on this list claim to include the "relevant" information. In 99% of such cases, if the poster understood what was relevant to the problem being reported then he/she wouldn't have the problem in the first place.

In your particular case, to be experiencing the problem that you are describing, you must also have rules that either DNAT and/or ACCEPT ports 25 and 80.

> rules
>
> DNAT net loc:192.168.1.200 tcp https - 66.159.230.120
>
> masq
>
> eth1 eth0:!192.168.1.20 66.159.230.119
> eth1 192.168.1.200 66.159.230.120

One of those two is incorrect -- you have .20 in the first rule and .200 in the second. I suspect that the second is correct.

> What additional settings do I need to close off ports 25 and 80 on the
> secondary address?

You need to change those irrelevant rules that you didn't include in your post to specify "!66.159.230.120" in the ORIGINAL DEST column.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
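To make Tom's point concrete, here is an added example (not Shorewall's code and not from the thread) that audits a Shorewall `rules` file offline: it parses the ACTION/SOURCE/DEST/PROTO/DEST PORT/SOURCE PORT/ORIGINAL DEST columns and reports which probed ports a given external address would answer on. The rule sets are constructed: the thread only shows the https DNAT, so the smtp/http DNAT lines and the 192.168.1.10 host are assumptions standing in for the rules Mark did not post. The "after" set applies Tom's fix, `!66.159.230.120` in ORIGINAL DEST, and the audit shows 25 and 80 disappearing from the secondary address while remaining on the primary one. Zones, policies, sections and rule ordering are deliberately out of scope.

```python
"""Audit which Shorewall 'rules' entries expose an external address on a port.

Added example for this thread, not Shorewall's own code. It models only the
column matching of the rules file (ACTION SOURCE DEST PROTO DEST PORT
SOURCE PORT ORIGINAL DEST) for a single inbound packet; zones, policies,
sections and rule ordering are ignored.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")
SERVICE_PORTS = {"smtp": 25, "http": 80, "https": 443}

# Constructed "before" rules (assumption: the smtp/http DNATs Mark left out
# look like this). With no ORIGINAL DEST they match either external address.
RULES_BEFORE = """\
#ACTION SOURCE  DEST                PROTO DPORT SPORT ORIGDEST
DNAT    net     loc:192.168.1.200   tcp   https -     66.159.230.120
DNAT    net     loc:192.168.1.10    tcp   smtp
DNAT    net     loc:192.168.1.10    tcp   http
"""

# Constructed "after" rules with Tom's fix applied: !66.159.230.120 in
# ORIGINAL DEST keeps the smtp/http rules off the secondary address.
RULES_AFTER = """\
#ACTION SOURCE  DEST                PROTO DPORT SPORT ORIGDEST
DNAT    net     loc:192.168.1.200   tcp   https -     66.159.230.120
DNAT    net     loc:192.168.1.10    tcp   smtp  -     !66.159.230.120
DNAT    net     loc:192.168.1.10    tcp   http  -     !66.159.230.120
"""


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str
    sport: str
    origdest: str
    text: str


def parse_rules(text):
    """Parse the whitespace-separated rules file; missing trailing columns become '-'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        cols += ["-"] * (len(COLUMNS) - len(cols))
        rules.append(Rule(*cols[:len(COLUMNS)], text=line))
    return rules


def port_matches(spec, port):
    """DEST PORT column: '-', a service name, a number, a lo:hi range, or a comma list."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif port == (SERVICE_PORTS.get(item) or int(item)):
            return True
    return False


def origdest_matches(spec, ip):
    """ORIGINAL DEST column: '-', or an address/network list, optionally negated with '!'."""
    if spec == "-":
        return True
    negate = spec.startswith("!")
    nets = [ip_network(a, strict=False) for a in spec.lstrip("!").split(",")]
    hit = any(ip_address(ip) in n for n in nets)
    return not hit if negate else hit


def exposing_rules(rules, external_ip, port, proto="tcp"):
    """Rules from the net zone that would DNAT or ACCEPT a packet to external_ip:port."""
    return [r for r in rules
            if r.action.split(":")[0].upper() in ("DNAT", "ACCEPT")
            and r.source.split(":")[0] == "net"
            and r.proto in ("-", proto)
            and port_matches(r.dport, port)
            and origdest_matches(r.origdest, external_ip)]


def open_ports(text, external_ip, ports=(25, 80, 443)):
    """Sorted list of the probed ports that at least one rule would let through."""
    rules = parse_rules(text)
    return sorted(p for p in ports if exposing_rules(rules, external_ip, p))


if __name__ == "__main__":
    for label, text in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        for ip in ("66.159.230.119", "66.159.230.120"):
            print(f"{label}: {ip} -> {open_ports(text, ip)}")
```

Run against your own `/etc/shorewall/rules` by passing its contents to `open_ports` with each external address; any port listed for the secondary address beyond 443 points at a rule whose ORIGINAL DEST column is empty or too broad. The `.20`/`.200` mismatch Tom spotted in the masq file is a separate issue that this check does not look at.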
Gee, my apologies, oh great and glorious god, for mistakenly picking an incorrect word in my informal email. I promise I will do better next time and crawl on my belly before your majesty.

Thanks for your help.

- Mark

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, October 02, 2008 3:00 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Tweak Mulithomed Interface
Mark A. Olbert wrote:
> Gee, my apologies, oh great and glorious god, for mistakenly picking an
> incorrect word in my informal email. I promise I will do better next time and
> crawl on my belly before your majesty.
>
> Thanks for your help.
>
> - Mark

Mark,

That was uncalled for. Please read Tom's answer at least one more time. Thoroughly. Not only has he probably told you what the problem is, despite lack of provided details, but he also told you how to better ask for help in the future. And he did that in a humorous way. I guess you didn't see his tongue-in-cheek.

/Martin Leben
What makes you think I wasn't trying to be funny in response?

FWIW, my motivation was to not send a giant email around with the entire content of my various config files. Should I ever have occasion to ask a question here in the future I will be sure to do that, so as to not accidentally leave out any potentially helpful information.

I should also point out that I read his email three or four times before I sent my reply. I find that a good thing to do, particularly if I'm going to try and poke some fun.

- Mark

-----Original Message-----
From: Martin Leben [mailto:ml060223@leben.nu]
Sent: Thursday, October 02, 2008 3:55 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Tweak Mulithomed Interface

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Mark A. Olbert wrote:
> What makes you think I wasn't trying to be funny in response?

I assumed you were.

> FWIW, my motivation was to not send a giant email around with
> the entire content of my various config files. Should I ever have
> occasion to ask a question here in the future I will be sure to do
> that, so as to not accidentally leave out any potentially
> helpful information.

Should that occasion arise, we would appreciate it if you would follow the guidelines published at http://www.shorewall.net/support.htm#Guidelines. While following those guidelines won't reduce the bulk of the email, it will give us the information we need to quickly solve your problem.

> I should also point out that I read his email three or four times
> before I sent my reply.

And I read yours several times before deciding *not* to reply :-)

Thanks!
-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net