Phillipus Gunawan wrote:
> Hi There,
>
> I am using shorewall 4.0.14.2, and I got these lines in my 'rules'
> file:
>
> DNAT net loc:192.168.168.3 tcp 64198
> REJECT net loc:192.168.168.1 tcp 80
>
> the first line is to redirect my BitTorrent and it is working OK. But
> I can't seem to reject port 80 going in to my box.
>
> I test it by logging in to my friend's computer via VNC and opening his
> browser, but I can still see my Apache on my server. As I understand it, I
> can't test these rules within the LAN itself.
>
> any opinion?
Yes. I suspect that the Shorewall system is wide open from the internet.
This is never a good thing.
You give us so few details that it is impossible to say for certain, but
here is what I suspect:
- 192.168.168.1 is the IP address of your firewall's internal
interface.
- Apache is running on the firewall.
If those two things were true, the correct rule would be:
REJECT net $FW tcp 80
In that case, if you had configured Shorewall using the two-interface
quickstart guide (http://www.shorewall.net/two-interface.htm), you would
have a net->$FW policy of DROP which would prevent the connection in the
first place. Since that isn't happening, I suspect that your net->$FW
policy is ACCEPT.
If I have misunderstood the situation, then please go to
http://www.shorewall.net/support.htm#Guidelines and follow the
instructions there (Hint: You have a *Connection Problem* -- a
connection is being allowed that you do not expect).
Thanks
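For readers following the thread, here is the configuration the reply describes, laid out as an added example rather than anything posted by either participant. It assumes the two-interface layout from the quickstart guide (net on eth0, loc on eth1, the firewall itself being $FW) and keeps the poster's own DNAT rule; the 'before' policy line is the suspected weak setting, the 'after' is the corrected one.

```text
# /etc/shorewall/policy  (added example; zone and interface names assumed)
#SOURCE   DEST    POLICY    LOG LEVEL
loc       net     ACCEPT
# suspected current setting: everything from the internet reaches the firewall
#net      $FW     ACCEPT
# corrected: the quickstart default, which already blocks net->$FW port 80
net       all     DROP      info
all       all     REJECT    info

# /etc/shorewall/rules  (added example)
#ACTION   SOURCE  DEST                  PROTO  DEST PORT(S)
# poster's working BitTorrent forward, unchanged
DNAT      net     loc:192.168.168.3     tcp    64198
# Apache runs on the firewall, so the destination is $FW, not a loc address;
# with the DROP policy above this rule only changes DROP to REJECT for port 80
REJECT    net     $FW                   tcp    80
```

The REJECT rule is redundant once the net->$FW policy is DROP, but it makes the intent explicit and gives the remote client a clean refusal instead of a timeout; it is the net->$FW policy, not the rule, that decides whether the rest of the firewall's services are reachable from the internet.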