Hi,

I am sorry to disturb you. I've got your e-mails from the Shorewall mailing list.

I have a problem - a Linux PC (at 192.168.0.1 + external IP) which runs 2-interface shorewall (along with mail/web/ftp) cannot connect to the YP NIS server running on the internal network (192.168.0.11).

ypbind requires the portmapper (tcp/udp 111); ypbind itself uses randomly selected ports in the range 600-900 (you can obtain them through "rpcinfo -p localhost").

I have opened ALL tcp/udp ports from loc to fw, however, the ypbind client still cannot communicate with the server (even if I explicitly specify the NIS server IP).

Any idea how to solve this problem?

Thanks in advance for any suggestion(s)

*********************************************
* Best Regards --- Andrei Verovski          *
* Personal Home Page                        *
* http://snow.prohosting.com/guru4mac/      *
* Mac, Linux, DTP, Development, IT WEB Site *
*********************************************
On Wednesday 28 January 2004 05:35 am, Andrei Verovski (aka MacGuru) wrote:
> Hi,
>
> I am sorry to disturb you. I've got your e-mails from the Shorewall mailing
> list.
>
> I have a problem - a Linux PC (at 192.168.0.1 + external IP) which runs
> 2-interface shorewall (along with mail/web/ftp) cannot connect to the YP
> NIS server running on the internal network (192.168.0.11).
>
> ypbind requires the portmapper (tcp/udp 111); ypbind itself uses randomly
> selected ports in the range 600-900 (you can obtain them through "rpcinfo
> -p localhost").
>
> I have opened ALL tcp/udp ports from loc to fw,

I would have thought that you would have needed to open just UDP from fw->loc (not loc->fw).

> however, the ypbind client
> still cannot communicate with the server (even if I explicitly
> specify the NIS server IP).
>
> Any idea how to solve this problem?
>

Look at your log and see what's being dropped/blocked and add a rule to allow it. Until the RPC connection tracking helper is available in standard kernels, you have to open a pretty big hole in your firewall to use any RPC-based application. In my own network, I have an ACCEPT policy for fw->loc. See also http://www.shorewall.net/port.htm under NFS for an example of how large a hole is needed.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi,

Thanks everyone for the reply. ypbind/rpc requires tcp/udp port 111, and 2 randomly selected tcp/udp ports in the range 600-900 (you can obtain them through "rpcinfo -p localhost").

Is it possible somehow to instruct shorewall to check the rpc ports and open only them, not the whole range? Or do I have to write a custom script?

BTW, which loc -> fw ports are opened by default by shorewall? In the default policy setting (2-interface sample) the rule loc -> fw is not defined.

Thanks

On Jan 28, 2004, at 17:13, Tom Eastep wrote:
> On Wednesday 28 January 2004 05:35 am, Andrei Verovski (aka MacGuru)
> wrote:
>> Hi,
>>
>> I am sorry to disturb you. I've got your e-mails from the Shorewall
>> mailing
>> list.
>>
>> I have a problem - a Linux PC (at 192.168.0.1 + external IP) which runs
>> 2-interface shorewall (along with mail/web/ftp) cannot connect to the YP
>> NIS server running on the internal network (192.168.0.11).
>>
>> ypbind requires the portmapper (tcp/udp 111); ypbind itself uses randomly
>> selected ports in the range 600-900 (you can obtain them through "rpcinfo
>> -p localhost").
>>
>> I have opened ALL tcp/udp ports from loc to fw,
>
> I would have thought that you would have needed to open just UDP from
> fw->loc
> (not loc->fw).
>
>> however, the ypbind client
>> still cannot communicate with the server (even if I explicitly
>> specify the NIS server IP).
>>
>> Any idea how to solve this problem?
>>
>
> Look at your log and see what's being dropped/blocked and add a rule
> to allow
> it. Until the RPC connection tracking helper is available in standard
> kernels, you have to open a pretty big hole in your firewall to use any
> RPC-based application. In my own network, I have an ACCEPT policy for
> fw->loc. See also http://www.shorewall.net/port.htm under NFS for an
> example of
> how large a hole is needed.
>
> -Tom
> -- 
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Thursday 29 January 2004 05:51 am, Andrei Verovski (aka MacGuru) wrote:
> Hi,
>
> Thanks everyone for the reply. ypbind/rpc requires tcp/udp port 111, and 2
> randomly selected tcp/udp ports in the range 600-900 (you can obtain them
> through "rpcinfo -p localhost").
>
> Is it possible somehow to instruct shorewall to check the rpc ports and
> open only them, not the whole range? Or do I have to write a custom script?

You can open any ports that you choose.

>
> BTW, which loc -> fw ports are opened by default by shorewall? In the
> default policy setting (2-interface sample) the rule loc -> fw is not
> defined.

Possibly you should review again the introductory information in the two-interface QuickStart guide ("Shorewall Concepts" section) so you could answer that question for yourself:

a) There is no loc->fw, loc->all or all->loc policy so the all->all policy (REJECT) applies.

b) The rules file contains:

    ACCEPT  loc  fw  tcp   22
    ACCEPT  loc  fw  icmp  8

So the only traffic allowed by default from loc->fw is SSH and ping.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
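Andrei's question above (open only the ports RPC has actually registered instead of the whole 600-900 range) can be handled with a small script; the one below is an added example, not code from the thread or from Shorewall itself. It assumes the `rpcinfo -p` output is taken from the NIS server side (192.168.0.11), that the firewall zone is named `fw` as in Tom's rules, and that the direction needed is fw->loc as Tom suggested; the rpcinfo output embedded here is constructed.

```shell
#!/bin/sh
# Added example: generate Shorewall ACCEPT rules for exactly the ports that
# the RPC portmapper currently lists, rather than opening a whole range.

# Constructed sample of "rpcinfo -p 192.168.0.11" output (not real data).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    781  ypserv
    100004    1   udp    781  ypserv
    100004    2   tcp    784  ypserv
    100004    1   tcp    784  ypserv
    100009    1   udp    769  yppasswdd'

# rpc_rules SRC DEST SERVICE...
# Reads rpcinfo output on stdin and prints one Shorewall rules-file line
# "ACCEPT SRC DEST proto port" per distinct proto/port registered by the
# named RPC services.  The portmapper (111) is always included because every
# RPC client has to query it first; all other program names are filtered out.
rpc_rules() {
    src=$1; dest=$2; shift 2
    awk -v src="$src" -v dest="$dest" -v want="portmapper $*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        # Data lines have 5 fields; the header has 4 and is skipped.
        NF == 5 && ($5 in keep) && !seen[$3 ":" $4]++ {
            printf "ACCEPT\t%s\t%s\t%s\t%s\n", src, dest, $3, $4
        }'
}

# rpc_ports SERVICE... : the same rules collapsed to "proto/port" pairs on
# one line, handy for a quick eye-check against what ypbind is trying to use.
rpc_ports() {
    printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules fw loc "$@" |
        awk '{ printf "%s%s/%s", (NR > 1 ? " " : ""), $4, $5 } END { print "" }'
}

# Demo: rules for the portmapper plus ypserv only (yppasswdd stays closed).
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_rules fw loc ypserv
```

The registered ports move whenever ypserv restarts, so the generated lines match only the current registration and have to be regenerated (and Shorewall restarted) after any restart of the RPC services.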