Hi all,

I must be losing it. Following RTFM I am a bit confused when trying to figure out how to make the entry in the rules file to allow PC Anywhere from a specific external address (net 64.x.x.x) to my PC inside my local network.

I run a cable modem with a DHCP address.

I think that this will work, but I do not want to try it until I confirm the lines, as my firewall is working great. I am wondering if I need to put the port in the source or dest entries, or whether what I have is fine.

accept net:64.x.x.x loc:192.x.x.x tcp 5631
accept net:64.x.x.x loc:192.x.x.x udp 5632

64.x.x.x is the address of the external box.
192.x.x.x is the address of the box on the internal LAN.

Am I on the right track?

Thanks,

Craig
On Mon, 5 Aug 2002, Craig Sharp wrote:

> Hi all,
>
> I must be losing it. Following RTFM I am a bit confused when trying to figure out how to make the entry in the rules file to allow PC Anywhere from a specific external address (net 64.x.x.x) to my PC inside my local network.
>
> I run a cable modem with a DHCP address.
>
> I think that this will work, but I do not want to try it until I confirm the lines, as my firewall is working great.
> I am wondering if I need to put the port in the source or dest entries, or whether what I have is fine.
>
> accept net:64.x.x.x loc:192.x.x.x tcp 5631
> accept net:64.x.x.x loc:192.x.x.x udp 5632
>
> 64.x.x.x is the address of the external box.
> 192.x.x.x is the address of the box on the internal LAN.
>
> Am I on the right track?
>

Somewhat -- you need a DNAT rule rather than an ACCEPT rule, and the ACTION column must always be in upper case:

DNAT net:64.x.x.x loc:192.x.x.x tcp 5631
DNAT net:64.x.x.x loc:192.x.x.x udp 5632

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom,

Thanks for the speedy reply. I will try the entries. One other question on this subject. If I am scanned or probed, will these ports be seen as open, or are they stealth to anything except the specified external address?

Thanks,

Craig

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, August 05, 2002 10:16 AM
To: Craig Sharp
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] PC Anywhere rules?

On Mon, 5 Aug 2002, Craig Sharp wrote:

> accept net:64.x.x.x loc:192.x.x.x tcp 5631
> accept net:64.x.x.x loc:192.x.x.x udp 5632
>
> 64.x.x.x is the address of the external box.
> 192.x.x.x is the address of the box on the internal LAN.
>
> Am I on the right track?
>

Somewhat -- you need a DNAT rule rather than an ACCEPT rule, and the ACTION column must always be in upper case:

DNAT net:64.x.x.x loc:192.x.x.x tcp 5631
DNAT net:64.x.x.x loc:192.x.x.x udp 5632

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Mon, 5 Aug 2002, Craig A. Sharp wrote:

> Tom,
>
> Thanks for the speedy reply. I will try the entries. One other question on
> this subject. If I am scanned or probed, will these ports be seen as open
> or are they stealth to anything except the specified external address?
>

The latter...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
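Added example, not code from the thread or from Shorewall itself: a small shell function that expands one rules-file line of the shape Tom gives above (ACTION SOURCE DEST PROTO PORT) into the iptables commands it roughly stands for. It makes two points from the replies concrete: why the port forward needs DNAT rather than ACCEPT (a packet from the Internet is addressed to the firewall's public IP, so a plain FORWARD rule for the internal host never matches until the nat table rewrites the destination), and why restricting SOURCE to one address leaves other probes matching nothing. The interface names eth0 (net) and eth1 (loc), the constructed addresses 64.0.0.1 and 192.168.1.10 standing in for 64.x.x.x and 192.x.x.x, and the exact rule shape are assumptions for illustration; real Shorewall output has more chains and matches.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself.
# Expand one Shorewall rules-file line (ACTION SOURCE DEST PROTO PORT) into
# the iptables commands it roughly stands for. Commands are printed, not run.
# Assumptions (not stated in the thread): net zone = eth0, loc zone = eth1,
# DEST is a single host, no port translation.

rule_to_iptables() {
    action=$1; src=$2; dst=$3; proto=$4; port=$5
    src_ip=${src#*:}   # "net:64.0.0.1" -> "64.0.0.1"
    dst_ip=${dst#*:}   # "loc:192.168.1.10" -> "192.168.1.10"

    case "$action" in
        DNAT)
            # 1. nat table: packets from the allowed source arriving on eth0
            #    for this port get their destination rewritten from the
            #    firewall's public (DHCP) address to the internal host.
            printf 'iptables -t nat -A PREROUTING -i eth0 -s %s -p %s --dport %s -j DNAT --to-destination %s\n' \
                "$src_ip" "$proto" "$port" "$dst_ip"
            # 2. filter table: the rewritten packet now carries -d dst_ip, so
            #    a FORWARD rule can accept it on its way out eth1.
            printf 'iptables -A FORWARD -i eth0 -o eth1 -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
                "$src_ip" "$dst_ip" "$proto" "$port"
            ;;
        ACCEPT)
            # Filter rule only. Nothing rewrites the destination, so a packet
            # from the Internet is still addressed to the firewall's public
            # IP, never carries -d dst_ip, and never matches this rule.
            printf 'iptables -A FORWARD -i eth0 -o eth1 -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
                "$src_ip" "$dst_ip" "$proto" "$port"
            ;;
        *)
            # Shorewall wants the ACTION column in upper case; "accept" or
            # "dnat" is a configuration error, so refuse it here too.
            printf 'error: ACTION "%s" not recognised (must be upper case)\n' "$action" >&2
            return 1
            ;;
    esac
}

# Number of iptables commands a rule expands to: 2 for DNAT, 1 for ACCEPT.
rule_command_count() {
    rule_to_iptables "$@" | wc -l | tr -d ' '
}

# Demo with constructed addresses in place of the thread's 64.x.x.x / 192.x.x.x.
rule_to_iptables DNAT net:64.0.0.1 loc:192.168.1.10 tcp 5631
rule_to_iptables DNAT net:64.0.0.1 loc:192.168.1.10 udp 5632
```

Note that the firewall's own DHCP-assigned address never appears in the expanded DNAT rule, so a lease change does not break the forward. A probe from any source other than the one named in SOURCE matches neither generated rule and falls through to the net zone's policy; it looks "stealth" (filtered, as Tom says) only when that policy is DROP. A REJECT policy would answer with a TCP RST or ICMP unreachable and a scanner would report the port as closed rather than filtered.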