All,

I've just recently gotten around to getting shorewall configured on my firewall box - and damn fine it is too - many thanks to Tom for coming up with a logical and intuitive way of configuring firewalling ...

But I digress; I'm able to successfully receive incoming connections on _some_ ports, such as port 25, but not on others, especially port 80, which is proving a bit of a hurdle where hosting a web site is concerned.

I adopted my shorewall configuration from the sample "two interface" scripts and thus far have only modified the contents of /etc/shorewall/params.

The firewall box is dual NIC'd, the external NIC is DHCP controlled and the internal NIC is 192.168.1.200. I'm only forwarding to a single host (192.168.1.1) for SMTP, HTTP and SSH services (I haven't tested inbound SSH connections yet so I can't vouch for their validity).

I can't seem to access my web server on port 80 from internally, via my external IP or externally, say from work; only via the internal interface.

Am I missing something (likely) or has my cable ISP been sneaky and blocked port 80?

All the best

Gary

--
Gary Gale / Vicchi.Org gary at vicchi dot org

"There are two major products that come out of Berkeley; LSD and UNIX. We don't believe this to be a coincidence."

"The box said 'requires Windows 98 or better' so I installed Linux."
Gary Gale
2002-Mar-11 19:09 UTC
[Shorewall-users] Firewall and Port Forward Clash? (take 2)
Damn - first post to the list and still he gets it wrong ... Of course, it does _help_ if you get around to including the contents of /etc/shorewall/params (less comments) before hitting send ...

NET_IF=eth1
NET_BCAST=detect
NET_OPTIONS=dhcp,noping,norfc1918
LOCAL_IF=eth0
LOCAL_BCAST=detect
LOCAL_OPTIONS=routestopped
LOCAL_NET=192.168.1.0/24
FW_TCP_OUT_PORTS=22,25,53,68,80,8080,109,110,1227
FW_UDP_OUT_PORTS=53,68,1227
LOC_TCP_PORTS1=22,25,80,109,110
LOC_UDP_PORTS1=22,25,80,109,110
SERVER1=192.168.1.1
LOC_TCP_PORTS2=none
LOC_UDP_PORTS2=none
SERVER2=none
FW_TCP_IN_PORTS=none
FW_UDP_IN_PORTS=none
LOC_FW_TCP_PORTS=22,25,80
LOC_FW_UDP_PORTS=none

Gary

On Monday 11 March 2002 7:02 pm, Gary Gale wrote:
> All,
>
> I've just recently gotten around to getting shorewall configured on my
> firewall box - and damn fine it is too - many thanks to Tom for coming up
> with a logical and intuitive way of configuring firewalling ...
>
> But I digress; I'm able to successfully receive incoming connections on
> _some_ ports, such as port 25, but not on others, especially port 80, which
> is proving a bit of a hurdle where hosting a web site is concerned.
>
> I adopted my shorewall configuration from the sample "two interface"
> scripts and thus far have only modified the contents of
> /etc/shorewall/params.
>
> The firewall box is dual NIC'd, the external NIC is DHCP controlled and the
> internal NIC is 192.168.1.200. I'm only forwarding to a single host
> (192.168.1.1) for SMTP, HTTP and SSH services (I haven't tested inbound SSH
> connections yet so I can't vouch for their validity).
>
> I can't seem to access my web server on port 80 from internally, via my
> external IP or externally, say from work; only via the internal interface.
>
> Am I missing something (likely) or has my cable ISP been sneaky and blocked
> port 80?
>
> All the best
>
> Gary

--
Gary Gale / Vicchi.Org gary at vicchi dot org

"There are two major products that come out of Berkeley; LSD and UNIX. We don't believe this to be a coincidence."

"The box said 'requires Windows 98 or better' so I installed Linux."
Tom Eastep
2002-Mar-11 19:52 UTC
[Shorewall-users] Firewall and Port Forward Clash? (take 2)
Gary,

----- Original Message -----
From: "Gary Gale" <gary@vicchi.org>
To: "Shorewall Users List" <shorewall-users@shorewall.net>
Sent: Monday, March 11, 2002 11:09 AM
Subject: Re: [Shorewall-users] Firewall and Port Forward Clash? (take 2)

>
> NET_IF=eth1
> NET_BCAST=detect
> NET_OPTIONS=dhcp,noping,norfc1918
> LOCAL_IF=eth0
> LOCAL_BCAST=detect
> LOCAL_OPTIONS=routestopped
> LOCAL_NET=192.168.1.0/24
> FW_TCP_OUT_PORTS=22,25,53,68,80,8080,109,110,1227
> FW_UDP_OUT_PORTS=53,68,1227
> LOC_TCP_PORTS1=22,25,80,109,110
> LOC_UDP_PORTS1=22,25,80,109,110

UDP Ports 22,25,80, 109 and 110 aren't used.

> SERVER1=192.168.1.1
> LOC_TCP_PORTS2=none
> LOC_UDP_PORTS2=none
> SERVER2=none
> FW_TCP_IN_PORTS=none
> FW_UDP_IN_PORTS=none
> LOC_FW_TCP_PORTS=22,25,80
> LOC_FW_UDP_PORTS=none
>

-Tom
Does your contract with your ISP allow you more than one IP address? If so, place a hub between your cable modem and your firewall and add a second PC to the hub. You can then see if that PC can connect to port 80 - if so, and if people outside your ISP cannot connect then the chances are excellent that your ISP is blocking port 80.

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

----- Original Message -----
From: "Gary Gale" <gary@vicchi.org>
To: "Tom Eastep" <teastep@shorewall.net>
Sent: Monday, March 11, 2002 12:08 PM
Subject: Re: [Shorewall-users] Firewall and Port Forward Clash?

> Tom,
>
> thanks for the prompt response ...
>
> > The part about not being able to access your server internally via the
> > external address is FAQ #2 - http://www.shorewall.net/FAQ.htm#faq2.
>
> I did see this when I was trying to RTFM but apparently it didn't make the
> right connections in the old brain cells so I totally misinterpreted it -
> I've since re-read this and now I see what you're getting at.
>
> > I suspect that your ISP is blocking inbound port 80 so you may have to use
> > another port and forward that port to port 80.
>
> The strange thing is that I can't find any reference to port blocking tactics
> by my ISP on the official or unofficial FAQs. I'll try and get a colleague to
> probe my firewall from his ISP and see what he comes up with. If BlueYonder
> _are_ blocking port 80 then I'll try 8080 before going into real
> "non-standard" territory.
>
> Thanks also for the comments about the redundant UDP ports - I should have
> known better but I guess I was fried from too much caffeine when I modified
> /etc/shorewall/params that time!
>
> Finally, shorewall's really impressed me - whilst my firewalling knowledge is
> not so good (but you guessed that) I'm learning all the time here; you've
> done a great job on this; so I guess I'd just like to say "thanks".
>
> Gary
>
> --
>
> Gary Gale / Vicchi.Org gary at vicchi dot org
>
> "There are two major products that come out of Berkeley; LSD
> and UNIX. We don't believe this to be a coincidence."
>
> "The box said 'requires Windows 98 or better' so I installed Linux."
>
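Tom's test above separates an upstream ISP block from a firewall misconfiguration by comparing what a host on the ISP side of the firewall sees with what a host beyond the ISP sees. The following is an added example, not code from the thread or from Shorewall, that puts that comparison into a small TCP probe: it classifies each port as seen from the current vantage point (a RST means the packet reached a host with no listener; silence within the timeout means something dropped it along the way) and combines the two vantage points into a verdict per port. The port list mirrors the TCP services Gary forwards; the host addresses and the wording of the verdicts are assumptions made for illustration.

```python
import socket
from typing import Dict, Iterable, Tuple

# Added example, not from the thread. Ports Gary forwards to 192.168.1.1
# (TCP only; the UDP entries Tom flagged carry no service and are omitted).
FORWARDED_TCP_PORTS = (22, 25, 80)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port as seen from this vantage point.

    'open'        SYN/ACK came back: a listener answered and nothing filtered it.
    'closed'      RST came back: the packet reached a host that has no listener
                  on that port (the forward is missing or the service is down).
    'filtered'    no answer within the timeout: a silent DROP somewhere on the
                  path, which is what both a firewall DROP rule and an ISP
                  block look like from the outside.
    'unreachable' ICMP error or local failure: a routing problem, not a port one.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "unreachable"
        return "open"


def probe_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe several ports on one host; result keyed by port number."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def diagnose(port: int, from_isp_side: str, from_outside: str) -> str:
    """Turn Tom's two vantage points into a verdict for one port.

    from_isp_side: result seen from a PC on the hub between cable modem and firewall
    from_outside:  result seen from a host beyond the ISP (a colleague, work)
    """
    if from_isp_side == "open" and from_outside == "open":
        return "reachable from everywhere; the port forward works"
    if from_isp_side == "open" and from_outside == "filtered":
        return "works from inside the ISP but is dropped beyond it: ISP is blocking the port upstream"
    if from_isp_side == "filtered":
        return "dropped at or before the firewall even from the ISP side: check the firewall rules before blaming the ISP"
    if from_isp_side == "closed":
        return "reaches a host with no listener: the forward is not applied or the service is down"
    return f"inconclusive for port {port} (isp-side={from_isp_side}, outside={from_outside}); retry with a longer timeout"


def local_listener() -> Tuple[socket.socket, int]:
    """Throwaway loopback listener so probe_tcp can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: a live listener reads 'open', the same port 'closed'
    # once the listener is gone. A real run would call probe_ports() against the
    # firewall's external address from each vantage point and feed both results
    # into diagnose().
    srv, port = local_listener()
    print(port, probe_tcp("127.0.0.1", port))
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))
    for p in FORWARDED_TCP_PORTS:
        print(p, diagnose(p, "open", "filtered"))
```

Run the probe twice against the firewall's external address, once from the hub-side PC and once from a host at another ISP, and pass the two results for each port to `diagnose()`. A port that is `filtered` from both places points at the firewall rules, not the ISP, which is the distinction Tom's hub test is designed to draw.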