I know this isn't a Shorewall question per se. But I have not found a better resource for "generally net savvy" persons anywhere.

With my old firewall (RH6.1, 2.2.19) PMFirewall, tIRCproxy) it was all so easy, and DCC worked in both directions.

But on my new box (Debian 3.0, 2.4.18, Shorewall) I can't make it work for outgoing DCC. What should I do to keep stuff happy?

I have set my girls mIRC up to use ports 1024-5000 for DCC, I have configured ez-bounce 1.0 to use 1024-5000 for DCC, and I have the following in my rules

#
#IRC
ACCEPT loc $FW tcp 6667,6668,1024:5000
ACCEPT $FW loc tcp 6667,6668,1024:5000
ACCEPT $FW net tcp 6667,6668,1024:5000

didn't work, so I added

ACCEPT net $FW tcp 1024:5000
ACCEPT net loc tcp 1024:5000

still no go.

What is "the way to go"? Proxy/No proxy? Any special rules? Any pointers? Help! :)

Jan Johansson wrote:

> I know this isn't a Shorewall question per se. But I have not found a better resource for "generally net savvy" persons anywhere.
>
> With my old firewall (RH6.1, 2.2.19) PMFirewall, tIRCproxy) it was all so easy, and DCC worked in both directions.
>
> But on my new box (Debian 3.0, 2.4.18, Shorewall) I can't make it work for outgoing DCC. What should I do to keep stuff happy?
>
> I have set my girls mIRC up to use ports 1024-5000 for DCC, I have configured ez-bounce 1.0 to use 1024-5000 for DCC, and I have the following in my rules
>
> #
> #IRC
> ACCEPT loc $FW tcp 6667,6668,1024:5000
> ACCEPT $FW loc tcp 6667,6668,1024:5000
> ACCEPT $FW net tcp 6667,6668,1024:5000
>
> didn't work, so I added
>
> ACCEPT net $FW tcp 1024:5000
> ACCEPT net loc tcp 1024:5000
>
> still no go.
>
> What is "the way to go"? Proxy/No proxy? Any special rules? Any pointers? Help! :)
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users

I had the same problem with mIRC. Outgoing DCC connections refused to work. But I solved it right away. I tried mIRC with everything but no luck and then I tried X-Chat (www.xchat.org). Don't know why, but X-Chat works for DCC just fine, and mIRC doesn't. So now I use X-Chat for Windows instead of mIRC... You could give it a try ;)

btw: I didn't put any rules or whatsoever... the IRC conntrack modules do it all.

And I think this also happens with the connection sharing stuff which comes in WinXP I guess.

Regards,
Luis

On Tue, 21 May 2002, Jan Johansson wrote:

> I know this isn't a Shorewall question per se. But I have not found a better resource for "generally net savvy" persons anywhere.
>
> With my old firewall (RH6.1, 2.2.19) PMFirewall, tIRCproxy) it was all so easy, and DCC worked in both directions.
>
> But on my new box (Debian 3.0, 2.4.18, Shorewall) I can't make it work for outgoing DCC. What should I do to keep stuff happy?
>
> I have set my girls mIRC up to use ports 1024-5000 for DCC, I have configured ez-bounce 1.0 to use 1024-5000 for DCC, and I have the following in my rules
>
> #
> #IRC
> ACCEPT loc $FW tcp 6667,6668,1024:5000
> ACCEPT $FW loc tcp 6667,6668,1024:5000
> ACCEPT $FW net tcp 6667,6668,1024:5000
>
> didn't work, so I added
>
> ACCEPT net $FW tcp 1024:5000
> ACCEPT net loc tcp 1024:5000
>
> still no go.

So did you add these rules because Shorewall was actually blocking something? As described in the Troubleshooting information on the Shorewall web site, you should disable log rate limiting before attempting to connect, then look at the generated log messages to understand what rule(s) to add. Your last two rules in particular are a security disaster!

> What is "the way to go"? Proxy/No proxy? Any special rules? Any pointers? Help! :)

Proxy seems the best way to go currently according to the Netfilter mailing list (although some people are reporting outbound DCC success with the latest netfilter code). If you are using a proxy, you will want to NOT load the IRC nat and connection tracking modules -- modify your /etc/shorewall/modules file to not load those modules (and remove the modules from your running kernel using rmmod).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

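Added example, not part of the original posts: the modules step from the reply above as a shell sketch. It assumes the modules file consists of `loadmodule <name>` lines and that the 2.4-kernel IRC helpers are named ip_conntrack_irc and ip_nat_irc; the sample file and lsmod output are constructed, and the rmmod commands are only printed, not run.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: ip_conntrack_irc,
# ip_nat_irc, and a modules file made of "loadmodule <name>" lines.

# Comment out the IRC helper lines in a Shorewall modules file, in place.
disable_irc_helpers() {
    file=$1
    tmp="$file.new.$$"
    awk '$1 == "loadmodule" && ($2 == "ip_conntrack_irc" || $2 == "ip_nat_irc") {
             print "#" $0; next
         }
         { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read lsmod-style text on stdin and print the rmmod commands still needed.
# ip_nat_irc is listed first because it depends on ip_conntrack_irc.
irc_rmmod_plan() {
    awk '$1 == "ip_nat_irc"       { nat = 1 }
         $1 == "ip_conntrack_irc" { ct = 1 }
         END { if (nat) print "rmmod ip_nat_irc"
               if (ct)  print "rmmod ip_conntrack_irc" }'
}

# Demo on constructed data; pass /etc/shorewall/modules for real use.
demo_dir=$(mktemp -d)
cat > "$demo_dir/modules" <<'EOF'
loadmodule ip_tables
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
EOF
disable_irc_helpers "$demo_dir/modules"
cat "$demo_dir/modules"

irc_rmmod_plan <<'EOF'
Module                  Size  Used by
ip_nat_irc              3312   0 (unused)
ip_conntrack_irc        3136   1 [ip_nat_irc]
EOF
rm -rf "$demo_dir"
```
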
> So did you add these rules because Shorewall was actually blocking
> something? As described in the Troubleshooting information on the
> Shorewall web site, you should disable log rate limiting
> before attempting

Aaah, forgot about the limiting, maybe that's what I am missing.

> Your last two rules in particular are a
> security disaster!

I know, which is why they were only used for the test in question.. a "Well, I'll be )(#/)(=" if I try to do THIS it really (/"&/&"&/ should work".

> If you are using a proxy, you
> will want to NOT
> load the IRC nat and connection tracking modules -- modify your
> /etc/shorewall/modules file to not load those modules (and remove the
> modules from your running kernel using rmmod).

*pounds head* THAT I did NOT do. I'll try after work today.

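Added example, not part of the original posts: one way to read the log messages the troubleshooting advice refers to, grouping them by chain, action, protocol and destination port so the blocked zone pair and port are visible before any rule is written. It assumes the `Shorewall:<chain>:<action>:` log prefix followed by the standard netfilter LOG fields; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Shorewall log entries.
# Assumes the "Shorewall:<chain>:<action>:" prefix and netfilter LOG fields.

# Reads syslog lines on stdin; prints "count chain action proto dpt",
# most frequent first. Lines without a Shorewall prefix are ignored.
summarize_shorewall_log() {
    awk '{
        chain = ""; action = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) { split($i, p, ":"); chain = p[2]; action = p[3] }
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        if (chain != "") count[chain " " action " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample: two dropped inbound connections to a DCC port, one
# rejected connection to an IRC server port, one unrelated UDP drop.
summarize_shorewall_log <<'EOF'
May 21 10:02:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=52 PROTO=TCP SPT=3021 DPT=1025 SYN
May 21 10:02:14 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TTL=52 PROTO=TCP SPT=3021 DPT=1025 SYN
May 21 10:03:40 fw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.77 LEN=60 TTL=64 PROTO=TCP SPT=1044 DPT=6667 SYN
May 21 10:04:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.33 DST=192.0.2.255 LEN=78 TTL=110 PROTO=UDP SPT=137 DPT=137
May 21 10:04:05 fw sshd[412]: session opened for user root
EOF
```
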
Zipleen wrote:

> Jan Johansson wrote:
>
>> I know this isn't a Shorewall question per se. But I have not found a
>> better resource for "generally net savvy" persons anywhere.
>>
>> With my old firewall (RH6.1, 2.2.19) PMFirewall, tIRCproxy) it was
>> all so easy, and DCC worked in both directions.
>> But on my new box (Debian 3.0, 2.4.18, Shorewall) I can't make it work
>> for outgoing DCC. What should I do to keep stuff happy?
>>
>> I have set my girls mIRC up to use ports 1024-5000 for DCC, I have
>> configured ez-bounce 1.0 to use 1024-5000 for DCC, and I have the
>> following in my rules
>>
>> #
>> #IRC
>> ACCEPT loc $FW tcp 6667,6668,1024:5000
>> ACCEPT $FW loc tcp 6667,6668,1024:5000
>> ACCEPT $FW net tcp 6667,6668,1024:5000
>>
>> didn't work, so I added
>> ACCEPT net $FW tcp 1024:5000
>> ACCEPT net loc tcp 1024:5000
>>
>> still no go.
>> What is "the way to go"? Proxy/No proxy? Any special rules? Any
>> pointers? Help! :)
>>
> I had the same problem with mIRC. Outgoing DCC connections refused to
> work. But I solved it right away. I tried mIRC with everything but no
> luck and then I tried X-Chat (www.xchat.org). Don't know why, but
> X-Chat works for DCC just fine, and mIRC doesn't. So now I use X-Chat
> for Windows instead of mIRC... You could give it a try ;)
> btw: I didn't put any rules or whatsoever... the IRC conntrack
> modules do it all.
> And I think this also happens with the connection sharing stuff which
> comes in WinXP I guess.
>
> Regards,
> Luis

Well, I finally got mIRC to work. Don't know if some of you are interested in this or not, but anyway: go to mIRC options, and then to CONNECT | Local Info. I changed the lookup method to normal and cleared the IPs in the two boxes above and checked the other two.

Then, go to CONNECT | OPTIONS, click ADVANCED and then check "Bind All sockets to this IP address:" and then fill out the INTERNAL IP of your machine (mine is 192.168.0.2). That should do the trick.

Regards,
Luis