Dave Bush
2003-May-10 11:50 UTC
[Shorewall-users] Configuring shorewall to allow an internal NIS+ domain
Hi Folks,

This may be a completely dumb newbie question, but I recently upgraded my server from Red Hat 7.2 to Mandrake 9.1 and as part of this I switched from Firestarter to Shorewall for my firewall. I'm experiencing some problems with getting Shorewall and NIS+ working.

Here's my /etc/shorewall/rules file:

ACCEPT net fw udp 53 -
ACCEPT net fw tcp 80,443,53,22,20,21,4500,10000 -
ACCEPT loc fw udp 53 -
ACCEPT loc fw tcp 80,443,53,22,20,21,4500,10000 -
ACCEPT loc fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT loc fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
ACCEPT fw loc tcp 631,515,137,138,139 -
ACCEPT fw loc udp 631,515,137,138,139 -
#these rules are for accepting samba requests
ACCEPT fw loc udp 137:139 -
ACCEPT fw loc tcp 137,139 -
ACCEPT fw loc udp 1024: 137 -
ACCEPT loc fw udp 137:139 -
ACCEPT loc fw tcp 137,139 -
ACCEPT loc fw udp 1024: 137 -
#Dave's guess at setting up NFS
ACCEPT fw loc udp 111 -
ACCEPT fw loc tcp 111 -
ACCEPT fw loc udp 2049 -
ACCEPT fw loc tcp 2049 -
ACCEPT fw loc udp 4000:4003 -
ACCEPT fw loc tcp 4000:4003 -
ACCEPT loc fw udp 111 -
ACCEPT loc fw tcp 111 -
ACCEPT loc fw udp 2049 -
ACCEPT loc fw tcp 2049 -
ACCEPT loc fw udp 4000:4003 -
ACCEPT loc fw tcp 4000:4003
# Let's see if I can make NIS+ work
ACCEPT fw loc tcp 668:1024
ACCEPT fw loc udp 668:1024
ACCEPT loc fw tcp 668:1024
ACCEPT loc fw udp 668:1024
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I'm pretty sure my NIS+ server is working properly. I'm able to see the domain and bind to it on a client computer. The problem comes when a user on the client computer tries to authenticate to the NIS+ server.
Here's an example of what I see in my /var/log/messages:

May 10 13:46:07 bob kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:10:4b:2f:c1:86:00:40:ca:50:97:50:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=797 DPT=32773 LEN=228
May 10 13:46:07 bob kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:10:4b:2f:c1:86:00:40:ca:50:97:50:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=797 DPT=32773 LEN=228

What am I doing wrong here folks? I attribute all of this to the fact that I'm a Shorewall newbie, so any help would be greatly appreciated.

Thanks,
- Dave
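The rejected packet in the log above is UDP from 192.168.1.3 to the firewall itself (IN=eth1, empty OUT=) on destination port 32773, which lies outside every port range in the posted rules (668:1024 is the closest), so it falls through to the all2all catch-all. The following Python is an added example for this thread, not code from the original post or from Shorewall: it parses such netfilter log entries, maps interfaces to zones (eth1 = loc and empty OUT = fw follow from the post; eth0 = net is an assumption), checks each rejected packet against the ACTION/SOURCE/DEST/PROTO/PORT columns of a rules file, and emits the ACCEPT lines that would have matched. The sample log is the two entries from this post plus one constructed variant on port 32771; the rules text is a constructed excerpt of the posted file.

```python
"""Turn Shorewall REJECT log entries into candidate rules and check them
against an existing /etc/shorewall/rules file (added example, not Shorewall code)."""
import re
from collections import Counter

# Interface -> zone. eth1 = loc comes from the thread; an empty OUT= means the
# packet was addressed to the firewall itself (fw). eth0 = net is an assumption.
IFACE_ZONE = {"eth1": "loc", "eth0": "net", "": "fw"}

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)
# ACTION SOURCE DEST PROTO DEST-PORT(S); the remaining columns are ignored here.
RULE_RE = re.compile(r"^\s*(ACCEPT|DROP|REJECT)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Log entry from the original post; the list repeats it twice as the post does
# and adds one constructed variant on another dynamic port.
PAGE_LINE = ("May 10 13:46:07 bob kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
             "MAC=00:10:4b:2f:c1:86:00:40:ca:50:97:50:08:00 SRC=192.168.1.3 "
             "DST=192.168.1.1 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
             "PROTO=UDP SPT=797 DPT=32773 LEN=228")
SAMPLE_LOG = [PAGE_LINE, PAGE_LINE, PAGE_LINE.replace("DPT=32773", "DPT=32771")]

# Constructed excerpt of the poster's rules file.
SAMPLE_RULES = """\
ACCEPT loc fw udp 111 -
ACCEPT loc fw tcp 111 -
ACCEPT fw loc udp 1024: 137 -
ACCEPT loc fw tcp 668:1024
ACCEPT loc fw udp 668:1024
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""


def parse_log_line(line):
    """Map one netfilter log entry to zones, protocol and ports; None if not Shorewall's."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "disposition": d["disp"],
        "src_zone": IFACE_ZONE.get(d["in"], d["in"]),    # unknown iface stays literal
        "dst_zone": IFACE_ZONE.get(d["out"], d["out"]),
        "proto": d["proto"].lower(),
        "sport": int(d["spt"]) if d["spt"] else None,
        "dport": int(d["dpt"]) if d["dpt"] else None,
    }


def parse_rules(text):
    """Return (action, src_zone, dst_zone, proto, ports) tuples; 'loc:192.168.1.0/24' -> 'loc'."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])
        if m:
            action, src, dst, proto, ports = m.groups()
            rules.append((action, src.split(":")[0], dst.split(":")[0], proto.lower(), ports))
    return rules


def port_in_spec(port, spec):
    """Match a numeric port against a Shorewall port list: '137,139', '668:1024', '1024:'."""
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if int(lo or 0) <= port <= int(hi or 65535):
                return True
        elif item.isdigit() and int(item) == port:
            return True
    return False  # service names such as 'domain' are not resolved here


def covered_by(rules, hit):
    """First ACCEPT rule whose zone pair, protocol and port list cover the rejected packet."""
    for rule in rules:
        action, src, dst, proto, ports = rule
        if action != "ACCEPT" or (src, dst) != (hit["src_zone"], hit["dst_zone"]):
            continue
        if (proto in (hit["proto"], "all") and hit["dport"] is not None
                and port_in_spec(hit["dport"], ports)):
            return rule
    return None


def suggest_rules(log_lines, rules_text):
    """One ACCEPT line per rejected (zones, proto, dport) not already covered, busiest first."""
    rules = parse_rules(rules_text)
    wanted = Counter()
    for line in log_lines:
        hit = parse_log_line(line)
        if (hit and hit["disposition"] in ("REJECT", "DROP") and hit["dport"] is not None
                and covered_by(rules, hit) is None):
            wanted[(hit["src_zone"], hit["dst_zone"], hit["proto"], hit["dport"])] += 1
    return [f"ACCEPT {s} {d} {p} {port}" for (s, d, p, port), _ in wanted.most_common()]


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG, SAMPLE_RULES):
        print(rule)
```

Run against the sample it prints `ACCEPT loc fw udp 32773` first (seen twice) and the constructed 32771 second. A rule pinned to 32773 only fixes this boot: Sun RPC servers such as the NIS+ daemon take whatever port the portmapper hands them, so the durable fix is either to fix the service's port (as the NFS rules in the post do) or to decide the fw/loc zone pair as a policy. Service names in the port column ('domain', 'ntp') are not resolved by port_in_spec; add a lookup if your rules file relies on them.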
ian@the-laws-clan.de
2003-May-10 17:28 UTC
[Shorewall-users] Configuring shorewall to allow an internal NIS+ domain
Dave Bush <statman@twcny.rr.com> wrote on 10.05.2003, 20:49:32:

> Hi Folks,
> This may be a completely dumb newbie question, but I recently
> upgraded my server from Red Hat 7.2 to Mandrake 9.1 and as part of this
> I switched from Firestarter to Shorewall for my firewall. I'm
> experiencing some problems with getting Shorewall and NIS+ working.
>
> Here's my /etc/shorewall/rules file:
>
> ACCEPT net fw udp 53 -
> ACCEPT net fw tcp 80,443,53,22,20,21,4500,10000 -

Are you running a DNS, Web/SSL and FTP server for the Internet?

> ACCEPT loc fw udp 53 -
> ACCEPT loc fw tcp 80,443,53,22,20,21,4500,10000 -
> ACCEPT loc fw tcp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT loc fw udp domain,bootps,http,https,631,imap,pop3,smtp,nntp,ntp -
> ACCEPT fw loc tcp 631,515,137,138,139 -
> ACCEPT fw loc udp 631,515,137,138,139 -
> #these rules are for accepting samba requests
> ACCEPT fw loc udp 137:139 -
> ACCEPT fw loc tcp 137,139 -
> ACCEPT fw loc udp 1024: 137 -
> ACCEPT loc fw udp 137:139 -
> ACCEPT loc fw tcp 137,139 -
> ACCEPT loc fw udp 1024: 137 -

Samba on a firewall is not normally a good idea. :-(
But NFS on the firewall, not really good. ;-( especially since you are
allowing FTP/web access to this computer from the Internet.

> #Dave's guess at setting up NFS
> ACCEPT fw loc udp 111 -
> ACCEPT fw loc tcp 111 -
> ACCEPT fw loc udp 2049 -
> ACCEPT fw loc tcp 2049 -
> ACCEPT fw loc udp 4000:4003 -
> ACCEPT fw loc tcp 4000:4003 -
> ACCEPT loc fw udp 111 -
> ACCEPT loc fw tcp 111 -
> ACCEPT loc fw udp 2049 -
> ACCEPT loc fw tcp 2049 -
> ACCEPT loc fw udp 4000:4003 -
> ACCEPT loc fw tcp 4000:4003
> # Let's see if I can make NIS+ work
> ACCEPT fw loc tcp 668:1024
> ACCEPT fw loc udp 668:1024
> ACCEPT loc fw tcp 668:1024
> ACCEPT loc fw udp 668:1024
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I would close all these ports except 111 to the local net and then open
the ports one by one as you try to authenticate. I see too many ports
open here. Why icq for NFS?

<snip>

> What am I doing wrong here folks? I attribute all of this to the
> fact that I'm a Shorewall newbie, so any help would be greatly appreciated.
>
> Thanks,
> - Dave
Dave Bush
2003-May-10 17:50 UTC
[Shorewall-users] Configuring shorewall to allow an internal NIS+ domain
ian@the-laws-clan.de wrote:

>> ACCEPT net fw udp 53 -
>> ACCEPT net fw tcp 80,443,53,22,20,21,4500,10000 -
>
> Are you running a DNS, Web/SSL and FTP server for the Internet?

Yes. Four domains are hosted on this box. It's a combination home file & print server, web server, and ftp server. The web will remain on there regardless - the ftp might go away in lieu of sftp over ssh.

> Samba on a firewall is not normally a good idea. :-(
> But NFS on the firewall, not really good. ;-( especially since you are
> allowing FTP/web access to this computer from the Internet.

Being a home system I'm really not worried about it provided that the firewall is working properly. I know - recipe for disaster, but the most important thing on the system is my pictures and documents and they're backed up to CDR on a regular basis. If the MP3's disappeared it'd be an inconvenience, not the end of the world.

>> #Dave's guess at setting up NFS
>> ACCEPT fw loc udp 111 -
>> ACCEPT fw loc tcp 111 -
>> ACCEPT fw loc udp 2049 -
>> ACCEPT fw loc tcp 2049 -
>> ACCEPT fw loc udp 4000:4003 -
>> ACCEPT fw loc tcp 4000:4003 -
>> ACCEPT loc fw udp 111 -
>> ACCEPT loc fw tcp 111 -
>> ACCEPT loc fw udp 2049 -
>> ACCEPT loc fw tcp 2049 -
>> ACCEPT loc fw udp 4000:4003 -
>> ACCEPT loc fw tcp 4000:4003
>> # Let's see if I can make NIS+ work
>> ACCEPT fw loc tcp 668:1024
>> ACCEPT fw loc udp 668:1024
>> ACCEPT loc fw tcp 668:1024
>> ACCEPT loc fw udp 668:1024
>
> I would close all these ports except 111 to the local net and then open
> the ports one by one as you try to authenticate. I see too many ports
> open here. Why icq for NFS?

The open ports for the NFS shares are open because the ports were locked down to those specific ports. (See http://www.lowth.com/LinWiz/nfs_help.html for an article entitled Configuring NFS under Linux for IPTABLES control.) Likewise when I looked up what ports NIS+ uses I was told that it used 668 - 1024, so that's why I opened those.

Like I said - it looks like everything is almost working. If it makes it easier - how do I tell Shorewall that all traffic on eth1 is allowed to all other hosts on the subnet 192.168.1.0/24?

Thanks,
- Dave
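The closing question maps onto two standard Shorewall mechanisms. The fragment below is an added example for this thread, not a reply from the list and not taken from the poster's files: the first part expresses the decision in /etc/shorewall/policy for the whole loc/fw zone pair, the second confines it in /etc/shorewall/rules to the 192.168.1.0/24 subnet using "all" in the PROTO column. Zone names loc and fw and the interface eth1 are the ones used in the thread; the net/all and all/all policy lines are the usual catch-all entries and must stay after the specific ones, since the first matching policy wins. Either form also lets any process on this host, which serves web and FTP to the Internet, reach every LAN host unhindered, which is the trade-off the earlier reply was pointing at.

```text
# /etc/shorewall/policy
#SOURCE   DEST    POLICY   LOG LEVEL
loc       fw      ACCEPT
fw        loc     ACCEPT
net       all     DROP     info
all       all     REJECT   info

# or, narrower, in /etc/shorewall/rules (before the LAST LINE marker)
#ACTION   SOURCE               DEST                  PROTO
ACCEPT    loc:192.168.1.0/24   fw                    all
ACCEPT    fw                   loc:192.168.1.0/24    all
```

After editing, `shorewall check` validates the files and `shorewall restart` applies them; the all2all REJECT entries for 192.168.1.3 should stop appearing in /var/log/messages once the new loc/fw decision is in place.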