Hi all,

I have a little doubt... I blocked all access from the local zone to the firewall. But I have a Squid proxy running on the same machine as the firewall and Webmin, so I have to accept access from the local network to fw on tcp 3128.
All the machines that use my proxy can access Webmin via http://machine:10000. That is because the firewall machine is resolving the request, ok?

How to block it?

(policy:)
    fw      net     ACCEPT
    fw      loc     ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

(rules:)
    ACCEPT  loc     fw      tcp     3128

_______________________________________________________________________
Desafio AntiZona: take part in the quiz that will give away a Renault Clio, computers, digital cameras, video games and much more! www.cade.com.br/antizona
On Tue, 2003-08-26 at 15:03, Eurico Vaz Junior wrote:
> Hi all,
>
> I have a little doubt... I blocked all access from the
> local zone to the firewall. But I have a Squid proxy
> running on the same machine as the firewall and Webmin,
> so I have to accept access from the local network to fw
> on tcp 3128.
> All the machines that use my proxy can access Webmin
> via http://machine:10000. That is because the firewall
> machine is resolving the request, ok?
>
> How to block it?

Stop all of the browsers that have Webmin on port 10000 open. Now restart them and see if you can still connect to Webmin.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On 26/08/2003 3:06 PM -0700, Tom Eastep wrote:
> Stop all of the browsers that have Webmin on port 10000 open. Now
> restart them and see if you can still connect to Webmin.

Taking a guess here, but what he might be saying is that because they have their proxy set to the firewall, when they try to access http://machine:10000 it goes through the proxy and therefore works. If this is the case, then he'll have to block port 10000 in his proxy server configuration.

Best regards,
Gonzalo
On Tue, 2003-08-26 at 15:18, Gonzalo Servat wrote:
> On 26/08/2003 3:06 PM -0700, Tom Eastep wrote:
>
> > Stop all of the browsers that have Webmin on port 10000 open. Now
> > restart them and see if you can still connect to Webmin.
>
> Taking a guess here, but what he might be saying is that because they have
> their proxy set to the firewall, when they try to access
> http://machine:10000 it goes through the proxy and therefore works.
> If this is the case, then he'll have to block port 10000 in his proxy
> server configuration.

Good point.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
I think that this is the problem... my firewall machine is a proxy too. Then all requests from the local zone go through the proxy, and the proxy can access port 10000.
Can I block this with some rule, or only in the proxy (Squid) configuration?

--- Gonzalo Servat <gs@webtastic.com.au> wrote:
> On 26/08/2003 3:06 PM -0700, Tom Eastep wrote:
>
> > Stop all of the browsers that have Webmin on port 10000 open. Now
> > restart them and see if you can still connect to Webmin.
>
> Taking a guess here, but what he might be saying is that because they have
> their proxy set to the firewall, when they try to access
> http://machine:10000 it goes through the proxy and therefore works.
> If this is the case, then he'll have to block port 10000 in his proxy
> server configuration.
>
> Best regards,
> Gonzalo
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On 26/08/2003 7:38 PM -0300, Eurico Vaz Junior wrote:
> I think that this is the problem... my firewall
> machine is a proxy too. Then all requests from the local
> zone go through the proxy, and the proxy can access
> port 10000.
> Can I block this with some rule, or only in the proxy
> (Squid) configuration?

Well, Shorewall uses iptables, which uses netfilter, which is a stateful packet filtering firewall, so it doesn't look into the upper layers where this sort of information would be kept. You would have to tell Squid to block it.

Albeit OT, you just change the ACLs in squid.conf. By default it allows ports 80, 21, 443, 563, etc., etc. and 1025-65535, which port "10000" falls into. You can either explicitly deny access to this port, or exclude port 10000 from this default range.

Good luck.

Best regards,
Gonzalo
On Tue, 2003-08-26 at 18:51, Gonzalo Servat wrote:
> Albeit OT, you just change the ACLs in squid.conf. By default it allows
> ports 80, 21, 443, 563, etc., etc. and 1025-65535, which port "10000" falls
> into. You can either explicitly deny access to this port, or exclude port
> 10000 from this default range.

lol, Webmin is a good tool to do this with ;-)

--
Paul Slinski <pauls@globaliqx.com>
Global IQX, Inc.