Hi, I am currently running ipp2p on a Debian sarge based system, am running shorewall and currently blocking everything then opening everything up one by one. Only problem is when using ipp2p match in /etc/shorewall/rules it connects to the server, it just doesn't download any files? When running emule for the test.

/etc/shorewall/policy

loc net REJECT
net all DROP info
all all REJECT

/etc/shorewall/rules

ACCEPT all all ipp2p:all kazaa edk

Please help

Kind Regards
William

William Bohannan wrote:
> only problem is when using ipp2p match in
> /etc/shorewall/rules it connects to the server it just doesn’t download
> any files? When running emule for the test…
>
> /etc/shorewall/policy
>
> loc net REJECT
> net all DROP info
> all all REJECT
>
> /etc/shorewall/rules
> ACCEPT all all ipp2p:all kazaa edk
>

The ipp2p match module is completely useless for this type of usage since not all of the packets involved in a p2p exchange can be identified as such. In fact, I recommend avoiding ipp2p in /etc/shorewall/rules altogether.

>
> Please help
>

According to what I've found on the net, you need to forward TCP 4662 and UDP 4672 from the 'net' to your local system.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>> /etc/shorewall/rules
>> ACCEPT all all ipp2p:all kazaa edk
>>
>
> The ipp2p match module is completely useless for this type of usage
> since not all of the packets involved in a p2p exchange can be
> identified as such. In fact, I recommend avoiding ipp2p in
> /etc/shorewall/rules altogether.
>
>> Please help
>>
>
> According to what I've found on the net, you need to forward TCP 4662
> and UDP 4672 from the 'net' to your local system.

Note that you can keep your ipp2p rule if you want to but I would only use it from loc->net and not all->all.

-Tom
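
The advice in this message and the previous one, written out as an /etc/shorewall/rules fragment. This is an added example, not part of the original posts: the address 192.168.1.10 for the local machine running eMule is an assumed placeholder, and the zone names are the ones from the posted policy file.

```conf
# /etc/shorewall/rules (added example; 192.168.1.10 is a placeholder
# for the local machine running eMule)
#
# Rule from the original post, commented out: all -> all with ipp2p as
# the only match, so only packets ipp2p identifies as p2p are accepted.
#ACCEPT   all      all                ipp2p:all   kazaa edk
#
#ACTION   SOURCE   DEST               PROTO       DEST PORT(S)
# Forward the eMule ports from the net zone to the local system.
DNAT      net      loc:192.168.1.10   tcp         4662
DNAT      net      loc:192.168.1.10   udp         4672
# Optional: ipp2p kept, but restricted to loc -> net.
ACCEPT    loc      net                ipp2p:all   edk
```

With the posted `loc net REJECT` policy, outbound packets that ipp2p does not identify as p2p are still rejected, which is the limitation described in the reply above.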

Thanks Tom,

I am going to remove ipp2p match from shorewall as per your instructions then make a custom rule set including ipp2p. Also you wouldn't happen to know how I can get a list of the rules shorewall makes for iptables? So I can see some of the rules in iptables format? Thanks again.

Kind Regards
William

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: 09 July 2006 15:03
To: Shorewall Users
Subject: Re: [Shorewall-users] ipp2p default rule then allow downloading

Tom Eastep wrote:
>> /etc/shorewall/rules
>> ACCEPT all all ipp2p:all kazaa edk
>>
>
> The ipp2p match module is completely useless for this type of usage
> since not all of the packets involved in a p2p exchange can be
> identified as such. In fact, I recommend avoiding ipp2p in
> /etc/shorewall/rules altogether.
>
>> Please help
>>
>
> According to what I've found on the net, you need to forward TCP 4662
> and UDP 4672 from the 'net' to your local system.

Note that you can keep your ipp2p rule if you want to but I would only use it from loc->net and not all->all.

-Tom

William Bohannan wrote:
> Thanks Tom,
>
> I am going to remove ipp2p match from shorewall as per your instructions
> then make a custom rule set including ipp2p. Also you wouldn't happen to
> know how I can get a list of the rules shorewall makes for iptables? So I
> can see some of the rules in iptables format? Thanks again.
>

You can't do that using Shorewall versions earlier than 3.2.0. 3.2.0 final will be released later this week unless last minute problems arise.

-Tom

[ Re-ordering the TOFU post for proper quoting levels. ]

On Mon, 2006-07-10 at 12:13 +0000, William Bohannan wrote:
> > Tom Eastep wrote:
> > > The ipp2p match module is completely useless for this type of usage
> > > since not all of the packets involved in a p2p exchange can be
> > > identified as such. In fact, I recommend avoiding ipp2p in
> > > /etc/shorewall/rules altogether.
>
> I am going to remove ipp2p match from shorewall as per your instructions
> then make a custom rule set including ipp2p.

You mean like an Action, Macro or INCLUDE and still use PROTO ipp2p in those files? That won't make any difference, and still is what Tom advised against...

Karsten
--
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
http://www.catb.org/~esr/faqs/smart-questions.html
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html