I am running a jabber server on the same server as my shorewall/firewall. I also believe that I have correctly configured a file transfer proxy (Proxy65) that talks to my jabber server. Currently the Proxy server only listens on port 7777 on the "loc" network interface of the firewall.

Would a DNAT rule make sense in this scenario (something like this)?

DNAT inet fw:172.16.168.1 tcp 7777

Would that rule forward tcp/7777 traffic from the internet to the firewall interface that is part of the "loc" zone? If the last statement is true, does this logic even make sense?

I am able to initiate a transfer from a machine in the "loc" zone to a jabber client machine connected to the jabber server via the internet, and the file transfer completes without errors. If the client machine (connected from the internet) initiates the transfer, the transfer is unable to start. There is nothing in the firewall logs that makes it look like something is being blocked.

It totally might be an issue on the client side, but as I don't have confidence in the above rule, I wanted a second opinion.

Thanks.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Robert K Coffman Jr. -Info From Data Corp.
2008-Aug-12 13:03 UTC
Re: Jabber XEP-0065 Proxy (does this rule make sense)?
I suspect your interface with address 172.16.168.1 is actually in the loc zone. It should work with loc:172.16.168.1.

_____
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Scott Ruckh
Sent: Tuesday, August 12, 2008 2:22 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Jabber XEP-0065 Proxy (does this rule make sense)?

[quoted text of the original message above omitted]
Robert K Coffman Jr. -Info From Data Corp. wrote:
> I suspect your interface with address 172.16.168.1 is actually in the
> loc zone. It should work with loc:172.16.168.1.

No -- Any IP address configured on any address on the firewall is part of the $FW zone.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Scott Ruckh wrote:
> I am running a jabber server on the same server as my
> shorewall/firewall. I also believe that I have a correctly configured a
> file transfer proxy (Proxy65) that talks to my jabber server. Currently
> the Proxy server only listens on port 7777 on the "loc" network
> interface of the firewall.
>
> Would a DNAT rule make sense in this scenario (something like this)?
>
> DNAT inet fw:172.16.168.1 tcp 7777
>
> Would that rule forward tcp/7777 traffic from the internet to the
> firewall interface that is part of the "loc" zone? If the last
> statement is true, does this logic even make sense?

Hi,

Have I understood you correctly if I think that you want to be able to connect to Proxy65 (tcp 7777) from both the net and loc zones? If so, why don't you configure Proxy65 to listen on 0.0.0.0:7777? That way you would only need the following rule instead, and it would work from everywhere.

ACCEPT all fw tcp 7777

Best regards,
/Martin Leben
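To make Martin's point concrete, here is an added example written for this page; it is not code from the thread, from Shorewall or from Proxy65. It shows why a service bound to a single interface address is unreachable through any other address the host owns, while a service bound to 0.0.0.0 answers on all of them. The addresses are assumptions: 127.0.0.1 stands in for the "loc" address (172.16.168.1) and 127.0.0.2 for the internet-facing address. Both are loopback so the demo runs offline; it relies on Linux routing the whole 127.0.0.0/8 block to lo, so 127.0.0.2 behaves like a second address on the same host.

```python
import socket
from contextlib import closing

# Constructed stand-ins for the two firewall addresses in the thread (assumption):
# LOC_ADDR plays the role of the "loc" interface address (172.16.168.1),
# NET_ADDR plays the role of the internet-facing address that remote clients reach.
# On Linux the whole 127.0.0.0/8 block is routed to lo, so 127.0.0.2 is a
# distinct local address without any extra configuration.
LOC_ADDR = "127.0.0.1"
NET_ADDR = "127.0.0.2"
ANY_ADDR = "0.0.0.0"


def reachable(bind_addr, connect_addr):
    """Bind a TCP listener to bind_addr, then report whether a client can
    connect to that same port via connect_addr.

    The kernel completes the TCP handshake for a listening socket before
    accept() is ever called, so no server thread is needed. A connection
    to an address the listener is not bound to is refused by the stack
    (ECONNREFUSED), which surfaces here as OSError and returns False.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind((bind_addr, 0))          # port 0: kernel picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as client:
            client.settimeout(2.0)
            try:
                client.connect((connect_addr, port))
                return True
            except OSError:
                return False


def bind_matrix():
    """Every combination of listener bind address and client destination."""
    return {
        (bind, dest): reachable(bind, dest)
        for bind in (LOC_ADDR, ANY_ADDR)
        for dest in (LOC_ADDR, NET_ADDR)
    }


if __name__ == "__main__":
    for (bind, dest), ok in bind_matrix().items():
        state = "connected" if ok else "refused"
        print(f"listener bound to {bind:9}  client -> {dest:9} : {state}")
```

The row "listener bound to 127.0.0.1, client -> 127.0.0.2 : refused" is the situation described in the thread: with Proxy65 bound only to the loc address, a client arriving on the external address gets a refusal from the TCP stack itself, and since that happens after the firewall has made its decision, it leaves nothing in the firewall log. The 0.0.0.0 rows show the behaviour Martin's suggestion relies on: one listener answers on whichever address the firewall delivers the connection to.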
> Scott Ruckh wrote:
>> I am running a jabber server on the same server as my
>> shorewall/firewall. I also believe that I have a correctly configured a
>> file transfer proxy (Proxy65) that talks to my jabber server. Currently
>> the Proxy server only listens on port 7777 on the "loc" network
>> interface of the firewall.
>>
>> Would a DNAT rule make sense in this scenario (something like this)?
>>
>> DNAT inet fw:172.16.168.1 tcp 7777
>>
>> Would that rule forward tcp/7777 traffic from the internet to the
>> firewall interface that is part of the "loc" zone? If the last
>> statement is true, does this logic even make sense?
>
> Hi,
>
> Have I understood you correctly if I think that you want to be able to
> connect to Proxy65 (tcp 7777) from both the net and loc zones? If so,
> why don't you configure Proxy65 to listen to 0.0.0.0:7777? That way you
> would only have to the following rule instead and it would work from
> everywhere.
>
> ACCEPT all fw tcp 7777
>

Yes, that is the other half of the equation. The documentation for Proxy65 with jabberd2 is very limited. The documentation makes it sound like I have to bind to a physical IP address and not an interface. As I have a dynamically changing ethernet IP address, I did not want to use the internet IP address in the PROXY65 configuration. As I am always certain of the IP address of the "loc" interface of the firewall, I configured that IP address instead.

I do like your suggestion, but I am not sure it is valid (as far as PROXY65 is concerned). I will definitely try it out and do some testing.