similar to: Shorewall suggestion - "services"

I have had a web server listining sql-1433, www 80, ftp-21 using proxy arp with sub-netting in a three interface DMZ. All these ports are in the rules file as ACCEPT. With one exeception that 1433 allows a few host from the net. 21 and 80 allow all net to dmz connections. The policy is DMZ to net ACCEPT This has been working great for about a month or more until I rebooted the

I apologize for the first message. :) --------------------------------------- I have an FTP server running in the DMZ section of my home network. It uses port 23000 for connection and ports 19990 to 19994 for data transfer. I have setup the following rule for outside people to connect to it: DNAT net dmz:192.168.2.2 tcp 23000 I''m at work right now and I can''t use

I am trying to get the AllowFTP action to work for Net > DMZ traffic and FTP pasv. I know it is kind of working, as the user can log in, however, it fails at the port. I have had to open up some high ports for pasv to work. Now I know this aint cool, so does anyone know what a person has to do to get the AllowFTP action to work the same way it does if I was just ftp to the firewall, which does

Hello , Regarding a previous post in this group. (see below) Does anyone know how I can change the options for ipnat_ftp or ip_conntrack_ftp when I don''t load them as modules but have them compiled in the kernel? I''ve been looking on google since long now, but can''t seem to find it. Any idea, anyone? I have added these ''options'' and did a network

Hello everyone, I run a Pure-FTP server on my DMZ. I can specify with Pure-ftp what ports will be used for clients when they connect with passive mode. I entered 50000 50400, so I have enough for 200 users at the same time. Then the pure-ftp website tells me to open up those ports on the firewall. How do I do this? In my rules file is now something like: ACCEPT net dmz:10.0.0.2 tcp

Hi, ok Im all new to this :-) for pasv ftp in your example you say for example to use ports 65500-65535, but i dont see that u open those ports in your example fw scripts..? any hints ? -- Christophe Zwecker mail: doc@zwecker.de Hamburg, Germany fon: +49 179 3994867 http://www.zwecker.de "Who is General Failure ? And why is he reading my disk

This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer

----------------------------------------------------------------------------- Shorewall 1.2.12 # uname -a Linux yoreach 2.4.18 #1 Sun Apr 21 12:50:34 CEST 2002 i686 unknown # ip addr show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo 2: dummy0: <BROADCAST,NOARP> mtu 1500

Hi all, I have seen Shorewall places the state verification rules (-m state --state ESTABLISHED,RELATED) as the first rule in a zone2zone chain. This means that state checking is done after all the rules involving from this zone to this zone. As you could have a lot of them, wont be better to place them just after checking the state is not invalid? This will mean a lot of packages will be

-- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

For some reason, ip_conntrack_ftp & ip_nat_ftp aren''t loading automatically. If I load them manually with modprobe FTP works. Both ip_conntrack_ftp & ip_nat_ftp are listed in the modules file - I haven''t mucked with the order at all, so I assume it''s right. I''m using Mandrake 9.2 but, as recommended, I uninstalled the Mandrake version of shorewall and

Hi, Thanks for your reply . I am attaching the files needed by you herewith. The NAT device is called Pronto gateway which has two interfaces , namely eth0 and eth1. ''eth0'' has an ip address of 203.124.152.66 and eth1 has an ip address of 192.168.1.3 . All the client PCs are in 192.168.1.0 network [behind the NAT, the Pronto gateway] and use 192.168.1.3 as the default

Hi! I use standard Bering 2.2.2. I am trying to get my FTP-server to work with another portnumber than 21 (On port 21 all works great, but I´m really interested in running two FTP-servers, so I want to figure this one out first). Read the FAQ: http://www.shorewall.net/FTP.html and now I got this setup: In Rules: DNAT net loc:192.168.3.2 tcp 99 In Shorewalls modules.conf (tried

Still not working I really have to change 21 port on 80 port, my friend has only www and mail on his netwok. He has rigorous admin. I have done : !! in proftpd.cof : # Port 21 is the standard FTP port. Port 80 !! in /etc/shorewall/modules: loadmodule ip_conntrack_ftp ports=21,80 loadmodule ip_nat_ftp ports=21,80 AFTER THAT AND RESTARTTING PROFTP AND

I have edited modules and edited the ip_conntrack_ftp line to loadmodule ip_conntrack_ftp ports=3D21,62121 since i have a zope ftp instance on 62121, but i am still having some = problems that looks like they are NAT related, can i somehow see that = the conntrack module is infact handling 62121 for FTP?

Hi, I''m using the same set of firewall rules of 2.0.x (sorry, I can''t remember the exact minor version) and put it to work with 2.0.9. And now I can''t do passive ftp (was working before). I see that my NEWNOTSYN is set to Yes, and the loc->net rule is blocking 1024:65535. But I believe with the ip_conntrack_ftp, the passive mode would be allowed, since

I have the problem when my localnetwork do telnet to the net Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth2 my files are the following: policy #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net CONTINUE info loc fw ACCEPT info loc loc ACCEPT loc dmz ACCEPT info fw

I''m very new to shorewall. My setup is IP Gateway (CentOS 4 + Shorewall) with 3 NIC cards. Shorewall works great on the firewall machine. Bind also works (local net machines get IPs fine). Under firestarter, all works great. With shorewall, the loc machines can not route past the firewall. They can connect to the firewall, but not past it. Exactly what information should I post to get

On the firewall, what is the rationale for giving eth1 an IP address that is also assigned eto eth0? (Rather than a private one.) -- Taso Hatzi caesar 17 <<-salad cjbx jc vdwwjar jc xi jc jd salad

Hi! Can I use the old version shorewall 1.2.12 configure as SNAT and DMZ ? Because Debian Linux came with the default shorewall 1.2.12 . Best Regards, Support