Re: [pmfirewall] Problem with SSH AND SAMBA when using pmfirewall

Date view Thread view Subject view Author view

From: Greg Stewart (stewartg@ifrance.com)
Date: Mon May 21 2001 - 20:04:24 PDT


Do you have Masquerading setup and working? If so, ssh should be working on
the inside network without a problem.

Your ssh rule has a conflict with your networks: 192.168.x.x is already
blocked by the script's standard rules, and is not even a valid $OUTERNET
address. Typically OUTERNET & REMOTENET can be considered either 0.0.0.0/0
or your ISP's network (where your external address exists). The following is
how your external rule should look to allow ssh connections:

$IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTERNET 22 -j ACCEPT

Samba (port 137) should be blocked from the outside world entirely with a
similar DENY rule.

Somewhere in your masq'ing ruleset must be where the block on your
$INTERNALNET addresses is. When masquerading is configured correctly,
pmfirewall.conf should assign the internal IP to its local variables, and
pmfirewall.rules.masq will use these to set up your rules to accept internal
traffic.

Are there other services/connections that are not working when you activate
the firewall rules?

--Greg

----- Original Message -----
From: "Subzero" <subzero123_80@yahoo.com>

>
> I am trying to allow access to ssh and samba inside the network. I want
> to block the external net from getting in. I may want to allow ssh to
> anybody but I am not sure. Here is my line from rules.local.. Another
> question: what is this line doing? $IPCHAINS -A output -p tcp -d 0/0 22 -t
> 0x01 0x10 telnet. Thanks for the help..
> #SSH
> $IPCHAINS -A input -p tcp -s 192.168.1.2 -d $OUTERNET 22 -j ACCEPT
> #NETBIOS
> $IPCHAINS -A input -p tcp -s 192.168.1.0/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
> $IPCHAINS -A input -p udp -s 192.168.1.0/24 -d $REMOTENET 137:139 -i $OUTERIF -j ACCEPT
>
>
> ****************************************************************************
> * To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
> * in the message body to majordomo@pointman.org. Please direct other
> * questions, comments, or problems to pmfirewall-owner@pointman.org.
> *
> * Need answers fast? Check the list archive located at:
> * http://www.pointman.org/PMFirewall/list-archive/
> *



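The thread above turns on why the posted ssh rule does not match LAN traffic while the reply's rule does, and on what first-match evaluation does with a DENY rule for NetBIOS. The following is an added walk-through, not code from pmfirewall or from either poster: a small model of ipchains first-match semantics covering only the matchers used in the thread (-p, -s, -d with a port or port range, -i) plus the -t TOS mangle the original poster asked about. The addresses, interface names (ppp0/eth0) and the LAN-side ssh and NetBIOS rules are assumptions made for the example; pmfirewall.conf sets the real values on a running box.

```python
"""Simplified model of ipchains first-match evaluation for the rules in this thread.

Added example (not pmfirewall code and not either poster's). It models only the
matchers the thread uses (-p, -s, -d with an optional destination port or port
range, -i) and the -t TOS mangle; it is not the kernel's ipchains code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed values for the walk-through (constructed; pmfirewall.conf would set
# the real ones). 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
OUTERNET = "203.0.113.5/32"       # the firewall's external address
REMOTENET = "0.0.0.0/0"           # "anyone", as the reply suggests
INTERNALNET = "192.168.1.0/24"
INTERNALIP = "192.168.1.1/32"     # the firewall's LAN-side address (assumed)
OUTERIF, INNERIF = "ppp0", "eth0" # assumed interface names

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    chain: str                          # input / output / forward
    target: str                         # ACCEPT / DENY / REJECT
    proto: Optional[str] = None         # -p tcp|udp ; None matches any protocol
    src: str = "0.0.0.0/0"              # -s
    dst: str = "0.0.0.0/0"              # -d
    dports: Tuple[int, int] = ANY_PORT  # port or port range given after -d
    iface: Optional[str] = None         # -i ; None matches any interface

    def matches(self, pkt: dict) -> bool:
        lo, hi = self.dports
        return (
            self.chain == pkt["chain"]
            and (self.proto is None or self.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and lo <= pkt["dport"] <= hi
            and (self.iface is None or self.iface == pkt["iface"])
        )


def verdict(rules, pkt: dict, policy: str = "DENY") -> str:
    """ipchains semantics: the first matching rule in the chain decides;
    if nothing matches, the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def tos_mangle(tos: int, andmask: int, xormask: int) -> int:
    """What `-t andmask xormask` does to the IP TOS byte: AND, then XOR.
    `-t 0x01 0x10` keeps only the reserved low bit and sets 0x10 (Minimize-
    Delay), the usual tweak for interactive sessions such as ssh or telnet."""
    return (tos & andmask) ^ xormask


def packet(chain, proto, src, dst, dport, iface) -> dict:
    return dict(chain=chain, proto=proto, src=src, dst=dst, dport=dport, iface=iface)


# The posted ssh rule: LAN host 192.168.1.2 to $OUTERNET port 22 on the input chain.
POSTED_SSH = [Rule("input", "ACCEPT", "tcp", "192.168.1.2/32", OUTERNET, (22, 22))]

# The reply's rule (ssh from anywhere to the external address) plus an assumed
# LAN rule: a LAN host talks to the firewall's internal address on the inner
# interface, so that, not $OUTERNET, is what the rule has to match.
FIXED = [
    Rule("input", "ACCEPT", "tcp", REMOTENET, OUTERNET, (22, 22)),
    Rule("input", "ACCEPT", "tcp", INTERNALNET, INTERNALIP, (22, 22), INNERIF),
    # NetBIOS: DENY from the outside entirely, ACCEPT only from the LAN (assumed rules).
    Rule("input", "DENY", "tcp", REMOTENET, OUTERNET, (137, 139), OUTERIF),
    Rule("input", "DENY", "udp", REMOTENET, OUTERNET, (137, 139), OUTERIF),
    Rule("input", "ACCEPT", None, INTERNALNET, INTERNALIP, (137, 139), INNERIF),
]

# Constructed sample packets.
LAN_SSH = packet("input", "tcp", "192.168.1.2", "192.168.1.1", 22, INNERIF)
WAN_SSH = packet("input", "tcp", "198.51.100.7", "203.0.113.5", 22, OUTERIF)
WAN_SMB = packet("input", "tcp", "198.51.100.7", "203.0.113.5", 139, OUTERIF)
LAN_SMB = packet("input", "udp", "192.168.1.20", "192.168.1.1", 137, INNERIF)


def walkthrough() -> dict:
    """Verdicts for the sample packets under both rulesets."""
    return {
        "posted_lan_ssh": verdict(POSTED_SSH, LAN_SSH),  # DENY: dst is not $OUTERNET
        "fixed_lan_ssh": verdict(FIXED, LAN_SSH),        # ACCEPT via the LAN rule
        "fixed_wan_ssh": verdict(FIXED, WAN_SSH),        # ACCEPT via the reply's rule
        "fixed_wan_smb": verdict(FIXED, WAN_SMB),        # DENY: NetBIOS from outside
        "fixed_lan_smb": verdict(FIXED, LAN_SMB),        # ACCEPT: NetBIOS from the LAN
        "tos_0x01_0x10": tos_mangle(0x00, 0x01, 0x10),   # 0x10
    }


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name}: {result}")
```

Running it shows the posted rule falling through to the chain policy for a LAN-to-firewall ssh connection, because the packet's destination is the firewall's LAN address rather than $OUTERNET; under the fixed set the same packet is accepted by the LAN rule, an outside ssh connection is accepted by the reply's rule, and NetBIOS is denied from the outer interface while still accepted from the LAN. The DENY rules sit before the LAN ACCEPT, so ordering does not matter for these packets, but in a first-match chain a broad ACCEPT placed above a DENY would silently override it.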


This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:41:38 PDT