[3011] in linux-net channel archive


Re: ipfwadm

daemon@ATHENA.MIT.EDU (Michael Lausch)
Mon May 27 23:35:01 1996

To: Russell Berry <rberry@albany.net>
cc: linux-net@vger.rutgers.edu, jos@xos.nl, linux-kernel@vger.rutgers.edu
In-reply-to: Your message of "Fri, 24 May 1996 10:42:01 EDT."
             <31A5CAB9.6C53F5D@albany.net> 
Date: 	Sun, 26 May 1996 15:16:11 +0200
From: Michael Lausch <mla@gams.co.at>

> I have my linux box on a network of suns on eth0, I have a ppp
> connection to the internet.  I configured output to default policy of
> accept, and input policy to deny.  I set input to accept from the
> localnet/24 on eth0, this works fine, and to my_provider/24, and that
> works fine, as well as a couple of other machines out there I want to
> have access to my machine.  
> 
> Here's the problem, I set this:
> 
> ipfwadm -I -a acc -b -W ppp0 -P tcp -S 0.0.0.0/0 80 -D 0.0.0.0/0 80
> ipfwadm -I -a acc -b -W ppp0 -P udp -S 0.0.0.0/0 80 -D 0.0.0.0/0 80

You should set it to:

ipfwadm -I -a acc -b -W ppp0 -P tcp -S a.b.c.d/32 -D 0.0.0.0/0 80

where a.b.c.d is your IP address.
Because the port of the connecting machine is chosen randomly (unless 
selected by an explicit bind() call) you don't know the port number of 
the source address. Obviously it can't be 80 if an HTTP server is running 
on this machine too. 

> 
> now ipfwadm -I -l says:
> ...
> acc tcp  anywhere             anywhere             www -> www
> acc udp  anywhere             anywhere             www -> www
> 

That's right. You allow connections from port 80 (source) to port 80 
(destination), but not from an arbitrary port (source) to port 
80 (destination).


> 
> And yet I can't get my browser to work, why???  A side note, I also
> tried accepting on port 53, just to check to see if it was a nameserver
> problem in netscape.  Thanks in advance for you help.
> 
> 
> ---russ
> 

---
finger mla@spirit.luga.or.at for PGP key
<http://spirit.luga.or.at/~mla>
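The point Michael makes above (a browser's source port is random, so a rule pinned to port 80 on both ends never matches the server's reply) can be seen with a small model of how an ipfwadm input rule matches a packet. This is an added example, not code from the original thread or from ipfwadm itself; it assumes a.b.c.d is 10.0.0.1 and uses constructed packets.

```python
import ipaddress
from dataclasses import dataclass

# Toy model of ipfwadm input-rule matching (added example, not from the
# original thread). a.b.c.d from Michael's reply is assumed to be 10.0.0.1.

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str        # network given to -S
    sports: tuple   # ports listed after -S; empty means any port
    dst: str        # network given to -D
    dports: tuple   # ports listed after -D; empty means any port
    bidir: bool = False  # -b: also match with source and destination swapped

    def _one_way(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (not self.sports or p.sport in self.sports)
                and (not self.dports or p.dport in self.dports))

    def matches(self, p: Packet) -> bool:
        if self._one_way(p):
            return True
        return self.bidir and self._one_way(Packet(p.proto, p.dst, p.dport, p.src, p.sport))

def input_verdict(rules, p: Packet) -> str:
    """First matching rule accepts; the input chain's default policy is deny."""
    return "accept" if any(r.matches(p) for r in rules) else "deny"

# Russ's rule: both ends pinned to port 80 ("www -> www" in ipfwadm -I -l).
russ_rule = Rule("tcp", "0.0.0.0/0", (80,), "0.0.0.0/0", (80,), bidir=True)
# Michael's suggestion: any port on the local box, port 80 on the far end.
fixed_rule = Rule("tcp", "10.0.0.1/32", (), "0.0.0.0/0", (80,), bidir=True)

# Constructed packet: a web server's reply to the browser's random source port.
reply = Packet("tcp", "192.0.2.10", 80, "10.0.0.1", 1025)

if __name__ == "__main__":
    print(input_verdict([russ_rule], reply))   # deny: source port is not 80
    print(input_verdict([fixed_rule], reply))  # accept
```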