LinuxQuestions.org


DakotaMan2002 07-02-2003 11:59 AM

Help with RH8.0 Firewall
 
hey all

Wondering if you could help me out.

I set up a Web box the other day to be able to remote login and run FTP and Apache.

I set up RH the way I wanted with High Firewall settings, and left ports 21, 22, and 80 open.

But I need to open up more ports, and I can't seem to figure it out.



I can login to my box from my home LAN just fine, but outside my LAN I can't. No web and no SSH and no FTP.

I have let 80, 21, 22 pass through my firewall and I even set it up in a DMZ Zone to make sure it wasn't my firewall, but I still cannot connect.

Which leads me back to the firewall settings in RH.

Thanks and sorry for the long post

youngri 07-02-2003 10:01 PM

Hi,

Not entirely sure what additional ports you require either, but there is a comprehensive list of them at http://www.iss.net/security_center/a...xploits/Ports/

Hope that helps a little!

Richard

mlp68 07-02-2003 10:43 PM

If you can log in/access from your LAN, it's unlikely that it is the host-based firewall that stops access from the WAN. Are you sure that traffic from outside actually reaches your server? You might want to describe your setup in a bit more detail, but as a test, run

tcpdump -i eth0

and then try accessing the machine from outside. See if you get any packets in the first place.

BTW, opening port 21 is not enough for ftp, but since this poses such a security risk anyway, you are better off using ssh and scp only if you can.

Hope it helps,

mlp
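
The tcpdump test mlp68 suggests is the key diagnostic in this thread: it separates "packets never arrive" (ISP or router) from "packets arrive and the host drops them" (iptables). The following is an added example, not code from the thread or from any of its participants: it captures inbound SYNs on the server and then classifies them per port, ignoring LAN sources so that only WAN attempts count. The sample lines are constructed to mimic modern `tcpdump -n` output (the 2003-era format differed slightly), the LAN prefix `192.168.` and the addresses are assumptions, and the tcpdump capture filter shown in the comments is a standard BPF expression for "SYN without ACK".

```shell
#!/bin/sh
# Added example (not from the thread): triage captured tcpdump lines to tell
# whether connection attempts from the WAN ever reach the server's ports.
# Capture on the server (as root) while a friend connects from outside, e.g.:
#   tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > /tmp/syn.log
# The lines below are CONSTRUCTED to mimic modern `tcpdump -n` output.
SAMPLE='12:00:01.000001 IP 203.0.113.5.51234 > 192.168.1.10.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.168.1.10.22 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 5840, length 0
12:00:02.000003 IP 203.0.113.5.51235 > 192.168.1.10.80: Flags [S], seq 3, win 65535, length 0
12:00:02.000004 IP 203.0.113.5.51235 > 192.168.1.10.80: Flags [S], seq 3, win 65535, length 0
12:00:03.000005 IP 192.168.1.20.40000 > 192.168.1.10.22: Flags [S], seq 4, win 5840, length 0'

# wan_syn_count PORT LAN_PREFIX: count TCP SYNs (new connection attempts)
# destined to PORT whose source address does not start with LAN_PREFIX.
# Reads tcpdump output from stdin and prints the count.
wan_syn_count() {
    awk -v want="$1" -v lan="$2" '
        $2 == "IP" && $4 == ">" && $7 == "[S]," {
            dst = $5; sub(/:$/, "", dst)        # strip the trailing colon
            n = split(dst, f, ".")              # last dotted field is the port
            if (f[n] != want) next
            if (index($3, lan) == 1) next       # LAN source: not a WAN test
            c++
        }
        END { print c + 0 }'
}

# verdict PORT LAN_PREFIX: one-line interpretation of the capture for PORT.
# Reads tcpdump output from stdin.
verdict() {
    n=$(wan_syn_count "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "port $1: no WAN SYN seen; traffic is stopped upstream (ISP or router forwarding), not by the host firewall"
    else
        echo "port $1: $n WAN SYN(s) seen; if no SYN-ACK follows, look at iptables and the service on the host"
    fi
}

# Run the classification for the ports discussed in the thread.
for p in 22 80 21; do
    printf '%s\n' "$SAMPLE" | verdict "$p" 192.168.
done
```

On the real capture, replace the sample with `wan_syn_count 22 192.168. < /tmp/syn.log`. A count of zero on every forwarded port while a friend is connecting from outside means the packets never reach eth0, which is exactly the case the thread ends up suspecting.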

DakotaMan2002 07-03-2003 08:55 AM

My setup.

Cable modem is hooked up to a Linksys 4 port cable/Dsl router.

Then branches off to a switch and up to my linux box.


On the Linux Box I have set up the firewall on the High and Medium settings, but it still didn't work.


BUT

From Inside my network I can http, ssh, and ftp to this box.

From Outside I cannot http, ssh, ftp or PING my own Cable modem.

So now I'm thinking it's my ISP.

Thanks for the help.

mlp68 07-03-2003 09:33 AM

That works for me with the linksys.

Go to your Linksys' admin page. Forget about DMZ games. Do not set a DMZ host.
Go to Advanced -> Forwarding.

Add "service port" =22 and the IP of your server. That will route incoming ssh traffic to your box. (I assume that your server has a static IP on your LAN, it must have one, can't forward to a DHCP address.) Then try ssh'ing in.

If your service contract forbids running a web server, your cable provider will most likely have blocked port 80 upstream. You will need to set up your server at a higher port (8080 or so). Don't tell them I said that.

Again, DO NOT open ftp to the WAN. Too risky. Use scp. If you do, tell me your IP, I could need another machine at my disposal :-)

Hope it helps,
mlp

DakotaMan2002 07-03-2003 09:42 AM

Well, that's the funny part.

I have already done what you just said.

I have port 80 and 22 (for now) forwarded to my linux box.

and I don't have a DMZ setup. (I'm not stupid)


I'm one of the millions changing over from Attbi to ComCast and I think Comcast is to blame.


Reason I say that is I can't even PING my own cable modem, and if I can't ping I can't do much else.

mlp68 07-03-2003 10:26 AM

Well, they cannot block ALL ports...

Did you do the test shutting down the firewall and then try? With the tcpdump running?

If the only remaining explanation is your ISP, then find another high-numbered port, such as 13789, let the Linky forward it to your server, and start sshd on that port. Watch with tcpdump when you ssh in from the WAN.

Just for completeness, could you post your iptables config?

mlp
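
Moving sshd onto a high port, as mlp68 proposes, involves two files that both have to agree: sshd_config must list the new port, and the host ruleset that RH8's "High" setting installs must accept it, otherwise the host drops the very packets the router now forwards. The script below is an added example, not code from the thread or from Red Hat; the port 13789 comes from the post above, while the generated ruleset, the helper names and the temporary demo config are assumptions for illustration. Red Hat 8.0 keeps the boot-time ruleset in /etc/sysconfig/iptables (written by lokkit / redhat-config-securitylevel), and `service iptables restart` reloads it.

```shell
#!/bin/sh
# Added example (not from the thread): put sshd on an extra high port and
# generate a matching host firewall ruleset. Port 13789 follows the thread;
# everything else here is an assumption for illustration.

# sshd_listen_ports CONFIG: print the ports sshd would listen on (22 when the
# file has no Port directive, which is sshd's default).
sshd_listen_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' "$ports"
    fi
}

# add_sshd_port CONFIG PORT: append "Port PORT" idempotently. The first explicit
# Port directive replaces the default, so "Port 22" is written first to keep
# the existing access path open while the new port is being tested.
# Caveat: if CONFIG uses ListenAddress, Port lines must precede it; this helper
# simply appends, which is fine for a stock sshd_config without ListenAddress.
add_sshd_port() {
    cfg=$1
    port=$2
    if ! awk 'tolower($1) == "port"' "$cfg" | grep -q .; then
        echo "Port 22" >> "$cfg"
    fi
    if ! sshd_listen_ports "$cfg" | grep -qx "$port"; then
        echo "Port $port" >> "$cfg"
    fi
}

# iptables_rules PORT...: emit an iptables-restore ruleset in the style of
# /etc/sysconfig/iptables: drop inbound by default, allow loopback and replies
# to connections the host opened, and accept NEW TCP connections only on the
# listed ports. Port 21 is deliberately absent, matching the advice in the
# thread to keep FTP off the WAN.
iptables_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        echo "-A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Demo on a throwaway copy (constructed sshd_config fragment), never on the
# live file: copy /etc/ssh/sshd_config, run add_sshd_port on the copy, review
# it, then install it and run `service sshd restart`.
demo_cfg=$(mktemp)
printf '# constructed sshd_config\nPermitRootLogin no\n' > "$demo_cfg"
add_sshd_port "$demo_cfg" 13789
add_sshd_port "$demo_cfg" 13789          # second call is a no-op
echo "sshd would listen on: $(sshd_listen_ports "$demo_cfg" | tr '\n' ' ')"
# Ruleset for the sshd ports plus the web port; on RH8 this output would go to
# /etc/sysconfig/iptables, followed by `service iptables restart`.
iptables_rules $(sshd_listen_ports "$demo_cfg") 80
rm -f "$demo_cfg"
```

Keeping port 22 in sshd_config (and in the ruleset) while 13789 is tested from the WAN means a mistake on the new port cannot lock you out of the LAN-side login that is already known to work; drop 22 from both files only after the high port has been confirmed with tcpdump.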

DakotaMan2002 07-03-2003 10:30 AM

Sure I can, when I get home I'll post it.

Thanks for the help

