Shorewall prevents LISa from working (lan:// in Konqueror)

DaneM · 01-11-2006, 11:29 PM

Hello, all!

I've been bugging the people on the Shorewall mailing list about this, and they don't seem to have any solution, so I figure I'll give the fine people at LQ a shot at it.

Basically, whenever I turn shorewall on ("shorewall start"), I get this error in Konqueror when I go to the LAN Browser:

Code:

The Lisa daemon does not appear to be running.
In order to use the LAN Browser the Lisa daemon must be installed and activated by the system administrator.

...but when I disable shorewall ("shorewall clear"), it works. I've checked, and the LISa daemon IS running while shorewall is up.

Here are my shorewall policies:

Code:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
fw              all             ACCEPT
fw              fw              ACCEPT
all             all             REJECT

Here are my shorewall rules:

Code:

#ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                               PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SMB/ACCEPT      loc     fw
Ping/ACCEPT     loc     fw
ACCEPT          loc     fw      tcp     7741

I am using shorewall 3.0.2 on Gentoo current, with kernel 2.6.14-gentoo-r5.

I will greatly appreciate any help you can give me!

Thanks.

--Dane

celejar · 01-13-2006, 08:42 AM

What happens if you try to talk to the LISa Daemon (with shorewall up) via some other program, eg. netcat, and what response do you get from nmap (closed / filtered)?

DaneM · 01-13-2006, 02:31 PM

Thanks for the reply, celegar!

Here's the output of nmap:

Code:

</bin>
[dane@Orchestrator bin]$ nmap 192.168.1.250 -p 7741

Starting nmap 3.83.DC13 ( http://www.insecure.org/nmap/ ) at 2006-01-13 12:24 PST
Interesting ports on Orchestrator.The.Band (192.168.1.250):
PORT     STATE SERVICE
7741/tcp open  unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.117 seconds
</bin>
[dane@Orchestrator bin]$ nmap 127.0.0.1 -p 7741

Starting nmap 3.83.DC13 ( http://www.insecure.org/nmap/ ) at 2006-01-13 12:25 PST
Interesting ports on localhost (127.0.0.1):
PORT     STATE SERVICE
7741/tcp open  unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.104 seconds

I'm completely unfamiliar with netcat. I just downloaded it from portage, but I have no idea how to make it do anything with LISa. Can you give me some instructions?

Thanks!

--Dane

celejar · 01-13-2006, 02:44 PM

If nmap reports that the port is open, then shorewall isn't blocking traffic headed that way. You can even try nmap with the -sV option to find out what nmap thinks is running on that port.
Netcat is a general tool to open nework connections, send arbitrary data across the connection, and then report back the output ('net'work + 'cat'). Try it with a web server, for example (press enter one or more times upon opening the connection), and you'll just get an error from the server since you haven't sent a valid HTTP request. I was just suggesting you try talking to LISa and seeing if it returns data in order to determine if shorewall is really blocking traffic, which it apparently isn't.

DaneM · 01-13-2006, 04:35 PM

That makes sense. The only reason I thought that shorewall might be blocking lisa traffic is because when I use "sharewall clear" it works again.

Thanks for your suggestions; I submitted the fingerprint of port 7741 to nmap so they can include the lisa service in their list.

Any more ideas?

Thanks.

--Dane

celejar · 01-14-2006, 10:45 PM

Stumped. Is there any other program you know that uses LISa that you can test to see if something's wrong with Konqueror specifically or LISa?

DaneM · 01-15-2006, 04:04 AM

Not that I am aware of. I tried using firefox to open localhost:7741, and it tried to download a .bin file. I went ahead and removed shorewall and installed firestarter (though I like shorewall better), and with the same setup, the problem went away. I wonder if shorewall has some built-in policies that I'm not aware of.

Thanks for the help.

--Dane