Forums: Usage of the new Firewall-Rules?!

Usage of the new Firewall-Rules?!

DrSterni

Hehe, this question had to come once
The "new" Firewall setup system (taken from AnOldMan's article "UPDATED: Forwarding Ports on your Magnia SG20" - read it! It's good!!!) is up and running. The standard forwarding rulez also.
I have some serious amount of different ports to forward to various machines. Most of them can be summed in port-ranges which I could easily handle by using the "I/O-Rule"-definitions.
The "Port-Forwarding"-rules don't seem to be capable of using port-ranges.
The problem is that adding an I/O-Rule has no effect on the SG20. Maybe my added definition is wrong in a way but unfortunately the descriptions of the form-fields are bad in a way.
What worked instantly was adding a port-forwarding rule, but without port-ranges. This would lead to the fact that I'd have to enter sheer endless lists of different ports. Not a good idea...
Does anybody have an idea how to "port-forwarding" (means both accept and forward ports to one machine) works with the "I/O rule"-system?
Would be really helpful.
Thanks a lot!
Dr.Sterni.
Rhythm is life and life is rhythm...

AnOldMan

I've updated the picture in the article to show an example. You'd have to clear and rebuild your Squid cache to see it though, so I'll post it here:

UPDATED: Forwarding Ports on your Magnia SG20
Your most likely problem is IP's and subnet masks.
For opening a port range for incoming traffic to one client on the LAN : Your destination would be a private IP and be defined. The subnet mask would be your LAN subnet mask. The Source IP would be Public, the mask would be all zeroes. If I put 255.255.255.0 in here, I am only allowing traffic in from my ISP subnet, not the internet.
The above is the most likely scenario. You already can connect outbound for multiple clients. The input form is a little confusing for forwarding incoming traffic, since the order is backwards.
What I really want to know is WHY? Why are you forwarding so many ports? As long as an internal client establishes the connection, the firewall will automatically accept incoming packets. I put in a VOIP device and didn't need to do any forwarding (like you would have to do if you have a router).
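The I/O rule AnOldMan describes (accept a port range from anywhere and hand it to one LAN client, with the source mask all zeroes) boils down to two iptables commands. The script below is an added example, not code from the SG20 article or from anyone in this thread; the WAN interface `eth1`, the LAN host `192.168.1.10`, the public IP `203.0.113.5` and the port range are constructed placeholders. It prints the rules rather than applying them, so it can be read without root.

```shell
#!/bin/sh
# Added example (not from the Magnia SG20 article or this thread): turn an "accept and
# forward a port range to one LAN host" I/O rule into the iptables commands it amounts to,
# and show what the Source IP subnet mask on the form actually does.
# WAN interface, addresses and port range are placeholders.
WAN_IF="${WAN_IF:-eth1}"

# Count the 1-bits in a dotted mask: 255.255.255.0 -> 24, 0.0.0.0 -> 0.
mask_to_prefix() {
    bits=0
    old_ifs=$IFS; IFS=.
    for o in $1; do
        while [ "$o" -gt 0 ]; do
            bits=$((bits + (o & 1))); o=$((o >> 1))
        done
    done
    IFS=$old_ifs
    echo "$bits"
}

# Turn the form's "Source IP" + "Subnet mask" into an iptables -s argument.
# A mask of all zeroes matches any source (the whole internet). A mask of
# 255.255.255.0 limits the rule to the /24 around that public IP, i.e. only the
# ISP subnet, which is the mistake the post above warns about.
source_spec() {
    prefix=$(mask_to_prefix "$2")
    if [ "$prefix" -eq 0 ]; then echo "0.0.0.0/0"; else echo "$1/$prefix"; fi
}

# forward_range PROTO FIRST LAST LAN_HOST SRC_IP SRC_MASK
# Prints the DNAT rule (rewrite destination to the LAN host) and the FORWARD
# accept rule for that traffic. Run the printed lines as root to apply them.
forward_range() {
    src=$(source_spec "$5" "$6")
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $src -p $1 --dport $2:$3 -j DNAT --to-destination $4"
    echo "iptables -A FORWARD -i $WAN_IF -s $src -d $4 -p $1 --dport $2:$3 -m state --state NEW -j ACCEPT"
}

# Placeholder range UDP 40000-40100 to 192.168.1.10, accepted from any source.
forward_range udp 40000 40100 192.168.1.10 203.0.113.5 0.0.0.0
```

Swapping the last argument for 255.255.255.0 makes `-s 203.0.113.5/24` appear in both rules, which is exactly the "only my ISP subnet" restriction described above.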

CreepTyrant

Is this for possibly running Game Servers on client systems?
Just curious because that is the only reason I can easily relate to that would explain the need to forward a mass amount of ports since each game uses its own port ranges.
I am also just guessing this from the Battlefield 2 signature graphics you have, apparently, like myself, you are an avid gamer.
If that is the case, then whatever solution works for your problem will likely also solve mine. A while back I was trying to figure out how to open ports so I could host a game server on one of my client systems, but even with the other players connected through VPN I couldn't get them to "see" the server. I put that project on the back burner for a while though, because my SG20 needed to be completely re-installed anyway as it was missing a lot of files and had been tampered with before I got it (at least the software had been tampered with in attempts to customize it). Since re-installing the unit it has worked very nicely, and I have everything running on it the way I want except for 2 small annoyances I haven't managed to lock down yet. I know it is something to do with the SA2 folder, only a matter of time before I figure out which files are causing the problem.
Anyway, I am willing to try out this new forwarding method and tinker around and see how it works. So far I managed to have an internal LAN only website that I custom made so my kids can watch cartoons and listen to music and all that at the click of the mouse from the web page, and all the actual files they are using are actually on yet another system on my LAN which I dedicated as a fileserver. I also got FTP working properly, and the Shorewall Firewall. So far I haven't had to touch any port forwarding issues, not even when I installed the Linux version of Ventrilo on the Magnia and started hosting my own VOIP for myself and friends to use when we game or just want to hang out and chat (also handy when developing web pages or debugging code with a friend online).
So again, the only thing I can think of such a need to forward ports is game servers, I'd like to make that work also.

Don't take life too seriously......it's not permanent.

AnOldMan

Why not install and try it?
If you want to see what files are installed, so you can back the originals up, try Quick Zip or a similar program to view the contents of the rpm's.
Of course, if you have installed the shorewall firewall, you might not be able to use the Toshiba interface to make changes. You also mention problems getting the Toshiba scripts to work on your system. So the whole thing is probably moot for you anyway.

CreepTyrant

Well I was trying to figure out how to actually just do away with the Toshiba interface altogether, but I don't really mind it either. What is a bit of an annoyance is that every time I want to add an FTP account I have to add the user into the Toshiba interface first, then I have to go to Webmin and manually set that user to the proper group (I don't know why it isn't automatically doing it since I have it set in Webmin to add new users to a specific group). Then I have to go into the new user's account and make their primary group the group I want (again, it should be doing this automatically, but it isn't). Then I still have to manually add the username into the ftpaccess file, THEN I have to add the user again into the Sa2/etc/ftpaccess/base10 file. If I don't enter them into the base10 file and the system is rebooted or a major system change is made, that user will no longer have FTP access and I have to go through the whole process again.
I have it down to a science now that I have done it enough times, but I know I shouldn't have to be going through so many steps just to add a user account for FTP access. As I understand it I should just be able to add the user from Webmin, and if my settings are correct it would automatically set them up for the proper access.
Another curious thing is that I cannot use Usermin at all, no matter if I log in as root it will say "You do not have access to any Usermin modules."
Those couple items aside, re-installing the system worked out great, and even though I am going through all that hassle, at least the FTP IS working this time, and the firewalls are working, before the re-install that stuff just plain refused to work at all, always missing a file or something.
I also noticed that after re-installing and installing Webmin (just as I had done before) Webmin itself no longer launches at boot up; I have to telnet to the Magnia and start Webmin manually. Even though Webmin set up its own startup script, I think I am going to make a new script to start Webmin at boot, I can handle that pretty easily.
I have a funny feeling something in that Sa2 folder has something to do with a lot of this, but have yet to figure out which file(s) I need to be working with. Working and being a single Dad has been very busy and hasn't allowed me a lot of time to play with the machine, so I must admit I haven't been fully able to give it a lot of attention. I am happy that it works, and stays working, even if I have those couple little bugs.
By the way, did you ever get your USB enclosure working with your drives?
Mine works like a charm, but it absolutely does not like the front USB ports (possibly a header difference?). I got a 3 foot cable for it so I don't have to reach behind my computer to connect it anymore, I just leave the cable plugged in, and I love this thing, SOOOOOO handy for moving bulk files around, and a really handy item when I am servicing a system since now I can carry around 10 GB of utilities in one tiny package instead of a ton of CDs, and I never forget that one CD I end up needing. Of course the working FTP helps me a lot there too, I set up my account so I can access everything (my users can only access limited areas with pictures, avatars, signature pics and such and whatever they put in), I love knowing I can always access whatever I need as long as I can access the internet.

Don't take life too seriously......it's not permanent.

AnOldMan

Webmin is set to start almost last in the startup sequence. Since it is not starting, that means that a previous service is hanging on start-up.
Treat the disease, not the symptoms.
Check your logs to see what service is hanging.
As for ftp access for users, you could invest the time studying the SA2 scripts and modify them to make the changes you want. It's perl, and not all that difficult. You could find and modify the create new user scripts so that they make the settings you desire.
HINT: what menu are you in when a user is added? Look at the scripts that generate that menu.

DrSterni

Sorry I did not find the time to answer the post above a couple of days earlier... The job, you know?!
Well, anyway, yes it's true: I need this huge amount of ports on the SG20 in order to forward data for gaming. In this case we're dealing with CLIENTS, not servers. As you can see in my signature I was first of all trying to find solutions for BF2.
Finally I found some ways to program iptables directly again, because the new method of handling the firewall via the web interface does not seem to be flexible enough for my case (I think! This is nothing I'm really sure about).
Well, still a couple of nice things indeed happen when you install the new method on the machine: first of all the web interface is far better than the old one and you can easily set up some more complicated rules for the firewall PLUS the flexibility of iptables (which will be updated also!) seems to be better. I also don't know if this is really a fact. But simply: the pre-installed rules of the firewall are far more advanced than in the old installation.
However: I finished writing the hand-made rules for Battlefield 2 and Valve's "Steam" (for Half Life 2 / Counter Strike:Source / Day of Defeat etc.) plus (because a couple of guys were asking for it) some filesharing-tools (Bittorrent & eMule).
If somebody wants them: no probs. Just let me know and I'll send the files over. They are pretty easy to adapt to your network-infrastructure.
Was this understandable? Sorry if not, English is not my native language. If you have questions, let me know.
Bye, Sterni.
Rhythm is life and life is rhythm...