[pptp-server] Firewall issues... More info...

Phil Van Baren phil at vibrationresearch.com
Sat Oct 7 22:05:15 CDT 2000


Jason,

I'm confused here, because you say your rule 34 is defined to match
interface $EXTIF and protocol 6 (tcp), but you also say your error log is
giving errors on rule 34 matching interface ppp0 and protocol 17 (udp).
They cannot be the same rule.  Maybe one is an input rule and the other an
output rule?

As for the two rules:

/sbin/ipchains -A forward -j ACCEPT -s 192.168.1.0/24 -d 192.168.1.0/24
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP

These two rules are on two completely separate rule chains (forward and
input) so neither one is before or after the other.  The first applies when
a packet is being forwarded, and the second applies to input packets.  See
the section "How Packets Traverse The Filters" in the IPCHAINS-HOWTO for
more details.

Phil

> My ipchains rule #34 says:
>
> /sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
>
> Where:
>
> $EXTIF is my external interface
> $UNIVERSE is  0.0.0.0/0
>
> I know that that blocks all SMB traffic going out on the external interface,
> but shouldn't this rule (read AFTER that rule) allow it?  And Proto 17 is
> UDP.  How does that affect it?
>
> /sbin/ipchains -A forward -j ACCEPT -s 192.168.1.0/24 -d 192.168.1.0/24
>
> I don't want to route SMB traffic to the internet.  But I do want to allow
> SMB traffic to pass between local nets over all ppp interfaces (and my
> internal interface).
>
> Do rules overwrite each other?  Or how does that work?
>
> I'm sooo close!!  =)  Will you guys work with me on this?
>
> Thanks.
>
> j
>
>
>
> > For SMB traffic.  I did that, and I still can't get SMB working.  As soon as
> > I connect, my firewall starts spitting out errors denying connects on
> > interface ppp0 for proto 17 by rule #34.
> >
> > How can I fix this?
> >
> > Thanks.
> >
> > j
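To make Phil's point concrete (separate chains, first match wins within a chain, and a rule keyed to `$EXTIF`/tcp cannot fire for ppp0/udp), here is a small Python model of ipchains traversal. It is an added illustration, not code from this thread or from the ipchains project; the interface name `eth0`, the address `203.0.113.5` and the packets are constructed stand-ins for Jason's `$EXTIF`, `$EXTIP` and traffic, and the traversal order modelled (input chain, then local delivery or forward chain, then output chain) is the one described in the IPCHAINS-HOWTO section Phil cites.

```python
"""Toy model of ipchains packet traversal: input -> (local delivery | forward -> output).

Constructed example for the pptp-server thread above, not real ipchains code.
Each hook has one ordered chain; the first matching rule decides, otherwise the
chain's default policy does, and rule numbers (as in the kernel log) count
within a chain, so "rule 34" in input and "rule 34" in forward are unrelated.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP = 6, 17  # IP protocol numbers as they appear in the firewall log


@dataclass
class Rule:
    chain: str                    # "input", "forward" or "output"
    target: str                   # "ACCEPT", "REJECT" or "DENY"
    iface: Optional[str] = None   # -i ; None matches any interface
    proto: Optional[int] = None   # -p ; None matches any protocol
    src: str = "0.0.0.0/0"        # -s network ($UNIVERSE in the thread)
    sport: Optional[int] = None   # the trailing "139" in "-s $UNIVERSE 139"
    dst: str = "0.0.0.0/0"        # -d network
    dport: Optional[int] = None   # destination port

    def matches(self, pkt: "Packet", iface: str) -> bool:
        return ((self.iface is None or self.iface == iface)
                and (self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass
class Packet:
    in_iface: str
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    out_iface: Optional[str] = None  # None: addressed to this host, not forwarded


def run_chain(chain: str, rules: List[Rule], pkt: Packet, iface: str,
              policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Walk one chain in order; return (verdict, 1-based rule number).
    The rule number is None when the chain's default policy decided."""
    for no, rule in enumerate((r for r in rules if r.chain == chain), start=1):
        if rule.matches(pkt, iface):
            return rule.target, no
    return policy, None


def traverse(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT"):
    """Return the (chain, verdict, rule_no) decisions the packet passes through.
    The input chain sees the incoming interface; forward and output see the
    outgoing one.  A packet rejected in input never reaches forward, so a
    forward ACCEPT can never 'override' an input REJECT."""
    trace = []
    verdict, no = run_chain("input", rules, pkt, pkt.in_iface, policy)
    trace.append(("input", verdict, no))
    if verdict != "ACCEPT" or pkt.out_iface is None:
        return trace
    verdict, no = run_chain("forward", rules, pkt, pkt.out_iface, policy)
    trace.append(("forward", verdict, no))
    if verdict != "ACCEPT":
        return trace
    verdict, no = run_chain("output", rules, pkt, pkt.out_iface, policy)
    trace.append(("output", verdict, no))
    return trace


# Constructed stand-ins: $EXTIF=eth0, $EXTIP=203.0.113.5 (documentation range)
EXTIF, EXTIP = "eth0", "203.0.113.5/32"
RULES = [
    Rule("input", "REJECT", iface=EXTIF, proto=TCP, sport=139, dst=EXTIP),
    Rule("forward", "ACCEPT", src="192.168.1.0/24", dst="192.168.1.0/24"),
]

# Constructed packets.  (1) SMB-style TCP from the Internet, source port 139,
# addressed to the firewall itself.  (2) The same shape but UDP: protocol 17
# does not match "-p tcp".  (3) SMB over UDP between two local nets via ppp0.
SMB_TCP_FROM_INTERNET = Packet("eth0", TCP, "198.51.100.7", "203.0.113.5", 139, 1025)
SMB_UDP_FROM_INTERNET = Packet("eth0", UDP, "198.51.100.7", "203.0.113.5", 139, 1025)
SMB_UDP_OVER_PPP = Packet("ppp0", UDP, "192.168.1.10", "192.168.1.20", 137, 137, "eth1")

if __name__ == "__main__":
    for name, pkt in [("tcp/139 -> EXTIP on eth0", SMB_TCP_FROM_INTERNET),
                      ("udp/139 -> EXTIP on eth0", SMB_UDP_FROM_INTERNET),
                      ("udp/137 lan->lan via ppp0", SMB_UDP_OVER_PPP)]:
        print(f"{name}: {traverse(RULES, pkt)}")
```

Running it shows the first packet rejected by input rule 1 with the forward chain never consulted, the second accepted by the input chain's default policy because the protocol differs, and the third passing input untouched (wrong interface and protocol for the REJECT rule) before forward rule 1 accepts it. Whatever is logging denials for ppp0/udp on Jason's box therefore has to be a different rule than the one he quoted.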