Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-06-01 Thread Tom Browder
On Wed, Jun 1, 2022 at 11:21 john doe wrote: > when does it actually start operating? Does it do so then, or does it take > > a reboot? > Apparently, if you 'enable' 'ufw', it will start and be enabled at boot. Good, thanks. According to (1), ufw should work with nftables, I did not follow th

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-06-01 Thread john doe
On 6/1/2022 1:45 PM, Tom Browder wrote: On Mon, May 30, 2022 at 19:46 Edwin Zimmerman wrote: On 5/30/22 09:41, Greg Wooledge wrote: On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote: No worries. All those responses about the subject IP now are the norm for a bare-iron server read

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-06-01 Thread Tom Browder
On Mon, May 30, 2022 at 19:46 Edwin Zimmerman wrote: > On 5/30/22 09:41, Greg Wooledge wrote: > > On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote: > >> No worries. All those responses about the subject IP now are the norm > for a > >> bare-iron server ready for use by a customer, your

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Edwin Zimmerman
On 5/30/22 09:41, Greg Wooledge wrote: > On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote: >> No worries. All those responses about the subject IP now are the norm for a >> bare-iron server ready for use by a customer, yours truly. It is the same >> server I messed up the firewall with a

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Timothy M Butterworth
On Mon, May 30, 2022 at 1:24 PM Tom Browder wrote: > On Mon, May 30, 2022 at 09:03 IL Ka wrote: > >> IMHO: It is better to have a firewall and block (policy -- drop) INPUT >> and FORWARD by default. >> And open only ports that must be opened. >> This will help if you install some software that l

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Tom Browder
On Mon, May 30, 2022 at 09:03 IL Ka wrote: > IMHO: It is better to have a firewall and block (policy -- drop) INPUT and > FORWARD by default. > And open only ports that must be opened. > This will help if you install some software that listens for 0.0.0.0 by > accident > From my limited researc

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Tom Browder
On Mon, May 30, 2022 at 08:42 Greg Wooledge wrote: .. > Unless this machine is more than just a web server...? It does serve other purposes.

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread IL Ka
IMHO: It is better to have a firewall and block (policy -- drop) INPUT and FORWARD by default. And open only ports that must be opened. This will help if you install some software that listens for 0.0.0.0 by accident On Mon, May 30, 2022 at 4:42 PM Greg Wooledge wrote: > On Mon, May 30, 2022 at

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Greg Wooledge
On Mon, May 30, 2022 at 07:13:54AM -0500, Tom Browder wrote: > No worries. All those responses about the subject IP now are the norm for a > bare-iron server ready for use by a customer, yours truly. It is the same > server I messed up the firewall with and locked myself out of. The OS has > been r

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Tom Browder
On Mon, May 30, 2022 at 02:13 john doe wrote: > On 5/30/2022 12:26 AM, Tom Browder wrote: > > On Sun, May 29, 2022 at 15:55 Greg Wooledge wrote: No worries. All those responses about the subject IP now are the norm for a bare-iron server ready for use by a customer, yours truly. It is the same

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread Curt
On 2022-05-29, Greg Wooledge wrote: > > Second, I cannot ping this IP address, nor can I telnet to port 80 of it. > (Nor port 22.) > That's strange; I can ping it (I'm not in Kansas anymore): curty@einstein:~$ ping 69.30.225.10 PING 69.30.225.10 (69.30.225.10) 56(84) bytes of data. 64 bytes fro

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-30 Thread john doe
On 5/30/2022 12:26 AM, Tom Browder wrote: On Sun, May 29, 2022 at 15:55 Greg Wooledge wrote: ... Thanks, Greg. It looks like my server was blocked from ports 80 and 443 upstream from it (as you and others suspected), so I asked my provider to reinstall the OS and ensure it has public access to

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Charles Kroeger
> Maybe I should remove all firewall progs and start from zero. I would suggest you install Shorewall. it is not the pain in the arse that's been the theme of this thread so far.

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Timothy M Butterworth
On Sun, May 29, 2022 at 8:13 PM Greg Wooledge wrote: > On Sun, May 29, 2022 at 11:50:44PM +, Lee wrote: > > On 5/29/22, Greg Wooledge wrote: > > > Second, I cannot ping this IP address, nor can I telnet to port 80 of > it. > > > > For whatever it's worth.. > > > > Pinging 69.30.225.10 with 3

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > > ssh gives me a login prompt > > Btw, I highly recommend: * Block SSH access from any IP except one you are going to use to manage this server * If you have dynamic IP, you can add all your ISP network, or, at least, your country: (list can be downloaded here https://blog.ip2location.com/kno

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Greg Wooledge
On Sun, May 29, 2022 at 11:50:44PM +, Lee wrote: > On 5/29/22, Greg Wooledge wrote: > > Second, I cannot ping this IP address, nor can I telnet to port 80 of it. > > For whatever it's worth.. > > Pinging 69.30.225.10 with 32 bytes of data: > Reply from 69.30.225.10: bytes=32 time=43ms TTL=53

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Lee
On 5/29/22, Greg Wooledge wrote: > On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote: >> I have not intentionally hidden anything, Greg--I just never saw the need >> for >> mentioning it given the dialogue--x.y.z.w is just shorthand. If you >> must know the exact IP address, it is 69.30.

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 15:55 Greg Wooledge wrote: ... Thanks, Greg. It looks like my server was blocked from ports 80 and 443 upstream from it (as you and others suspected), so I asked my provider to reinstall the OS and ensure it has public access to ports 80 and 443. Best regards, -Tom

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Greg Wooledge
On Sun, May 29, 2022 at 03:39:05PM -0500, Tom Browder wrote: > I have not intentionally hidden anything, Greg--I just never saw the need for > mentioning it given the dialogue--x.y.z.w is just shorthand. If you > must know the exact IP address, it is 69.30.225.10. OK. Now we can actually start he

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 2:21 PM Greg Wooledge wrote: > > > > > btw, are you able to ping server? > > > > > > Yes. > > > > It is always better to show the command and the output instead of saying > > yes/no! :) > > Except it should be abundantly clear by now that you're dealing with > someone who b

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Greg Wooledge
> > > btw, are you able to ping server? > > > > Yes. > > It is always better to show the command and the output instead of saying > yes/no! :) Except it should be abundantly clear by now that you're dealing with someone who believes that they must hide every single detail from the ones who would

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > > I must say, I can not really understand how you can ping and not > telnet/access your web server. > > Some router between OP and his server has something like -I FORWARD -j REJECT --reject-with icmp-host-unreachable

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread john doe
On 5/29/2022 7:20 PM, Tom Browder wrote: On Sun, May 29, 2022 at 11:39 IL Ka wrote: btw, are you able to ping server? Yes. It is always better to show the command and the output instead of saying yes/no! :) I must say, I can not really understand how you can ping and not telnet/access yo

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 11:39 IL Ka wrote: > btw, are you able to ping server? > Yes.

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread tomas
On Sun, May 29, 2022 at 05:41:59AM -0500, Tom Browder wrote: > On Sat, May 28, 2022 at 20:06 IL Ka wrote: > ... > > 3. You should also check that Apache is running and listening to this port, > > use ``ss -lt``. > > For this command you _may_ use sudo to get process names (``sudo ss > > -ltp``).

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
btw, are you able to ping server? On Sun, May 29, 2022 at 7:26 PM Tom Browder wrote: > On Sun, May 29, 2022 at 10:33 AM IL Ka wrote: > > > > > >> When running those, I'm told neither the arptables nor the ebtables are > registered (not installed). Should I install them? > > > > No. > > > > So,

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > > > and ``iptables -S`` ? > > -P INPUT ACCEPT > -P FORWARD ACCEPT > -P OUTPUT ACCEPT > -N f2b-sshd > -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd > -A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with > icmp-port-unreachable > -A f2b-sshd -s 61.177.173.7/32 -j REJECT --reject-with >

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 10:33 AM IL Ka wrote: > > >> When running those, I'm told neither the arptables nor the ebtables are >> registered (not installed). Should I install them? > > No. > > So, you now have legacy (classic) iptables, right? Yes. > What is the output of ``iptables -L -v -n`` C

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> When running those, I'm told neither the arptables nor the ebtables are > registered (not installed). Should I install them? > No. So, you now have legacy (classic) iptables, right? What is the output of ``iptables -L -v -n`` and ``iptables -S`` ?

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 09:51 IL Ka wrote: > >>> Do I have to switch all four *legacy *tables? >> > > yes > When running those, I'm told neither the arptables nor the ebtables are registered (not installed). Should I install them? >

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > >> Do I have to switch all four *legacy *tables? > yes

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sat, May 28, 2022 at 17:24 IL Ka wrote: > ... I am not familiar with nft, but you can switch to iptables using >> ``update-alternatives`` >> > > # update-alternatives --set iptables /usr/sbin/iptables-legacy > # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy > # update-alterna

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Erwan David
On 29/05/2022 at 13:22, Tom Browder wrote: On Sun, May 29, 2022 at 05:41 Tom Browder wrote: Does anyone have a good reason for me to NOT install and enable UFW? -Tom A good reason would be that there is obviously already something on your server managing the firewalling. Having 2 different

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > > > Good to know. But does fail2ban require ipset? > No, but having several thousand rules is not convenient, so I prefer ipset > They never have before in over 15 years, and, before I got this server > started, its mate was serving fine. But if the ufw doesn't work, I'll ask > them. > I'd s

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 07:06 IL Ka wrote: > Does anyone have a good reason for me to NOT install and enable UFW? >> > > ufw can't be used with ipset AFAIK, and I use ipset for many reasons > (fail2ban, block access outside of my country etc). > But If you only SSH your host from one static IP, y

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > > > Does anyone have a good reason for me to NOT install and enable UFW? > > ufw can't be used with ipset AFAIK, and I use ipset for many reasons (fail2ban, block access outside of my country etc). But If you only SSH your host from one static IP, you probably do not need fail2ban at all. Anyw

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread IL Ka
> > $ telnet x.y.z.w 80 > Trying x.y.z.w... > telnet: Unable to connect to remote host: No route to host > But you can ssh to this host, right? Well, that means the firewall blocks your request and sends the ICMP message "no route to host". Switch to the legacy iptables using ``update

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sun, May 29, 2022 at 05:41 Tom Browder wrote: Does anyone have a good reason for me to NOT install and enable UFW? -Tom

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-29 Thread Tom Browder
On Sat, May 28, 2022 at 20:06 IL Ka wrote: ... 3. You should also check that Apache is running and listening to this port, > use ``ss -lt``. > For this command you _may_ use sudo to get process names (``sudo ss > -ltp``). Read ``ss --help`` > > If you were able to connect on this host, then try t

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 20:06 IL Ka wrote: > >> $ sudo su >> # telnet 80 >> Trying 0.0.0.80... >> > > 1. You are using telnet wrong: it should be "telnet [host] [port]". Please > read "man telnet". > 2. You do not need sudo to use telnet, do not do that > 3. You should also check that

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
> > > $ sudo su > # telnet 80 > Trying 0.0.0.80... > 1. You are using telnet wrong: it should be "telnet [host] [port]". Please read "man telnet". 2. You do not need sudo to use telnet, do not do that 3. You should also check that Apache is running and listening to this port, use ``ss

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 19:10 Timothy M Butterworth < timothy.m.butterwo...@gmail.com> wrote: … On the local host try running `telnet 127.0.0.1 80` > I was able to connect, thanks, Timothy! Now what? I would really like to use ufw. -Tom

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 19:01 Greg Wooledge wrote: > On Sat, May 28, 2022 at 05:51:38PM -0500, Tom Browder wrote: > … > > ... wow. Just wow. How can such a short excerpt contain so many failures? Greg, calm down. I get it, but I haven’t unlearned years of muscle memory—sorry. And the telnet

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Timothy M Butterworth
On Sat, May 28, 2022 at 7:52 PM Tom Browder wrote: > > > On Sat, May 28, 2022 at 17:51 Tom Browder wrote: > >> On Sat, May 28, 2022 at 17:30 IL Ka wrote: >> >>> I am running an Apache server and using Qualys Lab’s server checker. It shows no access to the server. Have you tried t

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Greg Wooledge
On Sat, May 28, 2022 at 05:51:38PM -0500, Tom Browder wrote: > $ sudo su > # telnet 80 > Trying 0.0.0.80... ... wow. Just wow. How can such a short excerpt contain so many failures? 1) "sudo su" is stupid. You don't need TWO setuid programs to get a root shell. Either use "sudo

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 17:51 Tom Browder wrote: > On Sat, May 28, 2022 at 17:30 IL Ka wrote: > >> I am running an Apache server and using Qualys Lab’s server checker. It >>> shows no access to the server. >>> >>> Have you tried to telnet to port 80 from home? Do you see apache >> listening this

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 17:30 IL Ka wrote: > I am running an Apache server and using Qualys Lab’s server checker. It >> shows no access to the server. >> >> Have you tried to telnet to port 80 from home? Do you see apache > listening this port using ``ss``? > On the new host I did: $ sudo s

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
> > I am running an Apache server and using Qualys Lab’s server checker. It > shows no access to the server. > > Have you tried to telnet to port 80 from home? Do you see apache listening this port using ``ss``? > > Whatever attempt I make to change the ports disappears when I reboot. > > Sure,

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Dan Ritter
Tom Browder wrote: > On Sat, May 28, 2022 at 14:11 Tom Browder wrote: > > > As the bare-iron server came from my long-time cloud provider (since > > Debian 6), incoming ports 80 and 443 are blocked. > > > A little more digging shows the new server is using fail2ban and nft > tables, so I > nee

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 17:08 Dan Ritter wrote: … Therefore, something outside of your machine is blocking the > ports, or you are misreading or misusing the tools that are > telling you the ports are blocked. Tell us how you are checking the ports I am running an Apache server and using Qual

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
> > > > A little more digging shows the new server is using fail2ban and nft > tables, so I > need help on how to properly allow https and http inbound. > > I am not familiar with nft, but you can switch to iptables using ``update-alternatives`` # update-alternatives --set iptables /usr/sbin/iptab

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Tom Browder
On Sat, May 28, 2022 at 14:11 Tom Browder wrote: > As the bare-iron server came from my long-time cloud provider (since > Debian 6), incoming ports 80 and 443 are blocked. A little more digging shows the new server is using fail2ban and nft tables, so I need help on how to properly allow https

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread IL Ka
> > > > -P INPUT ACCEPT > -P FORWARD ACCEPT > -P OUTPUT ACCEPT > -N f2b-sshd > -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd > -A f2b-sshd -s 62.204.41.56/32 -j REJECT --reject-with > icmp-port-unreachable > -A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with > icmp-port-unreachable > -A

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Georgi Naplatanov
On 5/28/22 22:11, Tom Browder wrote: > As the bare-iron server came from my long-time cloud provider (since > Debian 6), incoming ports 80 and 443 are blocked. > > I ran my usual iptables command for new servers from them, but this > time the default settings were different so it didn't work. Try

Re: Firewall blocking my new Debian 11 server ports 80 and 443

2022-05-28 Thread Dan Ritter
Tom Browder wrote: > As the bare-iron server came from my long-time cloud provider (since > Debian 6), incoming ports 80 and 443 are blocked. > > I ran my usual iptables command for new servers from them, but this > time the default settings were different so it didn't work. > > Output from "sud

Re: Firewall POSTROUTING problem

2021-08-12 Thread Lucas Castro
On 8/11/21 7:01 PM, Alain D D Williams wrote: On Wed, Aug 11, 2021 at 11:50:30PM +0200, deloptes wrote: Alain D D Williams wrote: iptables -A FORWARD -j ACCEPT and the OUTPUT? OUTPUT is also ACCEPT, however this is not, I think, important as the packets come from 10.239.239.23 (via br0) a

Re: Firewall POSTROUTING problem

2021-08-11 Thread Alain D D Williams
On Thu, Aug 12, 2021 at 01:28:57AM +0300, IL Ka wrote: > > > > > > > > > > iptables -A FORWARD -j ACCEPT > > > > Are you sure your packets are forwarded via netfilter? > Try to disable forwarding (with sysctl) or change rule to -j DROP and > check traffic with sniffer (no packet should be forward

Re: Firewall POSTROUTING problem

2021-08-11 Thread IL Ka
> > > > > > iptables -A FORWARD -j ACCEPT > Are you sure your packets are forwarded via netfilter? Try to disable forwarding (with sysctl) or change rule to -j DROP and check traffic with sniffer (no packet should be forwarded from virt machine to the Internet)

Re: Firewall POSTROUTING problem

2021-08-11 Thread Alain D D Williams
On Wed, Aug 11, 2021 at 11:50:30PM +0200, deloptes wrote: > Alain D D Williams wrote: > > > iptables -A FORWARD -j ACCEPT > > > > and the OUTPUT? OUTPUT is also ACCEPT, however this is not, I think, important as the packets come from 10.239.239.23 (via br0) and go to the Internet - thus FORWARD

Re: Firewall POSTROUTING problem

2021-08-11 Thread deloptes
Alain D D Williams wrote: > iptables -A FORWARD -j ACCEPT > and the OUTPUT? > and this is not a problem ... evidence is outgoing packets with source > address 10.239.239.23 ah, ok, I misinterpreted it. -- FCD6 3719 0FFB F1BF 38EA 4727 5348 5F1F DCFE BCB0

Re: Firewall POSTROUTING problem

2021-08-11 Thread Alain D D Williams
On Wed, Aug 11, 2021 at 11:32:51PM +0200, deloptes wrote: > I remember it was not only the POSTROUTING. May be I am wrong, but I think > FORWARD and OUTPUT is important. > I also wonder why you are mixing up the -s and --to-source. You should be > using the local address for -s and --to-source the

Re: Firewall POSTROUTING problem

2021-08-11 Thread deloptes
Alain D D Williams wrote: > Hi, > > I have problems getting POSTROUTING to work on a Debian 10 box. > > Setup: > > INTERNET ... Broadband modem 192.168.108.1 > > Network internal to the Debian box for virtual machines 10.239.239.0/24 > > Debian has address 192.168.108.2 (interface enp3s0) and

Re: firewall rules for NAT

2017-07-01 Thread Igor Cicimov
On 1 Jul 2017 7:31 pm, "Pascal Hambourg" wrote: On 01/07/2017 at 03:25, Igor Cicimov wrote: > > You know what, I just checked the iptables rules the op sent again and > realized this: > > -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp > > --dport 25 -j SNAT --to-source

Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 13:25:30 +0200 Pascal Hambourg wrote: Hello Pascal, >Are you sure that your mailer displays the plain text version, not the >HTML version ? I'll change my answer; I only looked at a couple of Igor's messages and they were fine. However, further study shows that in some pos

Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 13:25:30 +0200 Pascal Hambourg wrote: Hello Pascal, >Are you sure that your mailer displays the plain text version, not the >HTML version ? Positive. I use Claws Mail *without* any HTML plugin. -- Regards _ / ) "The blindingly obvious is / _)r

Re: firewall rules for NAT

2017-07-01 Thread Pascal Hambourg
On 01/07/2017 at 12:54, Brad Rogers wrote: On Sat, 1 Jul 2017 11:30:41 +0200 Pascal Hambourg wrote: Hello Pascal, PS. Igor, the plain text version of your posts does not properly mark the quoted text from the message you reply to: it appears as if it was your text, without any quotation ma

Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 11:30:41 +0200 Pascal Hambourg wrote: Hello Pascal, >PS. Igor, the plain text version of your posts does not properly mark >the quoted text from the message you reply to : it appears as if it was >your text, without any quotation marks. It's fine here. -- Regards _

Re: firewall rules for NAT

2017-07-01 Thread Pascal Hambourg
On 01/07/2017 at 03:25, Igor Cicimov wrote: You know what, I just checked the iptables rules the op sent again and realized this: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 is NOT how you would do SNAT with DNAT, you norm

Re: firewall rules for NAT

2017-06-30 Thread Igor Cicimov
On 1 Jul 2017 7:13 am, "Pascal Hambourg" wrote: On 30/06/2017 at 15:09, Igor Cicimov wrote: > On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg > wrote: > >> >> Stateful NAT requires symmetric routing, i.e. reply packets go through the >> router that did the NAT operations on original packets

Re: firewall rules for NAT

2017-06-30 Thread Pascal Hambourg
On 30/06/2017 at 15:09, Igor Cicimov wrote: On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg wrote: Stateful NAT requires symmetric routing, i.e. reply packets go through the router that did the NAT operations on original packets and keeps the state for these NAT operations. With the host a

Re: firewall rules for NAT

2017-06-30 Thread Igor Cicimov
On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg wrote: > On 30/06/2017 at 00:38, Igor Cicimov wrote: > >> On 29 Jun 2017 6:32 pm, "Lucio Crusca" wrote: >> >>> >>> On 27/06/2017 23:35, Pascal Hambourg wrote: >>> >>> On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d

Re: firewall rules for NAT

2017-06-29 Thread Pascal Hambourg
On 30/06/2017 at 00:38, Igor Cicimov wrote: On 29 Jun 2017 6:32 pm, "Lucio Crusca" wrote: On 27/06/2017 23:35, Pascal Hambourg wrote: On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 If this rul

Re: firewall rules for NAT

2017-06-29 Thread Igor Cicimov
On 29 Jun 2017 6:32 pm, "Lucio Crusca" wrote: On 27/06/2017 23:35, Pascal Hambourg wrote: > On 27/06/2017 at 13:29, Lucio Crusca wrote: > >> >> -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT >> --to-source 10.7.33.100 >> >> > If this rule is required, then your routing

Re: firewall rules for NAT

2017-06-29 Thread Lucio Crusca
On 27/06/2017 23:35, Pascal Hambourg wrote: On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 If this rule is required, then your routing setup is wrong. Thank you very much, that was the problem. My

Re: firewall rules for NAT

2017-06-28 Thread Igor Cicimov
On 27 Jun 2017 9:29 pm, "Lucio Crusca" wrote: On 26/06/2017 11:35, Dan Purgert wrote: > That shouldn't be happening -- you may have an errant rule you didn't > show > I think I did show that rule: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100

Re: firewall rules for NAT

2017-06-27 Thread Pascal Hambourg
On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 The problem is that without that rule things do not work at all (connections time out). If this rule is required, then your routing setup is wrong. What is t

Re: firewall rules for NAT

2017-06-27 Thread Lucio Crusca
On 26/06/2017 11:35, Dan Purgert wrote: That shouldn't be happening -- you may have an errant rule you didn't show I think I did show that rule: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 The problem is that without that rule things do not

Re: firewall rules for NAT

2017-06-26 Thread Dan Purgert
Lucio Crusca wrote: >[...] > It works like a charm, but there is one problem: my mail server receives > all the connections from the router, which has its own private IP > address (10.7.33.100), so the mail server can't enforce SPF policies nor > DNS RBL rules on incoming mail connections. That

Re: Firewall - basic config?

2016-04-27 Thread Harris Paltrowitz
On 04/27/2016 05:22 AM, Jonathan Dowland wrote: On Sat, Apr 23, 2016 at 01:04:36PM -0400, Harris Paltrowitz wrote: 2. I found that "ufw" works as a line-command-based-front-end to iptables. Good call. ufw is (IMHO) one of the best iptables-frontends for basic FWs. I am particularly fond of how

Re: Firewall - basic config?

2016-04-27 Thread Jonathan Dowland
On Sat, Apr 23, 2016 at 01:04:36PM -0400, Harris Paltrowitz wrote: > 2. I found that "ufw" works as a line-command-based-front-end to iptables. Good call. ufw is (IMHO) one of the best iptables-frontends for basic FWs. I am particularly fond of how easy it makes adding a rate-limiting rule. > 3.

Re: Firewall - basic config?

2016-04-27 Thread cbannister
On Sat, Apr 23, 2016 at 01:04:36PM -0400, Harris Paltrowitz wrote: > Hi List, > > I have a question regarding how I've configured my iptables to act as a very > basic "firewall", i.e., one that simply prevents any and all incoming > connections. Now, from my readings over the past several days I

Re: Firewall - basic config?

2016-04-25 Thread Michael Milliman
On 04/24/2016 03:56 AM, Reco wrote: On Sun, 24 Apr 2016 00:17:51 -0500 Michael Milliman wrote: Any suggestions/comments would be much appreciated. Thanks very much. Assuming you'd want to keep ufw, you'd need to worry about: Chain ufw-after-input (1 references) target prot opt sourc

Re: Firewall - basic config?

2016-04-25 Thread shawn wilson
On Apr 23, 2016 3:54 PM, "Joe" wrote: > . > > You might also try iptables -S which will list the rules in the form > that you would enter by hand as arguments to the iptables command. It is > a different view, and you may see things that are less obvious in the > -L view. > I'm guessing -S is the

Re: Firewall - basic config?

2016-04-24 Thread Reco
On Sun, 24 Apr 2016 00:17:51 -0500 Michael Milliman wrote: > >> Any suggestions/comments would be much appreciated. Thanks > >> very much. > > Assuming you'd want to keep ufw, you'd need to worry about: > > > >> Chain ufw-after-input (1 references) > >> target prot opt source d

Re: Firewall - basic config?

2016-04-23 Thread Michael Milliman
On 04/23/2016 01:01 PM, Reco wrote: Hi. On Sat, 23 Apr 2016 13:04:36 -0400 Harris Paltrowitz wrote: Hi List, I have a question regarding how I've configured my iptables to act as a very basic "firewall", i.e., one that simply prevents any and all incoming connections. Now, from my

Re: Firewall - basic config?

2016-04-23 Thread Joe
On Sat, 23 Apr 2016 13:04:36 -0400 Harris Paltrowitz wrote: > I noticed a mention of "microsoft-ds" in > there... I assume this is just a protocol, and not a piece of > software! Yes, iptables is being helpful in giving you a common name for the port or protocol used. It picks the name o

Re: Firewall - basic config?

2016-04-23 Thread Reco
Hi. On Sat, 23 Apr 2016 13:04:36 -0400 Harris Paltrowitz wrote: > Hi List, > > I have a question regarding how I've configured my iptables to act as a > very basic "firewall", i.e., one that simply prevents any and all > incoming connections. Now, from my readings over the past sever

Re: firewall à base d'iptables au démarrage (/etc/init.d/)

2013-09-01 Thread Pascal Hambourg
Lisi Reisz a écrit : > On Sunday 01 September 2013 10:26:22 Erwan David wrote: >> Et ces règles ne dépendent de rien d'autre ? Par exemple chez moi j'ai >> une interface tun0 pour un VPN? qui n'existera que si le VPN est lancé... > > This is an English language list! Looks like that post escaped

Re: firewall à base d'iptables au démarrage (/etc/init.d/)

2013-09-01 Thread Lisi Reisz
On Sunday 01 September 2013 10:26:22 Erwan David wrote: > Le 01/09/2013 11:10, Dominique Asselineau a écrit : > > François TOURDE wrote on Sun, Sep 01, 2013 at 10:00:55AM +0200 > > > >> Le 15949ième jour après Epoch, > >> > >> Gaëtan PERRIER écrivait: > >>> Bonsoir, [snip] > Et ces règles ne dépend

Re: iptables-based firewall at startup (/etc/init.d/)

2013-09-01 Thread Erwan David
On 01/09/2013 11:10, Dominique Asselineau wrote: > François TOURDE wrote on Sun, Sep 01, 2013 at 10:00:55AM +0200 >> On the 15949th day after Epoch, >> Gaëtan PERRIER wrote: >> >>> Good evening, >>> >>> It's possible when you are on a static network, but with a network >>> on DHCP that does not seem to me

Re: firewall

2012-07-14 Thread Joel Roth
On Wed, Jul 04, 2012 at 11:19:06AM +0800, lina wrote: > Hi, > > I don't know which firewall (http://wiki.debian.org/Firewalls) I should > choose. > > Thanks ahead for recommendation, and it will be very nice if you tell > me why you recommend this one. From other posts on this thread, it sound

Re: firewall

2012-07-10 Thread Chris Bannister
On Wed, Jul 04, 2012 at 11:19:06AM +0800, lina wrote: > Hi, > > I don't know which firewall (http://wiki.debian.org/Firewalls) I should > choose. > > Thanks ahead for recommendation, and it will be very nice if you tell > me why you recommend this one. Have a read of: http://www.debian-administ

Re: firewall

2012-07-06 Thread Jon Dowland
On Fri, Jul 06, 2012 at 05:39:47PM +0300, Andrei POPESCU wrote: > On Mi, 04 iul 12, 15:16:10, Jon Dowland wrote: > > > > Except on Debian you are required to do a fair amount of work to make > > your rules persistent across reboots and ensure you get ordering right > > to not lock yourself out of

Re: firewall

2012-07-06 Thread Andrei POPESCU
On Mi, 04 iul 12, 15:16:10, Jon Dowland wrote: > > Except on Debian you are required to do a fair amount of work to make > your rules persistent across reboots and ensure you get ordering right > to not lock yourself out of the box (if remote): all problems that > do not exist if you install and u

Re: firewall

2012-07-05 Thread Eike Lantzsch
On Thursday 05 July 2012 18:26:12 Doug wrote: > On 07/05/2012 08:31 AM, Atıf CEYLAN wrote: > > On 2012-07-05 10:05, Anthony Campbell wrote: > >> On 04 Jul 2012, Brad Alexander wrote: > >>> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf > >>> <ralf.mard...@alice-dsl.net> wrote: > On

Re: firewall

2012-07-05 Thread Doug
On 07/05/2012 08:31 AM, Atıf CEYLAN wrote: On 2012-07-05 10:05, Anthony Campbell wrote: On 04 Jul 2012, Brad Alexander wrote: On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf <ralf.mard...@alice-dsl.net> wrote: On Wed, 2012-07-04 at 11:19 +0800, lina wrote: Hi, I don't know which firewall

Re: firewall

2012-07-05 Thread Jon Dowland
Your reply (the text/plain portion) was completely illegible I'm afraid. Please refrain from sending HTML mail.

Re: firewall

2012-07-05 Thread Jon Dowland
On Wed, Jul 04, 2012 at 04:52:10PM -0400, Brad Alexander wrote: > Excellent points, Joe. In addition, Windows was designed from the ground up > as a single-user operating system, which means that all of the files on a > system were accessible by the user. This is not true for the NT-based Windows

Re: firewall

2012-07-05 Thread Atıf CEYLAN
On 2012-07-05 10:05, Anthony Campbell wrote: > On 04 Jul 2012, Brad Alexander wrote: > >> On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf wrote: >> >>> On Wed, 2012-07-04 at 11:19 +0800, lina wrote: >>> Hi, I don't know which firewall (http://wiki.debian.org/Firewalls [1]) I should cho

Re: firewall

2012-07-05 Thread Anthony Campbell
On 04 Jul 2012, Brad Alexander wrote: > On Wed, Jul 4, 2012 at 2:15 AM, Ralf Mardorf > wrote: > > On Wed, 2012-07-04 at 11:19 +0800, lina wrote: > >> Hi, > >> > >> I don't know which firewall (http://wiki.debian.org/Firewalls) I should > >> choose. > >> > >> Thanks ahead for recommendation, and
