[NCLUG] smoothwall questions

Neil Doane caine at vasoftware.com
Wed Feb 20 15:12:54 MST 2002


That's in the "External Services" area, where you set up ipchains rules for
what is allowed in and what is dropped based on the source IP of the
datagram.  What it is saying is that since your Smoothie's default
configuration is set up so that all ports above 1024 are allowed in by
default, from anywhere, you don't have any source IP control over these
ports, so don't go into the "Port Forwarding" section and forward them and
expect to be able to have control over where packets going to those
forwarded ports are coming from.  (For instance, if you use the 'external
services' to open port 9000 on your Smoothie and tell it that only one IP in
the world can access that port (say 20.20.20.20), then go in to port forward
that port from your Smoothie to your internal web server on port 80, your
rule about only allowing 20.20.20.20 won't have any effect because there's a
previous ipchains rule that says that any tcp or udp from 1024-65535 will be
accepted from anywhere.)  You can certainly change this from a shell and some
ipchains magic; all that is saying is that the SmoothWall interface doesn't
know how to do it.



Neil





* rosing at peakfive.com (rosing at peakfive.com) on [02-20-02 11:27] did utter:
> I got smoothwall.  It works great (other than the fact that I couldn't
> figure out how to add a driver for a card it didn't know about). But
> I'm curious about one thing.  In the documentation it says:
> 
>   Also note: Ports above 1024 are allowed through automatically. For this
>   reason, it is not recommended that you forward these ports if you require
>   restricted access by source IP address.
> 
> What is this saying?  It lets everything above port 1024 through but
> it doesn't forward them?  I'm confused.  After being told the ills of
> letting X requests through I want to make sure it doesn't happen here.
> 
> Thanks,
> 
> Matt
> 
> 
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
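
The rule-ordering effect described in the reply, as an added example that is not part of the original thread and is not SmoothWall's actual rule set: a first-match chain evaluator plus a check for rules that an earlier, broader rule makes unreachable. The rule names, the test source 203.0.113.5 and the reordered chain are assumptions for illustration, and protocol matching is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source network in CIDR form
    lo: int       # first destination port matched
    hi: int       # last destination port matched (inclusive)
    action: str   # "ACCEPT" or "DENY"

def decide(rules, src, port, policy="DENY"):
    """First matching rule wins, as in an ipchains chain; else the chain policy."""
    for r in rules:
        if ip_address(src) in ip_network(r.src) and r.lo <= port <= r.hi:
            return r.action, r.name
    return policy, "policy"

def covers(earlier, later):
    """True when every packet `later` matches is already matched by `earlier`."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and earlier.lo <= later.lo and later.hi <= earlier.hi)

def shadowed(rules):
    """Return (rule, earlier rule) pairs where the rule can never be reached."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed chains: the blanket high-port accept placed before, then after,
# the source-restricted rule for port 9000 from the example in the reply.
DEFAULT_ORDER = [
    Rule("high-ports-any", "0.0.0.0/0", 1024, 65535, "ACCEPT"),
    Rule("ext-9000-from-20.20.20.20", "20.20.20.20/32", 9000, 9000, "ACCEPT"),
]
REORDERED = [
    Rule("ext-9000-from-20.20.20.20", "20.20.20.20/32", 9000, 9000, "ACCEPT"),
    Rule("ext-9000-others", "0.0.0.0/0", 9000, 9000, "DENY"),
    Rule("high-ports-any", "0.0.0.0/0", 1024, 65535, "ACCEPT"),
]

if __name__ == "__main__":
    for label, chain in (("default", DEFAULT_ORDER), ("reordered", REORDERED)):
        print(label, "shadowed:", shadowed(chain))
        print(label, "203.0.113.5 -> 9000:", decide(chain, "203.0.113.5", 9000))
```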


