Re: DNS or firewall problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.

ugh...fwbuilder crap...oh well.


> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

Seriously? Them two are redundant since you already accept everything on lo.

> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT

Hmm...you do not appear to have a blanket accept for your internal 
interface. What services are supposed to be open to the internal lan?


>
>
>> 'netstat -ntlp'
>
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address               Foreign Address
> State       PID/Program name
> tcp        0      0 0.0.0.0:20000               0.0.0.0:*
> LISTEN      3580/perl
> tcp        0      0 127.0.0.1:2208              0.0.0.0:*
> LISTEN      2960/hpiod
> tcp        0      0 0.0.0.0:3306                0.0.0.0:*
> LISTEN      3138/mysqld
> tcp        0      0 127.0.0.1:3310              0.0.0.0:*
> LISTEN      3049/clamd
> tcp        0      0 0.0.0.0:111                 0.0.0.0:*
> LISTEN      2667/portmap
> tcp        0      0 0.0.0.0:6000                0.0.0.0:*
> LISTEN      3958/X
> tcp        0      0 0.0.0.0:10000               0.0.0.0:*
> LISTEN      3588/perl
> tcp        0      0 192.168.1.101:53            0.0.0.0:*
> LISTEN      2639/named
> tcp        0      0 127.0.0.1:53                0.0.0.0:*
> LISTEN      2639/named
> tcp        0      0 127.0.0.1:631               0.0.0.0:*
> LISTEN      2980/cupsd
> tcp        0      0 0.0.0.0:25                  0.0.0.0:*
> LISTEN      3218/sendmail: acce
> tcp        0      0 127.0.0.1:953               0.0.0.0:*
> LISTEN      2639/named
> tcp        0      0 0.0.0.0:766                 0.0.0.0:*
> LISTEN      2704/rpc.statd
> tcp        0      0 0.0.0.0:3551                0.0.0.0:*
> LISTEN      3032/apcupsd
> tcp        0      0 127.0.0.1:2207              0.0.0.0:*
> LISTEN      2965/python
> tcp        0      0 :::80                       :::*
> LISTEN      5464/httpd
> tcp        0      0 :::6000                     :::*
> LISTEN      3958/X
> tcp        0      0 ::1:953                     :::*
> LISTEN      2639/named
> tcp        0      0 :::443                      :::*
> LISTEN      5464/httpd
>
> Not sure what all this means. Hope someone can.
>

You should be able to connect to the web service from the internal lan 
using the internal ip and also to the smtp service. But I guess your web 
service is probably apache doing proxy work unless you have a different 
meaning to 'internal boxes can access the internet'...

What services were internal boxes supposed to be able to access again? 
webmin? mysql? dns?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux