 
12-28-2010, 10:59 AM
AG
Allowing network printing through Arno's IP Tables

Greetings list

I have recently installed Arno's IP Tables on my Deb testing machine and
want to know how I can allow print privileges to a second computer,
because my machine runs the print server (CUPS).


From the second machine (also a Deb), I am unable to ping my machine
(print server), so am assuming that the IP tables are doing their job.


Looking at the /etc/arno-iptables-firewall/firewall.conf file, I can see
that any changes (which apparently should be handled through debconf)
would have to be made under the Internal (LAN) interface settings, but
beyond this, I'm really not sure how to proceed. Is it best to specify
the IP address (there's only one specific IP address from the second
machine) to allow, or am I supposed to enable INT_NET_BCAST_ADDRESS=""?


Any suggestions on how to proceed with this modification to the basic
set up of Arno's ... and is this something that I should append manually
to the conf file or let debconf handle? If the latter, how would I
indicate my changes?


Thanks for any suggested ways forward.

AG


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: http://lists.debian.org/4D19D131.5080807@gmail.com
 
12-28-2010, 02:02 PM
Camaleón
Allowing network printing through Arno's IP Tables

On Tue, 28 Dec 2010 11:59:45 +0000, AG wrote:

> I have recently installed Arno's IP Tables on my Deb testing machine and
> want to know how I can allow print privileges to a second computer,
> because my machine runs the print server (CUPS).

(...)

First, I would test stopping Arno's IP Tables service and check if it
works, just to ensure the firewall rule is the culprit :-)

I'm not very good at "firewalling" but I guess you will have to put your
internal network inside the "trusted" side. By performing a quick read on
the Arno's IP tables manual
("/usr/share/doc/arno-iptables-firewall/README.gz") I suppose it should be
set using "FULL_ACCESS_HOSTS" variable. If that works, then you can
fine-tune the rule and allow access only to the desired host in the
required port.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.12.28.15.02.22@gmail.com
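
Added example (not part of the thread, and not code from the arno-iptables-firewall project): the reply above suggests opening access with FULL_ACCESS_HOSTS to confirm the diagnosis and then narrowing it to the one client. This script reads a firewall.conf as text and flags FULL_ACCESS_HOSTS entries that are wider than a single host; the function names, the sample addresses and the assumption that entries are separated by spaces or commas are assumptions of this example.

```shell
#!/bin/sh
# Audit FULL_ACCESS_HOSTS in an arno-iptables-firewall style config file.
# The file is parsed as text and never sourced, so auditing cannot execute it.

# Print the value of the last active (uncommented) NAME=... assignment.
conf_value() {  # conf_value NAME FILE
    grep -E "^[[:space:]]*$1=" "$2" | tail -n 1 | cut -d= -f2- |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# Classify one entry as a single host, a network, or everything.
classify_entry() {  # classify_entry ENTRY
    case "$1" in
        0/0|0.0.0.0/0)           echo any ;;
        */32|*/255.255.255.255)  echo host ;;
        */*)                     echo network ;;
        *)                       echo host ;;   # bare address or hostname
    esac
}

# Print "class entry" per entry; return 1 if any entry is wider than one host.
# Assumption: entries are separated by spaces or commas.
audit_full_access() {  # audit_full_access FILE
    rc=0
    for entry in $(conf_value FULL_ACCESS_HOSTS "$1" | tr ',' ' '); do
        class=$(classify_entry "$entry")
        echo "$class $entry"
        [ "$class" = host ] || rc=1
    done
    return $rc
}

# Constructed sample config (not taken from the thread).
write_sample() {  # write_sample VALUE FILE
    cat > "$2" <<EOF
EXT_IF="eth0"
#FULL_ACCESS_HOSTS="10.0.0.0/8"
FULL_ACCESS_HOSTS="$1"   # widened while testing CUPS
EOF
}

demo=$(mktemp)
write_sample '192.168.1.0/24 192.168.1.20' "$demo"
audit_full_access "$demo" || echo "FULL_ACCESS_HOSTS is wider than one host"
rm -f "$demo"
```

Point `audit_full_access` at /etc/arno-iptables-firewall/firewall.conf after testing; a non-zero status means the temporary wide setting is still in place.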
 
12-29-2010, 02:43 PM
AG
Allowing network printing through Arno's IP Tables

On 28/12/10 15:02, Camaleón wrote:
> On Tue, 28 Dec 2010 11:59:45 +0000, AG wrote:
>
>> I have recently installed Arno's IP Tables on my Deb testing machine and
>> want to know how I can allow print privileges to a second computer,
>> because my machine runs the print server (CUPS).
>
> (...)
>
> First, I would test stopping Arno's IP Tables service and check if it
> works, just to ensure the firewall rule is the culprit :-)
>
> I'm not very good at "firewalling" but I guess you will have to put your
> internal network inside the "trusted" side. By performing a quick read on
> the Arno's IP tables manual
> ("/usr/share/doc/arno-iptables-firewall/README.gz") I suppose it should be
> set using "FULL_ACCESS_HOSTS" variable. If that works, then you can
> fine-tune the rule and allow access only to the desired host in the
> required port.
>
> Greetings,

Hello Camaleón

Thanks for your prompt reply. In response to your first suggestion, yes
- I have already eliminated other options: it *is* a firewall rule issue.


In following your second suggestion - I already reviewed that file prior
to posting my query. I am a little confused though because my machine
is single-homed because it only has one NIC. However, it is through
this NIC that the client machine must access the print server, so it is
a single-homed machine, but serving one service to the LAN while
accessing the (outside) Net.


In the actual firewall.conf file, this situation becomes even more
confusing, because it notes:

"Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
should be space separated. Remark this if you don't have any internal network
interfaces. Note that by default ALL traffic is accepted from these interfaces."

But this is not happening - the traffic is being blocked. Now I wonder
if this is because the eth0 (i.e. ext_if) is seeing internally
originating traffic as originating from outside, because it is sharing
the same NIC?


Any other thoughts because I am (understandably) quite leery about
adjusting settings without a full understanding of the implications of
doing so.


Cheers

AG



Archive: http://lists.debian.org/4D1B5715.6090401@gmail.com
 
12-29-2010, 03:17 PM
Camaleón
Allowing network printing through Arno's IP Tables

On Wed, 29 Dec 2010 15:43:17 +0000, AG wrote:

> On 28/12/10 15:02, Camaleón wrote:

>> I'm not very good at "firewalling" but I guess you will have to put
>> your internal network inside the "trusted" side. By performing a quick
>> read on the Arno's IP tables manual
>> ("/usr/share/doc/arno-iptables-firewall/README.gz") I suppose it
>> should be set using "FULL_ACCESS_HOSTS" variable. If that works, then
>> you can fine-tune the rule and allow access only to the desired host in
>> the required port.

(...)

> In following your second suggestion - I already reviewed that file prior
> to posting my query. I am a little confused though because my machine
> is single-homed because it only has one NIC. However, it is through
> this NIC that the client machine must access the print server, so it is
> a single-homed machine, but serving one service to the LAN while
> accessing the (outside) Net.

Normally, firewalls use two (or three, if we count the DMZ) denominations
for their "zones": the "internal" zone is the one you use for your LAN and
is usually "safe", and the "external" zone is where you have the DSL router
connected. This is the common scenario when there are at least two NIC
interfaces and you "divide" your network to get a more secure setup.

But usually, home users only have one NIC available and this can be set up
as "external" (insecure/protected/all ports closed by default) or
"internal" (rules are more relaxed). It seems that the former is what is
happening here.

> In the actual firewall.conf file, this situation becomes even more
> confusing, because it notes:
>
> "Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
> should be space separated. Remark this if you don't have any internal network
> interfaces. Note that by default ALL traffic is accepted from these interfaces."
>
> But this is not happening - the traffic is being blocked. Now I wonder
> if this is because the eth0 (i.e. ext_if) is seeing internally
> originating traffic as originating from outside, because it is sharing
> the same NIC?
>
> Any other thoughts because I am (understandably) quite leery about
> adjusting settings without a full understanding of the implications of
> doing so.

Try to set the variable I mentioned in my previous post, adjust it to fit your
needs and reload the firewall service, then test CUPS again. Basically,
what this variable should do is tell iptables "hey, "eth0" manages my
LAN traffic so reject all the external connections (from remote-to-lan)
but relax the rules within the internal one (lan-to-lan)."

Hint: "readme" file has a "quick setup" section with some useful tips for
each usage scenario.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.12.29.16.17.17@gmail.com
 
12-29-2010, 03:27 PM
AG
Allowing network printing through Arno's IP Tables

On 29/12/10 16:17, Camaleón wrote:
>> On 28/12/10 15:02, Camaleón wrote:
>>
>>> I'm not very good at "firewalling" but I guess you will have to put
>>> your internal network inside the "trusted" side. By performing a quick
>>> read on the Arno's IP tables manual
>>> ("/usr/share/doc/arno-iptables-firewall/README.gz") I suppose it
>>> should be set using "FULL_ACCESS_HOSTS" variable. If that works, then
>>> you can fine-tune the rule and allow access only to the desired host in
>>> the required port.
>
> Try to set the variable I mentioned in my previous post, adjust it to fit your
> needs and reload the firewall service, then test CUPS again. Basically,
> what this variable should do is tell iptables "hey, "eth0" manages my
> LAN traffic so reject all the external connections (from remote-to-lan)
> but relax the rules within the internal one (lan-to-lan)."

I'll try this again in a bit and come back to you.

> Hint: "readme" file has a "quick setup" section with some useful tips for
> each usage scenario.
>
> Greetings,

Thanks as always

AG


Archive: http://lists.debian.org/4D1B6178.7030803@gmail.com
 
