Michel, posted April 7, 2003: I can chat on MSN, but I would also like to send and receive files... I had opened 1891-1900 for sending of files on TCP, but it wouldn't work..... How can I receive without permanently leaving my incoming ports open? I'm using Shorewall and maybe in the future also Prelude... Thanks
MottS, posted April 7, 2003: Put the following in /etc/shorewall/rules:

ACCEPT net masq:YourIP tcp 6890:6900 -

I'm using a dedicated Mandrake box with Shorewall on it, so this is why I use the 'masq' command (ICS is enabled). But I'm sure you can adapt it to a one-interface machine.. MOttS
Michel, posted April 7, 2003: Sorry, but I've never used masquerade (but will investigate if needed...). Won't your internet connection always be open?

Michel, posted April 7, 2003: Sorry, maybe not clear: won't ports 6890-6900 always be open for incoming traffic?
MottS, posted April 7, 2003: Hi Michel. Actually the command is:

DNAT net masq:YourIP tcp 6891:6900 -

This forwards the ports from the server to your computer (the one having YourIP behind the masquerading server). For a two-interface server that does not use masquerading you can use 'loc' instead of 'masq'. That should do the trick. In that case I guess you can remove the ':YourIP' part. If you have a one-interface system (i.e., Shorewall is installed on the computer running MSN - I mean Gaim or aMSN) then the command is:

ACCEPT net fw tcp 6891:6900 -

"Sorry, maybe not clear: won't ports 6890-6900 always be open for incoming traffic?"

Yes, this will open the ports permanently. But all these ports will actually be CLOSED until you send a file. Those ports would otherwise be FILTERED. Here is the proof.

[root@localhost gd]# nmap -sS -p 6891-6900 www.google.fr
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
sendto in send_tcp_raw: sendto(3, packet, 40, 0, 216.239.51.99, 16) => Operation not permitted
Interesting ports on (216.239.51.99):
Port State Service
6891/tcp filtered unknown
6892/tcp filtered unknown
6893/tcp filtered unknown
6894/tcp filtered unknown
6895/tcp filtered unknown
6896/tcp filtered unknown
6897/tcp filtered unknown
6898/tcp filtered unknown
6899/tcp filtered unknown
6900/tcp filtered unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

OR

[root@localhost gd]# nmap -sS -p 6891-6900 chuck.no-ip.com
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
sendto in send_tcp_raw: sendto(3, packet, 40, 0, 66.36.130.202, 16) => Operation not permitted
All 10 scanned ports on dsl-130-202.aei.ca (66.36.130.202) are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

I.e., the ports are FILTERED on someone who did not put those lines in his firewall's config but are CLOSED on someone who did. The only moment when they will be opened is when you send a file. At that time, you are the server and your friend is the client. So don't worry about that.. BTW, you only need those ports to be opened when you send a file. In that case you are the server.. like if you run Apache or something. To receive files you don't need any tweak, since you connect to a server (you are the client) exactly like you connect to mandrakeusers.org.. i.e., you don't need to modify /etc/shorewall/rules.. did you? :P HTH MOttS
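Added example (not from the thread or from Shorewall's own code): the script below does two things the post argues in prose. `shorewall_rule()` emits the rules line for each of the three topologies MottS describes (firewall on the MSN client itself, two-interface firewall with a 'loc' zone, masquerading firewall with a 'masq' zone), in the six-column layout the thread uses, and refuses a malformed port range or a missing client address. `probe()` classifies a TCP port the way nmap does for a full connect: a completed handshake is "open", a RST is "closed", silence until the timeout is "filtered" (a DROP rule). `demo_listener_states()` then shows the "closed until you send a file, open while you send it" behaviour locally by standing up a throwaway listener on the loopback interface in place of the file-transfer server. The column layout, the 'fw'/'loc'/'masq' zone names and the 192.168.0.2 client address are assumptions taken from the thread, not verified against any particular Shorewall release.

```python
"""Shorewall rule lines for the MSN file-transfer ports, plus a connect-scan style port probe."""
import socket
from typing import Optional, Tuple

# Port range named in the thread for MSN file transfer (sender side listens here).
MSN_PORTS = (6891, 6900)


def shorewall_rule(topology: str, ports: Tuple[int, int] = MSN_PORTS,
                   client_ip: Optional[str] = None) -> str:
    """Return one /etc/shorewall/rules line in the thread's column layout.

    ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)

    topology 'fw'   -> Shorewall runs on the MSN client itself (ACCEPT to the firewall)
    topology 'loc'  -> two-interface firewall, client on the local zone (DNAT to it)
    topology 'masq' -> two-interface firewall with masquerading (DNAT to the masq zone)
    Zone names are assumptions taken from the thread, not a Shorewall default.
    """
    lo, hi = ports
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range {lo}:{hi}")
    prange = f"{lo}:{hi}"
    if topology == "fw":
        return f"ACCEPT\tnet\tfw\ttcp\t{prange}\t-"
    if topology in ("loc", "masq"):
        if client_ip is None:
            raise ValueError("DNAT needs the address of the client behind the firewall")
        socket.inet_aton(client_ip)  # rejects obviously malformed dotted quads
        return f"DNAT\tnet\t{topology}:{client_ip}\ttcp\t{prange}\t-"
    raise ValueError(f"unknown topology {topology!r}")


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port from a full connect, using nmap's vocabulary.

    open        -> three-way handshake completed, something is listening
    closed      -> RST came back: port is reachable (ACCEPT/REJECT) but nothing listens
    filtered    -> no answer before the timeout: a DROP rule is eating the SYN
    unreachable -> no route, DNS failure, etc.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def demo_listener_states() -> Tuple[str, str]:
    """Reproduce the post's point on loopback: an ACCEPTed port reads 'closed' until a
    listener appears and 'open' while it exists. The listener here is a stand-in for the
    MSN client that only listens while a file is being sent."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port so the demo never collides
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()                         # "file transfer finished": listener goes away
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    for topo, ip in (("fw", None), ("loc", "192.168.0.2"), ("masq", "192.168.0.2")):
        print(shorewall_rule(topo, client_ip=ip))
    print("while listening / after close:", demo_listener_states())
```

To check a real firewall the way the post does, point `probe()` at the public address of the Shorewall box for ports 6891-6900: "filtered" on every port means the rule is missing (or is a DROP), "closed" means the rule is in place and nothing is listening, and "open" should only ever appear while a transfer is in progress. A DNAT rule that is in place but points at the wrong client address also reads "closed" or "filtered" depending on what that host does, so the probe alone cannot tell you the ':YourIP' part is right.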
Michel, posted April 8, 2003: There was nothing in the rules file. I block everything and allow only certain outgoing connections, in combination with ALLOW-RELATED.
MottS, posted April 8, 2003: But to be able to send files, you need to be the server.. so you need to add stuff to your /etc/shorewall/rules file. Sorry, but that's how it is... :? MOtts
Relic2K, posted April 30, 2003: "There was nothing in the rules file. I block everything and allow only certain outgoing connections, in combination with ALLOW-RELATED."

I use Guarddog Firewall, which has an option for aMSN/MSN, along with quite a few other services, and it works with iptables, vice ipchains. You can view some screenshots here: http://www.simonzone.com/software/guarddog/