Linux Netfilter discussions
* Getting Tftp to run with this Rule set
From: Ralph Blach @ 2005-08-11 13:16 UTC (permalink / raw)
  To: netfilter

I have a Fedora Core 3 x86_64 box running with this rule set as generated by the fedora
firewall bring up.  Eth1 is a trusted interface, and is the private network.
dhcp runs fine, and returns a file name, yet tftpd does not run, getting a port rejected.

I have two ethernets in my box.

10.0.0.1 and a.b.c.d.  The 10.0.0.x is the private network and the a.b.c.d is my public network.

Everything works fine except tftpd which gets this error

08:45:49.945234 IP 10.0.0.10.2593 > 10.0.0.1.32819: UDP, length 4
08:45:49.945261 IP 10.0.0.1 > india10: icmp 40: 10.0.0.1 udp port 32819 unreachable
08:45:52.612474 IP 10.0.0.10.2593 > 10.0.0.1.32819: UDP, length 4
08:45:52.612521 IP 10.0.0.1 > india10: icmp 40: 10.0.0.1 udp port 32819 unreachable

What rule set do I add so that ports on eth1 above 1024 will be accessible on eth1 and tftp will
work?

Thanks

Chip

Here is the rule set
/etc/rc.d/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.0.0.0/24          0.0.0.0/0           to:a.b.c.d

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Table: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

-- 
Ralph "Chip" Blach
chipper@us.ibm.com
IBM Linux Technology Center
Raleigh, North Carolina
919 543 1207




* Re: Getting Tftp to run with this Rule set
From: /dev/rob0 @ 2005-08-11 17:37 UTC (permalink / raw)
  To: netfilter

On Thursday 2005-August-11 08:16, Ralph Blach wrote:
> I have a Fedora 3 core 86_64 box running with this rule set as
> generated by the fedora firewall bring up.  Eth1 is a trusted

I haven't seen it recently, but I know that older versions of Fedora 
(and Red Hat) default firewalls are utterly useless. If you want to 
learn iptables yourself, fine; if not, look on freshmeat for something 
better. Just about anything you might find is probably better.

At this time I don't have something specific I can recommend. Before I 
learned iptables I used MonMotha's, but that's too complicated for my 
liking.

> What rule set do I add so that ports on eth1 above 1024 will be
> accessible on eth1 and tftp will work?

Wrong question. Use stateful inspection as described in the Packet 
Filtering HOWTO. The ipchains-style approach of opening high ports is a 
terrible idea, completely unnecessary with iptables.

I could answer your question, but I won't. It is documented in the 
manual, of course.

> Here is the rule set
> /etc/rc.d/init.d/iptables status

No, that's not. It doesn't tell us much at all. iptables-save(8) output 
is far more useful.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
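
The stateful approach the reply recommends, as an added example that is not from the thread, from Fedora or from the Packet Filtering HOWTO: assuming eth1 is the trusted 10.0.0.0/24 side and the kernel ships the TFTP conntrack helper, this script emits an iptables-save-format replacement for the quoted RH-Firewall-1-INPUT chain and feeds it to iptables-restore. The raw-table `CT --helper tftp` rule is the current way to attach the helper; 2005-era kernels assigned it automatically once ip_conntrack_tftp was loaded.

```shell
#!/bin/sh
# Added example, not from the thread: stateful replacement for the quoted
# RH-Firewall-1-INPUT chain, in iptables-save format. Assumed: eth1 is the
# trusted LAN (10.0.0.0/24) and the kernel has the TFTP conntrack helper
# (nf_conntrack_tftp today, ip_conntrack_tftp on 2005-era kernels).
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/24}"

build_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Bind the tftp helper to the control port, so the server's reply from a
# fresh high port is tracked as RELATED instead of arriving as NEW.
-A PREROUTING -i $LAN_IF -p udp --dport 69 -j CT --helper tftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Services offered on the LAN side only: DHCP, TFTP control port, SSH.
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 69 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 --syn -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Sanity check: the stateful ACCEPT must precede the final REJECT, and no
# rule may open a bare high-port range (the ipchains habit warned against).
validate_ruleset() {
    rules=$(build_ruleset)
    printf '%s\n' "$rules" | grep -q -- '--dport 1024:' && return 1
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    rej=$(printf '%s\n' "$rules" | grep -n 'icmp-host-prohibited' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ]
}

if [ "$1" = "apply" ]; then
    modprobe nf_conntrack_tftp 2>/dev/null || modprobe ip_conntrack_tftp
    validate_ruleset && build_ruleset | iptables-restore
fi
```

One check worth making before changing rules at all: the quoted REJECT rule answers with icmp-host-prohibited, while the tcpdump above shows plain `udp port 32819 unreachable`, which the host itself sends when nothing is listening on that port. That points at the tftpd side rather than at the filter chain.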



* Can someone recommend a good simple firewall script?
From: /dev/rob0 @ 2005-08-11 17:52 UTC (permalink / raw)
  To: netfilter

On Thursday 2005-August-11 12:37, I hunted and pecked:
> learn iptables yourself, fine; if not, look on freshmeat for
> something better. Just about anything you might find is probably
> better.
>
> At this time I don't have something specific I can recommend. Before
> I learned iptables I used MonMotha's, but that's too complicated for
> my liking.

I don't have time to go looking, but ISTM that many of today's crop of 
questions were related to this poster's issue. They are probably not 
really wanting to learn firewalling, they simply want to have a rule 
set that works and is easy to manage.

Yes, I know there are things like firestarter which can generate 
rulesets. But is there something non-GUI, and simple?

Am I going to have to write one myself? :) There are 37 hits for 
http://freshmeat.net/search/?q=iptables+script . Most of them look 
unmaintained.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* Re: Can someone recommend a good simple firewall script?
From: Tom Eastep @ 2005-08-11 18:00 UTC (permalink / raw)
  To: /dev/rob0; +Cc: netfilter

/dev/rob0 wrote:

>
> I don't have time to go looking, but ISTM that many of today's crop of
> questions was related to this poster's issue. They are probably not
> really wanting to learn firewalling, they simply want to have a rule
> set that works and is easy to manage.
>
> Yes, I know there are things like firestarter which can generate
> rulesets. But is there something non-GUI, and simple?
>
> Am I going to have to write one myself? :) There are 37 hits for
> http://freshmeat.net/search/?q=iptables+script . Most of them look
> unmaintained.

Shorewall is non-GUI and still actively maintained and supported.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


* Re: Can someone recommend a good simple firewall script?
From: Anthony DiSante @ 2005-08-11 19:06 UTC (permalink / raw)
  To: netfilter

/dev/rob0 wrote:
>>learn iptables yourself, fine; if not, look on freshmeat for
>>something better. Just about anything you might find is probably
>>better.
>>
>>At this time I don't have something specific I can recommend. Before
>>I learned iptables I used MonMotha's, but that's too complicated for
>>my liking.
> 
> I don't have time to go looking, but ISTM that many of today's crop of 
> questions was related to this poster's issue. They are probably not 
> really wanting to learn firewalling, they simply want to have a rule 
> set that works and is easy to manage.
> 
> Yes, I know there are things like firestarter which can generate 
> rulesets. But is there something non-GUI, and simple?

I'm not an expert with firewalls, but it seems to me that many people would 
be well-served by something even more basic than a simple ruleset-generator.

Two of the most common services anyone would want to offer are HTTP and SSH. 
And many people are either directly connected to the internet (i.e. the PC 
has a public IP) or else are behind a hardware router (the PC has a private IP).

Let's further assume that in many/most cases, people in that situation (who 
want HTTP and SSH open) would want the system completely locked down otherwise.

Given those constraints, which I think would apply to many people in many 
situations, couldn't we ("we" meaning the experts, excluding myself here) 
just provide two static rulesets that would satisfy all these people?  One 
for the system with a public IP, and one for the system behind a router?

-Anthony DiSante
http://encodable.com/
http://nodivisions.com/


