Re: Firewall activity log -


On Fri, Apr 23, 2010 at 1:10 PM, Bob Goodwin <bobgoodwin@xxxxxxxxxxxx> wrote:

   Through F-11 I ran Firestarter; it is not available for F-12, apparently.

   The attractive thing with Firestarter was the log it produced. When
   I had a problem with an application I could look at the log and see
   what the firewall was blocking. How can I do that with the firewall
   provided with F-12? I have an application that doesn't work properly
   with the firewall enabled but is good with it disabled. Obviously I
   would like to know why.

   Any help appreciated.

You'd need to add log rules yourself.  How and where to add them depends
on your current firewall setup.

If you can test your failing application during a time when the network is quiet,
you can start by just looking at the counts to see where packets are being dropped.

For example, on my F12 desktop, I did the following as root.  The first command
zeroes out the counters, the second was done a few seconds later:

# iptables -Z
# iptables --line-number -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        9  1192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        1    97 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
num   pkts bytes target     prot opt in     out     source               destination        

As you can see, in the few seconds between commands, 9 RELATED or
ESTABLISHED packets came in (and were accepted by rule 1).  One packet was
rejected by rule 5.

If I wanted to get details about the rejected packets, I'd add a log rule just before
the reject rule (DO NOT JUST COPY THIS COMMAND!  Your iptables rules
are probably different.):

  iptables -I INPUT 5 -j LOG --log-prefix "iptables INPUT: "

which would add a non-terminating LOG rule as rule 5 in the INPUT chain,
just before the REJECT (which would become rule 6).  Then you could
scan /var/log/messages for "iptables" entries, each of which would tell you
what type of packet was being rejected, including ip address, protocol and port.
From that, you could craft an iptables rule to accept it.  I'm assuming that you
do all this from the target F12 system.

As always, be careful!  Learn as much about networking, iptables and the
specific failing app as you can.

Doesn't the failing app's documentation tell you what openings it needs in
the firewall?

--
Dale Dellutri
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
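The procedure above (zero the counters, spot the REJECT rule whose counter moved, log in front of it, read the key=value lines the kernel writes, turn one into an ACCEPT rule) as an added, runnable example. This is not code from the post or from Fedora; the iptables listing and the /var/log/messages lines inside it are constructed samples (the hostname f12box and the addresses are made up), although the key=value layout of the log lines is the one the kernel LOG target actually writes.

```python
"""Find what an iptables firewall is rejecting and draft the ACCEPT rule.

Added example, not code from the original post.  All sample input below is
constructed: a counter listing like the one in the post, and three syslog
lines of which two are kernel LOG entries and one is unrelated sshd noise.
"""
import re

LOG_PREFIX = "iptables INPUT: "

# Constructed sample of `iptables --line-numbers -nvL` taken a few seconds
# after `iptables -Z`; the rule set mirrors the one discussed above.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9  1192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        1    97 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
num   pkts bytes target     prot opt in     out     source               destination
"""

# Constructed /var/log/messages excerpt.  Only lines carrying our --log-prefix
# are LOG entries; the sshd line is there to make sure noise is skipped.
SAMPLE_MESSAGES = """\
Apr 23 13:12:01 f12box kernel: iptables INPUT: IN=eth0 OUT= MAC=00:1e:52:aa:bb:cc:00:24:8c:dd:ee:ff:08:00 SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=45123 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 13:12:03 f12box kernel: iptables INPUT: IN=eth0 OUT= MAC=00:1e:52:aa:bb:cc:00:24:8c:dd:ee:ff:08:00 SRC=192.168.1.20 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
Apr 23 13:12:04 f12box sshd[2401]: Accepted publickey for bob from 192.168.1.20 port 50122 ssh2
"""


def hot_deny_rules(listing):
    """Return (chain, rule_number, packets, target) for every REJECT or DROP
    rule whose packet counter moved since the counters were zeroed."""
    hits, chain = [], None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        f = line.split()
        if len(f) < 4 or not f[0].isdigit():      # header line or blank
            continue
        num, pkts, target = int(f[0]), int(f[1]), f[3]
        if target in ("REJECT", "DROP") and pkts > 0:
            hits.append((chain, num, pkts, target))
    return hits


def log_rule_command(chain, num, prefix=LOG_PREFIX):
    """The non-terminating LOG rule to insert at position `num`, i.e. directly
    above the REJECT/DROP rule that currently occupies that slot."""
    return 'iptables -I %s %d -j LOG --log-prefix "%s"' % (chain, num, prefix)


def parse_log_lines(text, prefix=LOG_PREFIX):
    """Return one dict of key=value fields per LOG entry carrying `prefix`.
    Bare flags such as DF or SYN have no '=' and are deliberately ignored."""
    entries = []
    for line in text.splitlines():
        i = line.find(prefix)
        if i < 0:
            continue
        entries.append(dict(re.findall(r"(\w+)=(\S*)", line[i + len(prefix):])))
    return entries


def suggest_accept_rule(entry, chain="INPUT", insert_at=5, restrict_source=False):
    """Draft the narrowest ACCEPT rule for one logged packet: the interface,
    protocol and destination port seen, optionally pinned to the source host.
    Inserting at the slot the LOG rule occupies keeps it above both LOG and
    REJECT, so accepted traffic stops being logged as well as rejected."""
    proto = entry.get("PROTO", "").lower()
    parts = ["iptables", "-I", chain, str(insert_at)]
    if entry.get("IN"):
        parts += ["-i", entry["IN"]]
    if restrict_source and entry.get("SRC"):
        parts += ["-s", entry["SRC"]]
    if proto in ("tcp", "udp"):
        parts += ["-p", proto, "--dport", entry["DPT"]]
        if proto == "tcp":
            parts += ["-m", "state", "--state", "NEW"]
    elif proto:                                    # icmp or a numeric protocol
        parts += ["-p", proto]
    parts += ["-j", "ACCEPT"]
    return " ".join(parts)


if __name__ == "__main__":
    for chain, num, pkts, target in hot_deny_rules(SAMPLE_LISTING):
        print("%s rule %d (%s) matched %d packet(s); log it with:" % (chain, num, target, pkts))
        print("  " + log_rule_command(chain, num))
    for e in parse_log_lines(SAMPLE_MESSAGES):
        print("rejected %s %s:%s -> %s:%s on %s" % (e.get("PROTO"), e.get("SRC"),
              e.get("SPT", "-"), e.get("DST"), e.get("DPT", "-"), e.get("IN")))
        print("  " + suggest_accept_rule(e))
```

Run it on a real box by replacing the two constructed samples with the output of `iptables --line-numbers -nvL` and `grep 'iptables INPUT:' /var/log/messages`; the suggested rules are drafts to read, not to apply blindly, and `restrict_source=True` is the least-privilege choice when the peer is a single known host.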