--On 26 April 2005 18:49 +0200 Alexander Dalloz <ad+lists@xxxxxxxxx> wrote:
On Tue, 26.04.2005, Sasa Stupar wrote at 18:22:
Finally it is working. I have set up the firewall with Shorewall and now I can print to the printserver.
Sasa
Would you please be so kind and inform us about what now is different with your filtering? It may help others in future with a similar question.
Alexander
Before, I tried to set up the firewall with Firestarter and with RH-firewall-config. In either case I couldn't print from the firewalled machine to the printserver.
Then I set up Shorewall 2.2.3 and set up the firewall with it (via Webmin) and now I can print from every firewalled machine (with Shorewall installed and configured).
The only thing I found is an option in shorewall.conf called DROPINVALID which has to be set to No, otherwise I can't print. From the shorewall.conf:
------------
# DROP INVALID PACKETS
#
# Netfilter classifies packets relative to its connection tracking table into
# four states:
#
# NEW - the packet initiates a new connection
# ESTABLISHED - the packet is part of an established connection
# RELATED - the packet is related to an established connection; it may
# establish a new connection
# INVALID - the packet does not relate to the table in any sensible way.
#
# Recent 2.6 kernels include code that evaluates TCP packets based on TCP
# Window analysis. This can cause packets that were previously classified as
# NEW or ESTABLISHED to be classified as INVALID.
#
# The new kernel code can be disabled by including this command in your
# /etc/shorewall/init file:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
#
# Additional kernel logging about INVALID TCP packets may be obtained by
# adding this command to /etc/shorewall/init:
#
# echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
#
# Traditionally, Shorewall has dropped INVALID TCP packets early. The DROPINVALID
# option allows INVALID packets to be passed through the normal rules chains by
# setting DROPINVALID=No.
#
# If not specified or if specified as empty (e.g., DROPINVALID="") then
# DROPINVALID=Yes is assumed.
DROPINVALID=No
-----------------------
Regards, Sasa
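An added example, not part of the thread: a shell audit of the settings the quoted shorewall.conf excerpt describes, reporting when INVALID packets are no longer dropped early or when the kernel's TCP window analysis is switched off. The function names, the NETFILTER_DIR override and the sample file are constructed for illustration; that the last assignment wins and that the value is case-insensitive are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the settings the excerpt describes.
# NETFILTER_DIR may be overridden; the default is the path quoted in the excerpt.
NETFILTER_DIR=${NETFILTER_DIR:-/proc/sys/net/ipv4/netfilter}

# Print the effective DROPINVALID of config file $1 as "Yes" or "No".
# Rule from the excerpt: not specified, or specified as empty, means Yes.
# Assumptions: the last assignment wins and the value is case-insensitive.
effective_dropinvalid() {
    tr -d "\"'" < "$1" | awk '
        /^[ \t]*DROPINVALID=/ {
            v = $0
            sub(/^[ \t]*DROPINVALID=[ \t]*/, "", v)
            sub(/[ \t#].*$/, "", v)      # keep the first token only
            last = v
        }
        END { print (tolower(last) == "no" ? "No" : "Yes") }'
}

# Print the value of conntrack knob $1, or "n/a" when the kernel lacks it.
conntrack_knob() {
    if [ -r "$NETFILTER_DIR/$1" ]; then cat "$NETFILTER_DIR/$1"; else echo "n/a"; fi
}

# Print one finding per line for config file $1.
audit() {
    if [ "$(effective_dropinvalid "$1")" = "No" ]; then
        echo "WARN DROPINVALID=No: INVALID packets traverse the normal rules chains"
    else
        echo "OK DROPINVALID=Yes: INVALID packets are dropped early"
    fi
    if [ "$(conntrack_knob ip_conntrack_tcp_be_liberal)" = "1" ]; then
        echo "WARN ip_conntrack_tcp_be_liberal=1: TCP window analysis is disabled"
    fi
    if [ "$(conntrack_knob ip_conntrack_log_invalid)" = "0" ]; then
        echo "INFO ip_conntrack_log_invalid=0: INVALID packets are not logged"
    fi
}

# Constructed sample: a commented default followed by the setting from the message.
sample=$(mktemp)
printf '%s\n' '# DROPINVALID=Yes is assumed.' 'DROPINVALID=No' > "$sample"
audit "$sample"
rm -f "$sample"
```

With ip_conntrack_log_invalid set to 1, the kernel log shows which packets were classified INVALID, which helps narrow the cause before leaving DROPINVALID=No in place.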