On 23/04/10 16:16, Dale Dellutri wrote:
> On Fri, Apr 23, 2010 at 1:10 PM, Bob Goodwin <bobgoodwin@xxxxxxxxxxxx> wrote:
>
>> Through F-11 I ran Firestarter, it is not available for F-12 apparently.
>>
>> The attractive thing with firestarter was the log it produced. When
>> I had a problem with an application I could look at the log and see
>> what the firewall was blocking. How can I do that with the firewall
>> provided with F-12? I have an application that doesn't work properly
>> with the firewall enabled but is good with it disabled. Obviously I
>> would like to know why.
>>
>> Any help appreciated.
>
> You'd need to add log rules yourself. How and where to add them depends
> on your current firewall setup.
>
> If you can test your failing application during a time when the
> network is quiet, you can start by just looking at the counts to see
> where packets are being dropped.
>
> For example, on my F12 desktop, I did the following as root. The
> first command zeroes out the counters, the second was done a few
> seconds later:
>
> # iptables -Z
> # iptables --line-number -nvL
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        9  1192 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> 2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> 3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
> 4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 5        1    97 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>
> Chain OUTPUT (policy ACCEPT 10 packets, 1868 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
>
> As you can see, in the few seconds between commands, 9 RELATED or
> ESTABLISHED packets came in (and were accepted by rule 1). 1 packet was
> rejected by rule 5.
>
> If I wanted to get details about the rejected packets, I'd add a log
> rule just before the reject rule (DO NOT JUST COPY THIS COMMAND! Your
> iptables rules are probably different.):
>
> iptables -I INPUT 5 -j LOG --log-prefix "iptables INPUT: "
>
> which would add a non-terminating LOG rule as rule 5 in the INPUT chain,
> just before the REJECT (which would become rule 6). Then you could
> scan /var/log/messages for "iptables" entries, each of which would
> tell you what type of packet was being rejected, including ip address,
> protocol and port. From that, you could craft an iptables rule to
> accept it. I'm assuming that you do all this from the target F12 system.
>
> As always, be careful! Learn as much about networking, iptables and the
> specific failing app as you can.
>
> Doesn't the failing app's documentation tell you what openings it needs in
> the firewall?
>
> --
> Dale Dellutri

First, thanks for the information. I will play with that and save it in
my notes. Yes, I knew what ports it wanted, and I had opened them in the
router, but it turns out iptables was blocking them. I used the "setup"
utility to open ports 5198-5200 and things immediately began to work.

But the scheme you describe for determining what is being blocked is
what I need. I will experiment with that.

Again thanks for the help.

Bob

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
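The step Dale describes after adding the LOG rule, scanning /var/log/messages for the prefixed entries to find which protocol and port the rejected packets were using, is shown below as an added example that is not part of this thread. It parses the KEY=VALUE fields the netfilter LOG target writes, tallies rejected packets by protocol and destination port, and builds the narrow ACCEPT rule one would insert above the LOG/REJECT pair; the log lines, hostname and addresses are constructed, and the port numbers are the 5198-5200 range from Bob's reply.

```python
import re
import sys
from collections import Counter

# Constructed sample of /var/log/messages after the LOG rule is in place.
# Format is the netfilter LOG target's; host, MACs and addresses are made up.
SAMPLE_LOG = """\
Apr 23 16:20:01 f12box kernel: iptables INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=40210 DPT=5198 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 16:20:02 f12box kernel: iptables INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40211 DPT=5198 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 16:20:03 f12box kernel: iptables INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1236 PROTO=UDP SPT=5199 DPT=5199 LEN=28
Apr 23 16:20:04 f12box kernel: iptables INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.5 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 PROTO=ICMP TYPE=8 CODE=0
Apr 23 16:20:05 f12box sshd[2210]: Accepted publickey for bob from 192.168.1.5 port 40300 ssh2
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=VALUE pairs; bare flags like DF/SYN are skipped


def parse_log_line(line, prefix="iptables INPUT: "):
    """Return the fields of one LOG entry as a dict, or None when the line
    does not carry the prefix (ordinary syslog traffic is ignored)."""
    if prefix not in line:
        return None
    return dict(FIELD_RE.findall(line.split(prefix, 1)[1]))


def summarize_rejects(lines, prefix="iptables INPUT: "):
    """Count logged packets by (protocol, destination port) so the port the
    failing application needs stands out. ICMP has no port, keyed as None."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields is not None:
            counts[(fields.get("PROTO", "?"), fields.get("DPT"))] += 1
    return counts


def accept_rule(proto, dport, insert_at):
    """Build the narrow ACCEPT rule to place above the LOG/REJECT rules; only
    new connections to the one port are opened, not the whole firewall."""
    return (f"iptables -I INPUT {insert_at} -m state --state NEW "
            f"-p {proto.lower()} --dport {dport} -j ACCEPT")


if __name__ == "__main__":
    # On the real box: python3 rejects.py < /var/log/messages
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for (proto, dport), n in summarize_rejects(source).most_common():
        print(f"{n:4d} {proto:5s} dpt={dport}")
```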