BB Unix Network Monitor - Message


Re: {bb} BB and iptables firewall



In <db4f0b3e04110307283a996905@mail.gmail.com> Hyder Anwar <hyder.anwar@gmail.com> writes:

>When I turn on the iptables firewall, do I have to enable rules for
>the INPUT policy to accept traffic from the ports that I am monitoring
>(Example Allow incoming SSH from the machines that I am testing for
>the machines?).

What machine do you enable the firewall on? The BBDISPLAY server,
the BBNET server, or a box that you have installed the BB client
software on?

On the BBDISPLAY server, you must allow incoming connections to
the Big Brother port, TCP port 1984.

On the BBNET server, you must allow outbound connections to all of the
hosts you test network services for (those that have smtp, ftp, ssh,
http etc. in the bb-hosts file). Plus you must allow outbound
connections from the BBNET server to the BBDISPLAY server on 
tcp port 1984.

On BB clients, you must allow them to make an outbound connection
to the BBDISPLAY server on tcp port 1984.

In all cases - establishing a connection requires traffic to pass
both ways. So use iptables' "state" matching rules, or make sure
you allow traffic to go both ways.

>Secondly, which port do I open for the connectivity test?

None. ping uses ICMP packets type 0 and 8 (echo request and
echo reply, respectively).

> I thought that it was a simple ping for the connectivity test, but
>when I create a rule to allow all icmp from anywhere, the
>connectivity test goes to purple.

Make sure you allow both the outbound request, AND the incoming reply
packet. First rule of firewall configuration: If it doesn't work,
check the logs (you DO have an "iptables -j LOG" for the traffic you
discard, right?)


Henrik
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=
To unsubscribe from this list, or to subscribe to the bb-digest list
send e-mail to mailto:majordomo@bb4.com with unsubscribe bb -and/or-
subscribe bb-digest in the BODY of the message.
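The rule sets the reply describes, as an added example that is not part of the original message or of the Big Brother software itself: a POSIX sh script that emits the iptables commands for each of the three roles (BBDISPLAY, BBNET, BB client). It uses state matching so that both directions of a connection or a ping are allowed, allows the ICMP echo request and echo reply explicitly for the connectivity test, and ends each chain with a LOG rule before the DROP so discarded traffic can be found in the logs. The BBDISPLAY address, the bb-hosts excerpt and the mapping of service tags to TCP ports are constructed assumptions; by default the script only prints the commands instead of running iptables.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): iptables rule sets for the
# three Big Brother roles named in the reply. By default the commands are only
# printed; run with IPTABLES=iptables (as root) to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
BB_PORT=1984
BBDISPLAY="${BBDISPLAY:-192.0.2.10}"   # placeholder address of the BBDISPLAY server

# Constructed bb-hosts excerpt: "IP hostname # service tags", as in a real file.
HOSTS_FILE=$(mktemp)
trap 'rm -f "$HOSTS_FILE"' EXIT
cat > "$HOSTS_FILE" <<'EOF'
# ip            hostname            # tags
192.0.2.20      www.example.test    # http smtp
192.0.2.21      files.example.test  # ftp ssh
EOF

# Assumed tag-to-port mapping for the tags used in the sample above.
tag_port() {
    case "$1" in
        smtp) echo 25 ;;
        ftp)  echo 21 ;;
        ssh)  echo 22 ;;
        http) echo 80 ;;
        *)    return 1 ;;   # not a TCP service tag we know
    esac
}

# Every role: default-deny, loopback open, and connection-state matching so
# the return half of a connection (or of a ping) we started is accepted.
base_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# BBDISPLAY: accept new inbound connections to the Big Brother port.
bbdisplay_rules() {
    $IPTABLES -A INPUT -p tcp --dport "$BB_PORT" -m state --state NEW -j ACCEPT
}

# BB client: one new outbound connection to the BBDISPLAY server on the BB port.
bbclient_rules() {
    $IPTABLES -A OUTPUT -p tcp -d "$BBDISPLAY" --dport "$BB_PORT" -m state --state NEW -j ACCEPT
}

# BBNET: reports to BBDISPLAY like a client, plus outbound tests to every host
# in bb-hosts: the ping-based connectivity test and each TCP service tag.
bbnet_rules() {
    bbclient_rules
    while read -r ip name rest; do
        case "$ip" in ''|'#'*) continue ;; esac      # skip blank and comment lines
        # Ping is traffic both ways: echo request out, echo reply back. The reply
        # is also covered by ESTABLISHED above; it is listed explicitly so a rule
        # set without state matching still lets the connectivity test succeed.
        $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -d "$ip" -j ACCEPT
        $IPTABLES -A INPUT  -p icmp --icmp-type echo-reply   -s "$ip" -j ACCEPT
        tags="${rest#\#}"                              # drop the "#" before the tags
        for tag in $tags; do
            port=$(tag_port "$tag") || continue
            $IPTABLES -A OUTPUT -p tcp -d "$ip" --dport "$port" -m state --state NEW -j ACCEPT
        done
    done < "$HOSTS_FILE"
}

# Last rules in each chain: log what is about to be discarded, then drop it.
log_and_drop() {
    for chain in INPUT OUTPUT; do
        $IPTABLES -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "bb-drop-$chain: "
        $IPTABLES -A "$chain" -j DROP
    done
}

# Build the complete rule set for one role; returns 1 for an unknown role.
role_rules() {
    base_rules
    case "$1" in
        bbdisplay) bbdisplay_rules ;;
        bbnet)     bbnet_rules ;;
        bbclient)  bbclient_rules ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
    log_and_drop
}

role_rules "${1:-bbnet}"
```

Run it as `sh bb-rules.sh bbdisplay`, `sh bb-rules.sh bbnet` or `sh bb-rules.sh bbclient` to see each role's rules; `IPTABLES=iptables sh bb-rules.sh bbnet` applies them on the BBNET server. When a test still fails after this, the LOG rule at the end of each chain shows in the kernel log which direction of the traffic was dropped.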

