Koozali.org: home of the SME Server

Main Menu Contrib Feedback: Masq Manager

Muzo

Main Menu Contrib Feedback: Masq Manager
« on: August 09, 2004, 10:58:59 AM »
Hi all,

New Stuff in these revisions :
- Adding Open port Panel
- Adding Deny Port Panel
- Corrected a bug when removing an antispoofing rule

To update, remove old contribs from your sme box.
rpm -e e-smith-masq-manager-0.1.

And install new one.

Contribs link : http://no.longer.valid/mylinks/singlelink.php?cid=54&lid=372

This thread is for feedback specifically related to this How To & Contrib.
Reports of success are welcome, as well as any problems and suggested improvements.

Muzo

Main Menu Contrib Feedback: Masq Manager
« Reply #1 on: August 09, 2004, 11:00:00 AM »
I have some feedback: it seems port opening didn't work.
Can someone confirm it, please?

arnoldob
Main Menu Contrib Feedback: Masq Manager
« Reply #2 on: August 09, 2004, 11:15:48 PM »
I read the readme file in your masq manager contrib. I'm still not clear about the instructions. I have never used the packetfilter or the masq-manager on my SME 6.01 box. Do I need to install both?
Tampa, FL USA

Muzo

Main Menu Contrib Feedback: Masq Manager
« Reply #3 on: August 10, 2004, 06:58:01 PM »
Hi,

packetfilter rpm is only for SME 5.6.

arnoldob
Main Menu Contrib Feedback: Masq Manager
« Reply #4 on: August 10, 2004, 10:15:06 PM »
Thanks Muzo, got it installed, looks like a great contrib.
Tampa, FL USA

duncan

Main Menu Contrib Feedback: Masq Manager
« Reply #5 on: August 11, 2004, 02:19:08 AM »
Hi, Looks good.

However - I added a port opening rule for openvpn UDP 5000. It opened TCP 5000.

denylog all -- anywhere !10.0.0.11
ACCEPT tcp -- anywhere anywhere tcp dpt:5000
ACCEPT tcp -- anywhere anywhere tcp dpt:auth

Regards Duncan

8stargen

Main Menu Contrib Feedback: Masq Manager
« Reply #6 on: September 16, 2004, 01:15:07 PM »
Can I use this contrib to block a port SME has opened?

What I want to do is modify the IPTables so that port 22 is only accessible from one external IP. So I can SSH from home but to everyone else on the internet the port appears closed? Is that easy or tough?

Cheers,

Tim

smeghead
Main Menu Contrib Feedback: Masq Manager
« Reply #7 on: September 16, 2004, 05:52:33 PM »
Heh, 8stargen, why not VPN to your server and then run whatever you want, cos once authenticated you are treated as a local user.

Port 22 is then always closed!

8stargen

Main Menu Contrib Feedback: Masq Manager
« Reply #8 on: September 17, 2004, 10:36:01 AM »
thanks smeghead,

I gave VPN a whirl. Apart from the IP addresses on the remote network conflicting with IPs on my network it worked great. One question though....

Wouldn't leaving a port open for VPN be the same as leaving a port open for SSH? They are both secure, both require a username and password, and both give you pretty much unlimited access to the server.

Guess I'm going to have to look into iptables. I know exactly what I want... I want to restrict port 22 to XXX.IP & deny everyone else. Just don't know the syntax.

What do you reckon?

Cheers,

8 Star General
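As an added example (not part of the Masq Manager contrib or of any post in this thread), a small POSIX shell script that prints the two iptables rules that admit 22/tcp only from one trusted address, and a check that a listed rule carries the protocol the service needs, which is the mistake Duncan reported above for OpenVPN on 5000/udp. The interface name and the 203.0.113.5 address are placeholders; on SME Server the masq firewall script is regenerated from templates, so rules like these belong in a custom template rather than being typed at the prompt.

```shell
#!/bin/sh
# Added example, not from the Masq Manager contrib.
# Prints iptables rules that admit SSH (22/tcp) only from one trusted
# address and drop it for everyone else, and checks a listed rule's protocol.

# $1 = trusted source address (placeholder), $2 = external interface (assumed).
# Rule order matters: the ACCEPT for the trusted host must come before the
# DROP and before any broader rule that already accepts port 22.
ssh_restrict_rules() {
    trusted="$1"
    iface="$2"
    printf '%s\n' \
        "iptables -A INPUT -i $iface -p tcp --dport 22 -s $trusted -j ACCEPT" \
        "iptables -A INPUT -i $iface -p tcp --dport 22 -j DROP"
}

# $1 = one line of 'iptables -L' output, e.g.
#      "ACCEPT     tcp  --  anywhere  anywhere  tcp dpt:5000"
# $2 = protocol the service needs (tcp or udp).
# Returns 0 when the rule's "prot" column matches, 1 otherwise. A rule for
# OpenVPN on 5000/udp that lists tcp here is the bug reported in this thread.
rule_protocol_ok() {
    proto=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$proto" = "$2" ]
}

# Demo with constructed values (TEST-NET-3 address as a placeholder).
ssh_restrict_rules 203.0.113.5 eth1
if rule_protocol_ok "ACCEPT tcp -- anywhere anywhere tcp dpt:5000" udp; then
    echo "5000: protocol ok"
else
    echo "5000: rule is tcp but the service needs udp"
fi
```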

duncan

Main Menu Contrib Feedback: Masq Manager
« Reply #9 on: September 17, 2004, 11:30:27 AM »
On its own a PPTP vpn gives you no access to the server aside from mail etc.

smeghead
Main Menu Contrib Feedback: Masq Manager
« Reply #10 on: September 17, 2004, 07:52:34 PM »
Sorry Duncan, gotta disagree with ya here.  I regularly VPN into an SME box and then, using Remote Desktop Access, VNC, etc., connect to my clients' internal servers.  If any of the workstations on the internal network are insecurely set up they are now available to me as I am now part of this network (I know the servers are secure as I configured them in the first place :-)).

I achieve the single open port option by using a good router in front of the SME box that provides this option as a rule.

Contrary to many of the posts here I ALWAYS use a router in front of an SME and to date find it a superior setup as:

a)  only those ports I want opened to the server are actually open so at most a server has to deal with crap from about 7 ports
b)  a double NAT'd setup is just a little bit harder to mess with
c)  when combined with the SME box it gives a finer grain of control over how the connection functions
d)  the 4 port switch on the router allows me to run a DMZ of sorts if I need to
e)  router itself handles the DSL connection so one less service required on the SME

To date I have had no probs with VPN access like many have discussed tho I only use W2K or WXP to connect.

duncan

Main Menu Contrib Feedback: Masq Manager
« Reply #11 on: September 18, 2004, 03:34:33 AM »
Quote from: "smeghead"
Sorry Duncan, gotta disagree with ya here.  I regularly VPN into an SME box and then, using Remote Desktop Access, VNC, etc., connect to my clients' internal servers.  If any of the workstations on the internal network are insecurely set up they are now available to me as I am now part of this network (I know the servers are secure as I configured them in the first place :-)).

I achieve the single open port option by using a good router in front of the SME box that provides this option as a rule.

Contrary to many of the posts here I ALWAYS use a router in front of an SME and to date find it a superior setup as:

a)  only those ports I want opened to the server are actually open so at most a server has to deal with crap from about 7 ports
b)  a double NAT'd setup is just a little bit harder to mess with
c)  when combined with the SME box it gives a finer grain of control over how the connection functions
d)  the 4 port switch on the router allows me to run a DMZ of sorts if I need to
e)  router itself handles the DSL connection so one less service required on the SME

To date I have had no probs with VPN access like many have discussed tho I only use W2K or WXP to connect.

Not disagreeing with any of this. What I said was - That just running a VPN will not give root access to the server. You still need to run a ssh session across the VPN to gain access.

8stargen indicated that running a VPN would give "unlimited access" to the server - which is incorrect. Pedantic perhaps - but there are a lot of newbies here that might not pick up on the difference.

My preference is to run a VPN - and here we use openvpn which has the facility to only accept connections from defined IP addresses. Easier than trying to mod masq for PPTP.

Muzo

Main Menu Contrib Feedback: Masq Manager
« Reply #12 on: September 20, 2004, 05:00:42 PM »
Hi all,

Sorry, I'm just coming back from holidays.

No, my contrib doesn't close ports! It denies ports: it forbids access from your LAN to the internet on a specific port.

And if you open a port with this contrib you know how to close it ;)