Apologies in advance for the lengthy reply...
Some services (FTP, PPTP, H323 video, and many online games, for example) work like this:
- Client (originator) initiates connection to remote server
- Firewall passes outbound traffic
- Remote server initiates a new connection back to the originator
Without special configuration or consideration, the new return connection is blocked by the firewall and the connection fails.
UPnP / NAT-PMP are/were an attempt to allow these return connections automatically (whose poor implementation resulted in dozens of infected Windows systems at my clients when Windows first started supporting UPnP...)
There are usually two ways for these services to work:
1) The firewall includes special rules that recognize the outbound initiation and configure an automatic rule to allow the expected return traffic to be sent from the specific remote server back to the specific local client.
2) The service (sometimes in the remote server, sometimes in the local client) can be configured to use a specific port range for replies, and a manual rule can be configured in the firewall to forward that range back to the client / originator.
Method 1 depends on the firewall, of course, and is hard to control after the fact. SME server (as of v7.1, the last time I researched this in depth...) includes rules for FTP and PPTP, but not H323, for example. "Gaming" (I believe) includes rules to allow the return traffic. UPnP is not supported.
Method 2 requires control of both ends (originator, firewall, and remote server), requires that the remote service can actually be configured to use a finite port range for replies, and only solves your problem for one LAN client at a time.
A third method would be to configure your firewall to treat the originator/client as the DMZ host. Horribly insecure, but there you are...
The last option I can think of would be:
1) Establish a PPTP tunnel from the LAN client to your SME - with the LAN client configured to "use remote server as default gateway" (the default in Windows, not the default for anyone else)
2) Then run your port-challenged program.
(I don't know if this will work, it's just an idea).
More specific advice would require knowledge of the specific service you're trying to contact on port 9008. Begin by searching Google for "firewall rules" for that service, e.g.:
"firewall rules asheron's call"
"firewall rules ogs-server"
or
"iptables asheron's call"
"iptables ogs-server"
...
(you get the idea).
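The three admission paths described in the reply above (a protocol helper that tracks the outbound session, a static port-range forward, and a DMZ host), modelled as a toy stateful firewall. This is an added example, not code from the post or from SME Server; the `Conn`, `Expectation` and `Firewall` names, the helper table and all addresses and ports are constructed for illustration, and no NAT rewriting is modelled.

```python
"""Toy stateful firewall showing how a return connection initiated by the
remote server can be admitted: a helper expectation (method 1), a static
port-range forward (method 2) or a DMZ host (method 3).  Constructed
example; not SME Server or iptables code.  Hosts and ports are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Conn:
    """One connection attempt as seen by the firewall (no NAT modelled)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Expectation:
    """Return connection a helper expects: from remote_ip back to client_ip.
    remote_port None means 'any source port' (e.g. PPTP's GRE has none)."""
    remote_ip: str
    remote_port: Optional[int]
    client_ip: str


# Hypothetical helper table: destination port of the outbound control
# connection -> source port the server will call back from.  Active FTP is
# the classic case (control to 21, data back from 20); PPTP (1723) is
# followed by GRE, which has no ports at all.
HELPERS: Dict[int, Optional[int]] = {21: 20, 1723: None}


@dataclass
class Firewall:
    lan: Set[str]
    # Method 2: (low, high) destination-port range -> the one LAN host
    # allowed to receive it.  Note it can only name a single client.
    forwards: Dict[Tuple[int, int], str] = field(default_factory=dict)
    # Method 3: host that receives everything nothing else matched.
    dmz_host: Optional[str] = None
    expectations: List[Expectation] = field(default_factory=list)

    def outbound(self, c: Conn) -> bool:
        """Pass LAN-originated traffic and, if the destination port has a
        helper, register the return connection it will need (method 1)."""
        if c.src_ip not in self.lan:
            return False
        if c.dst_port in HELPERS:
            self.expectations.append(
                Expectation(c.dst_ip, HELPERS[c.dst_port], c.src_ip))
        return True

    def inbound(self, c: Conn) -> Tuple[str, str]:
        """Decide on a connection arriving from outside: (verdict, reason)."""
        # Method 1: RELATED to a tracked outbound session.  The match is on
        # the specific remote server and the specific local client, and the
        # expectation is single-use, as in real connection trackers.
        for e in self.expectations:
            if (e.remote_ip == c.src_ip and e.client_ip == c.dst_ip
                    and e.remote_port in (None, c.src_port)):
                self.expectations.remove(e)
                return "ACCEPT", "RELATED"
        # Method 2: static forward of a port range to one LAN host.
        for (lo, hi), host in self.forwards.items():
            if lo <= c.dst_port <= hi and c.dst_ip == host:
                return "ACCEPT", "FORWARD"
        # Method 3: the DMZ host gets everything, which is why it is
        # described as horribly insecure.
        if self.dmz_host is not None and c.dst_ip == self.dmz_host:
            return "ACCEPT", "DMZ"
        return "DROP", "NEW"


def demo() -> List[Tuple[str, str]]:
    """Walk the constructed scenario and return the verdicts in order."""
    fw = Firewall(lan={"192.168.1.10", "192.168.1.11"},
                  forwards={(9008, 9008): "192.168.1.10"})
    fw.outbound(Conn("192.168.1.10", 40000, "203.0.113.5", 21))   # FTP control
    return [
        fw.inbound(Conn("203.0.113.5", 20, "192.168.1.10", 41000)),   # RELATED
        fw.inbound(Conn("203.0.113.5", 20, "192.168.1.11", 41000)),   # wrong client
        fw.inbound(Conn("198.51.100.9", 5555, "192.168.1.10", 9008)), # FORWARD
        fw.inbound(Conn("198.51.100.9", 5555, "192.168.1.11", 9008)), # not forwarded
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The forward rule accepting port 9008 only for one host is the "one LAN client at a time" limitation of method 2, and the helper path is what method 1 buys you: the return connection is admitted only from the server the client actually contacted, only to that client, and only once per tracked session.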