Fedora Networking :: Add Custom Trusted Services To Firewall?
Jan 20, 2010
I'd like to have an easy way to configure the firewall, e.g. enable/disable what mythtv needs, or enable/disable what mediatomb needs. Basically open/close a few tcp and/or udp ports for all interfaces (I have two), or just one of them.
Is there a way to add my own trusted services for the firewall?
Other recommended ways to do that? Or just write a simple shell script?
I was running NFS on my Fedora box. I found that I could not mount the exported directory on the client machine (Fedora) with the firewall enabled on the NFS server. Even when I tried checking all services in the firewall (but not disabling it), it did not work. To make it work, I had to disable the firewall. Is there any way to do this without disabling the firewall?
I have a question about /etc/services file. If I open ports in firewall, do I need to alter /etc/services file in order for certain apps to work?
Code:
kpasswd 464/tcp # kpasswd
kpasswd 464/udp # kpasswd
# Theodore Ts'o <tytso&MIT.EDU>
# 465 is illegal used by eMail Server
smtps 465/tcp # eMail Server
#urd 465/tcp # URL Rendesvous Directory for SSM
igmpv3lite 465/udp # IGMP over UDP for SSM
# Toerless Eckert <eckert&cisco.com>
digital-vrc 466/tcp # digital-vrc
digital-vrc 466/udp # digital-vrc
The above example shows that if 465/tcp isn't altered, the Postfix MTA fails to listen on tcp port 465. What if there's a bigger span, 3000:7000 TCP/UDP; is there a need to alter each line by hand?
I am learning to set up a firewall at home. For that I have selected four systems (sys1, sys2, ..., sys4) for testing. I have configured sys2 to act as a firewall with two NICs. sys3 and sys4 are inside the firewall. sys1 is not connected to the firewall, for testing purposes.
The IP assignments are as follows:
sys1: (Fedora, not connected to the firewall I am thinking, but I am not sure)
What happened is that sys1 (not connected to the firewall) can ssh to sys4 (connected, inside the firewall), even though the rules are written not to allow ssh from sys1 to sys4.
Then I came to know that whatever request I give, it directly goes as sys1 --> sys4, not as sys1 --> sys2 (firewall) --> sys4, and the firewall is not filtering or processing anything for either inbound or outbound (I think it's my mistake somewhere). The requests are going directly inside without passing the firewall.
I am working with Fedora 9. I need to turn on services such as telnet, ftp, dns, nfs, dhcp etc., but the problem is I don't even find the xinetd-based services when I give this command
Code: #chkconfig --list|more
and some commands are not working for me as well, like
I tried to create a trusted connection between two machines (named "master" and "node1") for a shared account, but no luck. What I had done is as follows:
1. create user account "tester" in "master"
2. set NFS server configuration to have RW for /home/tester for "node1"
3. create user account "tester" without creating a home dir in "node1", with the same userID and groupID as the one in "master"
4. create dir "homester" in "node1" and mount to "master" (mount -t nfs master:/home/tester /home/tester). In the master node: ssh-keygen -t rsa
5. generate authorized_keys in "node1" (details not shown)
But it is not working. If I don't use /home/tester as a shared dir, and the two machines have their own /home/tester, the trusted connection gets created and scp works fine. Can we create a trusted connection for a shared account? If yes, how, and did I miss anything?
Just spent three whole days barking up the wrong tree, solving Fedora 11 and Fedora 12 boot failures because the correct hypothesis was illogical: installation did not update/modify the initrd.
The first couple of times I installed Fedora 11 on the HighPoint Technologies RocketRaid 2640x4, the installation inserted my "custom" driver module (rr26xx) into the initrd, permanently, so that the system booted off the controller card for which the custom driver was inserted. (I yelled about this success in this thread: [url]
My most recent installs of BOTH F11 and F12 on the RocketRaid failed to properly set up the boot. It turns out that the "rr2640" module I "slipstreamed" into the installation process was *NOT* permanently added to the initrd by anaconda. (F12 gave me "no root device found boot has failed, sleeping forever", on boot; F11 hung also, without such error, I presume, during the init script execution). Because of limited resources and time, I only know for sure the module was missing from the F11 initrd, and am ASSUMING the same was the case with F12.
The only difference between the successful installs and the ones with failed boot is that the successful installs were made on a single-drive (JBOD) mode on the controller; whereas, the failed ones were placed on RAID 5. But, AFAIK, the created logical device for the card is "/dev/sda", in both cases, and the kernel can not distinguish between the two cases (or can it?). Thus, the inconsistency cost me a lot of time, and is still inexplicable to me.
Question: What is the best way to deal with custom drivers, today? There are custom spins, and many tools, like isomaster. Stupid question: Is there a way to modify the initrd inside an installer ISO -- be it for CD/DVD/USB boot drive -- beefing up the init RAM disk with whatever modules you'd like for the boot process (using, say, isomaster)?
And what makes anaconda understand that a module must be added to the initrd? How can one force anaconda to do so?
How does moving to dracut as the initrd tool affect any/all of the above?
I have to deal with a reverse proxy issue and want to access a few LAN devices on ports 5900 and 9999. What exact steps do I have to follow to allow these ports in the Fedora firewall?
How can I make iptables allow my Windows client to see my PC / smb shares? When I turn off the Fedora firewall it just works fine, but how can I manage smb in a more secure way via iptables?
Code: iptables -A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
But where do I get the correct address from? Will this example allow only 192.168.0.0 (is this a valid IP at all, usable by any PC?) or anyone in the network (aka 192.168.0.*) to access my share?
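As an added example (not part of the post above), the following Python checks which source addresses an iptables `-s` spec like the one quoted admits, and builds rules that open only the standard SMB ports (137/138 UDP, 139/445 TCP) to that LAN instead of accepting all of its traffic; the port list is an assumption based on the usual SMB/NetBIOS assignments:

```python
"""Added example: evaluate an iptables '-s' source spec and derive a narrower
SMB-only rule set. Not from the original post; SMB_PORTS are the standard
NetBIOS/SMB assignments, assumed here for illustration."""
import ipaddress

# NetBIOS name (137/udp) and datagram (138/udp) services,
# NetBIOS session (139/tcp) and direct-hosted SMB (445/tcp).
SMB_PORTS = (("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445))


def parse_source(spec):
    """Parse an iptables -s value: 'a.b.c.d', 'a.b.c.d/24' or
    'a.b.c.d/255.255.255.0'. strict=False mirrors iptables, which masks
    off any host bits rather than rejecting the address."""
    return ipaddress.ip_network(spec, strict=False)


def matches(spec, addr):
    """True if a packet from addr would be matched by '-s spec'."""
    return ipaddress.ip_address(addr) in parse_source(spec)


def to_cidr(spec):
    """Rewrite a dotted-mask source spec in CIDR form (e.g. 192.168.0.0/24)."""
    return parse_source(spec).with_prefixlen


def smb_rules(lan_spec):
    """Rules that admit only SMB traffic from the LAN. The rule quoted in the
    post accepts every port from the LAN; these accept just four."""
    lan = to_cidr(lan_spec)
    return [f"iptables -A INPUT -s {lan} -p {proto} --dport {port} -j ACCEPT"
            for proto, port in SMB_PORTS]


if __name__ == "__main__":
    spec = "192.168.0.0/255.255.255.0"  # the source spec quoted in the post
    for host in ("192.168.0.1", "192.168.0.254", "192.168.1.5", "10.0.0.7"):
        print(f"{host:>14} matched by -s {spec}: {matches(spec, host)}")
    print("\n".join(smb_rules(spec)))
```

A bare `-s 192.168.0.0` with no mask is a /32 and matches only that single address, which the check above also shows.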
The firewall in Fedora 12 seems to block UPnP by default, but opening port 1900 for UDP, as I have seen suggested, does not resolve the problem. I have the following three scenarios:
Firewall Enabled: Transmission cannot open a port by UPnP
Firewall Enabled (1900 UDP allowed): Transmission cannot open a port by UPnP
Firewall Disabled: Transmission opens a port via UPnP fine
Any ideas? Yes, the port that I'm trying to open is also allowed. Router is a Linksys BEFSR41 v4.3, should you care.
Even though I've set up HTTPS to be trusted, it still blocks my school's https site: "mnsu.edu/eservices" same with SAMBA and SSH.
If I enter the GUI and authenticate as root, change anything and apply, then exit, it works fine and so does SAMBA. However, after restarting, everything stops working again.
yet secure firewall configuration that doesn't require any login or headaches.
Since I installed FC11 I can't get vpnc to work (I always get "no response from target"). Also I can't ping any external IP even with the firewall disabled. What I find strange is that I had the same configuration in FC10, and the router configuration seems okay to me:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     *               255.255.255.255 UH    0      0        0 ppp0
I want to write a custom rule to allow all connections to the ip addresses on my local network (192.168.2.2 through ...99) but I don't know how. I know adding a custom rule asks me to read a file and put it in "iptables" format, but I don't know how...
I am new to the iptables stuff and I have a problem. I have a PC running Fedora and I want to make a small network (4 PCs running XP), using the Fedora PC as a firewall. I want to prevent ping (I think it's called ICMP) in the private network and prevent one of the PCs from browsing the internet (block ports 80 and 81, I think), and I still don't know how to make the internet go through the firewall to the private network.
I'm working on setting up access for our developer via Telnet; we are on a local network behind a physical firewall. I set up the standard Telnet service for Fedora 15 and from localhost I can log in as any user and as root. However, I cannot log in from another terminal on the LAN, even though I can ping and FTP to the Fedora 15 box. I added the firewall rules for telnet, and that did not work, so I disabled the firewall; I still cannot get a connection via port 25. I feel either port 25 is closed in another manner or telnet is restricted to localhost.
Also I cannot log in as root to configure the Firewall Desktop GUI, only as standard users; is this an issue? I also cannot log in to the console as root even though I use the correct password. I can only su to root, and sometimes it is a PITA. There must be some settings to clear these issues up...
So I want to get a mount/umount option under the right-click services menu. I went to Dolphin -> Settings -> Configure Dolphin -> Services -> Download New Services and from there I installed KDE CDEmu Emulator and MountISO. But neither of them is showing up in the actual context menu, nor in Dolphin -> Settings -> Configure Dolphin -> Services for that matter. I tried to install them as a normal user and as root. I went to have a peek in /usr/share/kde4/services/ServiceMenus/ but they aren't there either... Is it just me, or do lots of things seem to be not quite working in 11.3?
I have a repository that isn't signed (and it would be a pain to get the administrator to sign it), so I need to use APT::Get::AllowUnauthenticated to install anything from it. However, packages from this repository may have dependencies that I want to download from the main Debian repository, and I don't want to install those if they can't be authenticated. Is there any way to configure apt-get to allow packages to be unauthenticated from one repository but force authentication for all others, or am I forced to manually download the dependencies and install them myself in this scenario?
I have a mail script that has been running on my website for several years. One problem I had with the script was when a bad address was put in, the mail was rejected to the server rather than to the sender. I have now recently added a fifth parameter to the mail script using the -f sendmail option to set the return path.
The user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a 'X-Warning' header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users. I do have the 'X-Warning' header on e-mails sent with this script and have asked my server administrator for some help in adding "the user that the Web server runs as" as a trusted user.
I've installed the ssh server on my Ubuntu desktop, and the very first time I accessed the server from my laptop, I got a message asking me whether to permanently add the key of the server. After I added this, it gave me a message saying that the key had been permanently added. My question is: how do I remove this key? I just want to know how to do this because I'm going to disable password-based logins and I want to start anew.
I'm trying to access a Verisign signed site [URL] and getting a certificate not known error when I do. Do I really need to import Verisign? If so, how?
I am trying to implement a payment gateway. I have got crt files from them, and I have to add them to our trusted list so that we can establish an SSL handshake, i.e. "Importing an SSL certificate into keystore". I don't have any idea about this one; can anyone help me? My server is Ubuntu and runs Apache as the webserver. I am trying to use this in a SOAP request. An error occurred during a connection to ws.payconnexion.com:1401.
SoapFault exception: [HTTP] Could not connect to host in /var/domains/mywebroot/file/testpaymentmine.php:71 Stack trace:
For a project that I have been assigned to, I need to send emails to a business partner(business_partner.com) from one production server. However, my emails neither reach their destination nor bounce back to me.
Working with our business partner's IT support, the following error was discovered in their maillogs:
Further analysis by my IT support shows that emails are successfully sent out ("Message accepted for delivery"):
The app I coded is not using a public internet email address (e.g. me@hidden_domain_name.com) to send these notifications.
Instead, it uses an intranet email address (the server's where my code resides: user_name@servername.hidden_domain_name.com).
We created an alias but it made no change. Would adding my public internet email address to "trusted-users" file (we use sendmail)
I am unable to get a key from keys.gnupg.net using:
Code: gpg --keyserver keys.gnupg.net --recv 886DDD89
The above command returns
Code:
gpg: requesting key 886DDD89 from hkp server keys.gnupg.net
gpgkeys: HTTP fetch error 7: couldn't connect to host
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
EDIT: Correction: I was able to get "A" key; however, it shows as
Code:
requesting key 886DDD89 from hkp server keys.gnupg.net
gpg: /home/mrmunkey/.gnupg/trustdb.gpg: trustdb created
gpg: key 886DDD89: public key "deb.torproject.org archive signing key" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
and a search shows:
Code:
W: GPG error: [URL] lucid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 74A941BA219EC810
I would rather make sure and get it right. I can see some keys located here at the tor project site. Another issue: I have been having problems with gpg keys for at least a month now.