Re: Allowing network printing through Arno's IP Tables
On Wed, 29 Dec 2010 15:43:17 +0000, AG wrote:
> On 28/12/10 15:02, Camaleón wrote:
>> I'm not very good at "firewalling" but I guess you will have to put
>> your internal network inside the "trusted" side. By performing a quick
>> read of Arno's IP tables manual
>> ("/usr/share/doc/arno-iptables-firewall/README.gz") I suppose it
>> should be set using the "FULL_ACCESS_HOSTS" variable. If that works, then
>> you can fine-tune the rule and allow access only to the desired host on
>> the required port.
> In following your second suggestion - I already reviewed that file prior
> to posting my query. I am a little confused though because my machine
> is single-homed because it only has one NIC. However, it is through
> this NIC that the client machine must access the print server, so it is
> a single-homed machine, but serving one service to the LAN while
> accessing the (outside) Net.
Normally, firewalls use two (or three, if we count the DMZ) denominations
for their "zones": the "internal" zone is the one you use for your LAN and
tends to be "safe", and the "external" zone is where you have the DSL router
connected. This is the common scenario when there are at least two NIC
interfaces and you "divide" your network to get a more secure setup.
But usually, home users only have one NIC available, and this can be set up
as "external" (insecure/protected/all ports closed by default) or
"internal" (rules are more relaxed). It seems that the former is what is
> In the actual firewall.conf file, this situation becomes even more
> confusing, because it notes:
> "Specify here your internal network (LAN) interface(s). Multiple(!)
> should be space separated. Remark this if you don't have any internal
> interfaces. Note that by default ALL traffic is accepted from these
> But this is not happening - the traffic is being blocked. Now I wonder
> if this is because the eth0 (i.e. ext_if) is seeing internally
> originating traffic as originating from outside, because it is sharing
> the same NIC?
> Any other thoughts because I am (understandably) quite leery about
> adjusting settings without a full understanding of the implications of
> doing so.
Try setting the variable I mentioned in my previous post, adjust it to fit
your needs and reload the firewall service, then test CUPS again. Basically,
what this variable should do is tell iptables "hey, 'eth0' manages my
LAN traffic, so reject all the external connections (from remote-to-LAN)
but relax the rules within the internal one (LAN-to-LAN)."
Hint: the "readme" file has a "quick setup" section with some useful tips
for each usage scenario.
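The edit described in the reply, as an added example that is not code from the list or from arno-iptables-firewall itself: it sets FULL_ACCESS_HOSTS in a copy of firewall.conf, prints the value the firewall will read, and flags when a whole network rather than single hosts has been trusted. It assumes the config path /etc/arno-iptables-firewall/firewall.conf (any path can be passed instead) and uses 192.168.1.0/24 as a constructed LAN value.

```shell
#!/bin/sh
# Added example, not from the thread or the arno-iptables-firewall project.
# Assumed config path: /etc/arno-iptables-firewall/firewall.conf (pass any
# path as the first argument); the LAN below is a constructed sample value.

# Set FULL_ACCESS_HOSTS in file $1 to the space-separated list in $2,
# replacing a live or commented-out assignment, or appending one if absent.
set_full_access_hosts() {
    f=$1; hosts=$2
    if grep -q '^#\{0,1\}FULL_ACCESS_HOSTS=' "$f"; then
        sed "s|^#\{0,1\}FULL_ACCESS_HOSTS=.*|FULL_ACCESS_HOSTS=\"$hosts\"|" \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'FULL_ACCESS_HOSTS="%s"\n' "$hosts" >> "$f"
    fi
}

# Print the value the firewall will read (last uncommented assignment wins).
get_full_access_hosts() {
    sed -n 's/^FULL_ACCESS_HOSTS="\(.*\)"$/\1/p' "$1" | tail -n 1
}

# Return 0 if every entry is a single host, 1 if any entry is a CIDR block
# (every port opened to many hosts: fine for a first test, worth narrowing
# to the print client once CUPS works, as the thread suggests).
full_access_is_narrow() {
    for h in $(get_full_access_hosts "$1"); do
        case $h in
            */32) ;;                # explicit single host
            */*)  return 1 ;;       # whole network
        esac
    done
    return 0
}

# Stand-alone demo on a constructed copy of firewall.conf.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed fragment of /etc/arno-iptables-firewall/firewall.conf
EXT_IF="eth0"
#FULL_ACCESS_HOSTS=""
EOF
set_full_access_hosts "$demo" "192.168.1.0/24"
echo "FULL_ACCESS_HOSTS is now: $(get_full_access_hosts "$demo")"
full_access_is_narrow "$demo" || echo "whole LAN trusted; narrow it to the print client later"
rm -f "$demo"
# After editing the real file, restart the arno-iptables-firewall service
# and retry printing (CUPS listens on 631/tcp).
```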