
Re: Allowing network printing through Arno's IP Tables



On Wed, 29 Dec 2010 15:43:17 +0000, AG wrote:

> On 28/12/10 15:02, Camaleón wrote:

>> I'm not very good at "firewalling" but I guess you will have to put
>> your internal network inside the "trusted" side. By performing a quick
>> read of Arno's IP tables manual
>> ("/usr/share/doc/arno-iptables-firewall/README.gz") I suppose it
>> should be set using the "FULL_ACCESS_HOSTS" variable. If that works, then
>> you can fine-tune the rule and allow access only to the desired host on
>> the required port.

(...)

> In following your second suggestion - I already reviewed that file prior
> to posting my query.  I am a little confused though because my machine
> is single-homed because it only has one NIC.  However, it is through
> this NIC that the client machine must access the print server, so it is
> a single-homed machine, but serving one service to the LAN while
> accessing the (outside) Net.

Normally, firewalls use two (or three, if we count the DMZ) denominations 
for their "zones": the "internal" zone is the one you use for your LAN and 
is usually "safe", and the "external" zone is where you have the DSL router 
connected. This is the common scenario when there are at least two NIC 
interfaces and you "divide" your network to get a more secure setup.

But usually, home users only have one NIC available and this can be set up 
as "external" (insecure/protected/all ports closed by default) or 
"internal" (rules are more relaxed). It seems that the former is what is 
happening here.

> In the actual firewall.conf file, this situation becomes even more
> confusing, because it notes:
> 
> "Specify here your internal network (LAN) interface(s). Multiple(!)
> interfaces should be space separated. Remark this if you don't have any
> internal network interfaces. Note that by default ALL traffic is accepted
> from these interfaces."
> 
> But this is not happening - the traffic is being blocked.  Now I wonder
> if this is because the eth0 (i.e. ext_if) is seeing internally
> originating traffic as originating from outside, because it is sharing
> the same NIC?
> 
> Any other thoughts because I am (understandably) quite leery about
> adjusting settings without a full understanding of the implications of
> doing so.

Try to set the variable I mentioned in my previous post, adjust it to fit 
your needs and reload the firewall service, then test CUPS again. Basically, 
what this variable should do is tell iptables "hey, eth0 manages my LAN 
traffic, so reject all the external connections (remote-to-LAN) but relax 
the rules within the internal one (LAN-to-LAN)."

Hint: the "readme" file has a "quick setup" section with some useful tips 
for each usage scenario.

Greetings,

-- 
Camaleón
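The two settings discussed in this thread side by side, as an added example that is not part of the original posts: the broad FULL_ACCESS_HOSTS value (whole LAN, every port) and the fine-tuned one (only the print client, only CUPS on TCP 631), with a sanity check to run on the values before reloading the firewall. The LAN range, the client address and the "host>port" syntax for HOST_OPEN_TCP are assumptions; verify the syntax against the README shipped with the package.

```shell
#!/bin/sh
# Added example, not from the thread. FULL_ACCESS_HOSTS bypasses all filtering
# for the listed sources, so before reloading arno-iptables-firewall we make
# sure every trusted host is a private (RFC 1918) address and no entry is a
# catch-all prefix. Addresses below are constructed for illustration.

# Broad setting (first suggestion): trust the whole LAN on every port.
FULL_ACCESS_HOSTS="192.168.1.0/24"
# Fine-tuned setting: only the print client, only CUPS (TCP 631).
# "host>port" is the HOST_OPEN_TCP syntax as I recall it (assumption).
HOST_OPEN_TCP="192.168.1.10>631"

# Returns 0 if $1 (an address or an address/prefix) lies in an RFC 1918 range.
is_private() {
  case "${1%%/*}" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when every space-separated entry in $1 ("host" or "host>port")
# is a private address and no prefix is shorter than /8 (e.g. 0.0.0.0/0).
check_trusted() {
  rc=0
  for entry in $1; do
    host="${entry%%>*}"
    prefix="${host#*/}"   # prefix length, or the host itself if none given
    if [ "$prefix" != "$host" ] && [ "$prefix" -lt 8 ]; then
      echo "refusing catch-all prefix in trusted hosts: $entry" >&2
      rc=1
    elif ! is_private "$host"; then
      echo "refusing non-private trusted host: $entry" >&2
      rc=1
    fi
  done
  return $rc
}

check_trusted "$FULL_ACCESS_HOSTS" && check_trusted "$HOST_OPEN_TCP" \
  && echo "trusted host values look sane; reload the firewall and retest CUPS"
```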

