
Re: migration to fc-1 questions



I've intentionally snipped our earlier dialogue.

You had asked to see the iptables -L -n for this system.  I've still got
other upgrade problems, so we are still running rh-7, kernel 2.2.16-22 and
ipchains.

Presently ipchains -L -n gives this:

[root watchdog /root]# ipchains -L -n
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   27500
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   22
ACCEPT     all  ------  172.17.2.0/24        0.0.0.0/0             n/a
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
ACCEPT     udp  ------  216.0.152.10         0.0.0.0/0             53 ->   *
ACCEPT     udp  ------  209.49.5.10          0.0.0.0/0             53 ->   *
REJECT     tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   *
REJECT     udp  ------  0.0.0.0/0            0.0.0.0/0             * ->   *
Chain forward (policy REJECT):
Chain output (policy ACCEPT):


Based on the /etc/sysconfig/ipchains file containing this:
:input ACCEPT
:forward REJECT
:output ACCEPT
# ThinAnywhere
-A input -s 0/0 -d 0/0 27500 -p tcp -y -j ACCEPT
#-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
# Allow all from internal network 172.17.2.0/24
-A input -s 172.17.2.0/24 -d 0/0 -j ACCEPT
# Allow all from this local machine
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
# Allow all from internal network on eth1
#-A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
#
# Replace DNS_IP_ADDR with IP of DNS server in /etc/resolv.conf
#
-A input -s 216.0.152.10 53 -d 0/0 -p udp -j ACCEPT
-A input -s 209.49.5.10 53 -d 0/0 -p udp -j ACCEPT
#
# Reject everything else
-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
-A input -s 0/0 -d 0/0 -p udp -j REJECT

to which I added this:
# ssh
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT

in an attempt to get ssh working on this box.  Once I started sshd, ssh
connections now work.

The /etc/xinetd.d/telnet file appears to be on, as does ftp, rlogin, and rsh
there.  I get no connection from telnet, ssh or ftp. (see below)
When I try rsh or rlogin, I simply get no response.
ThinAnywhere and ping both work as expected.

I thought I understood this firewalling stuff, but I'm not so sure what is 
happening here.



{campbell}51: % telnet watchdog
Trying 172.17.2.242...
telnet: connect to address 172.17.2.242: Connection refused
{campbell}52: % ftp watchdog
ftp: connect: Connection refused
ftp> bye

Those responses indicate to me that the firewall is NOT blocking these types
of connections, but that my configuration is.  The configuration of xinetd
seems to indicate otherwise.

Color me baffled...


{campbell}53: % ping watchdog
PING watchdog (172.17.2.242) 56(84) bytes of data.
64 bytes from watchdog (172.17.2.242): icmp_seq=1 ttl=255 time=0.143 ms
64 bytes from watchdog (172.17.2.242): icmp_seq=2 ttl=255 time=0.150 ms
64 bytes from watchdog (172.17.2.242): icmp_seq=3 ttl=255 time=0.133 ms

--- watchdog ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.133/0.142/0.150/0.007 ms


Lastly, upon this discovery, I have now added disable = yes to 
/etc/xinetd.d/telnet, rsh and rlogin 


-- 
ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  1(713)993-0671 ph.
 2401 Fountain View |   and Integrated Interpretation   |  1(713)993-0608 fax
     Suite 320      |                                   |
 Houston, TX, 77057 |          Chuck Campbell           | campbell accelinc com
                    |  President & Senior Geoscientist  |

     "Integration means more than having all the maps at the same scale!"

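To see which rule each of the connections in the post actually hits, here is a small Python model of that input chain, written as an added example (it is not part of Chuck's post and not ipchains code): it walks the rules in order, first match wins, with the `-i lo` interface match taken from the sysconfig file since `ipchains -L -n` hides it and `-L -n -v` shows it. Source addresses and the `eth0` interface name that are not on the page are constructed.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Rule:
    target: str
    proto: str          # "tcp", "udp" or "all"
    syn_only: bool      # -y: match only TCP packets with SYN set and ACK clear
    src: str
    dst: str
    sport: int = None
    dport: int = None
    iface: str = None   # -i; hidden by ipchains -L -n, shown by ipchains -L -n -v
# Input chain as transcribed from the post's /etc/sysconfig/ipchains plus the added ssh rule.
INPUT_CHAIN = [
    Rule("ACCEPT", "tcp", True, "0.0.0.0/0", "0.0.0.0/0", dport=27500),   # ThinAnywhere
    Rule("ACCEPT", "tcp", True, "0.0.0.0/0", "0.0.0.0/0", dport=22),      # ssh
    Rule("ACCEPT", "all", False, "172.17.2.0/24", "0.0.0.0/0"),           # internal net
    Rule("ACCEPT", "all", False, "0.0.0.0/0", "0.0.0.0/0", iface="lo"),   # loopback only
    Rule("ACCEPT", "udp", False, "216.0.152.10", "0.0.0.0/0", sport=53),  # DNS replies
    Rule("ACCEPT", "udp", False, "209.49.5.10", "0.0.0.0/0", sport=53),
    Rule("REJECT", "tcp", True, "0.0.0.0/0", "0.0.0.0/0"),                # other new TCP
    Rule("REJECT", "udp", False, "0.0.0.0/0", "0.0.0.0/0"),               # other UDP
]
INPUT_POLICY = "ACCEPT"     # ":input ACCEPT"

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    iface: str = "eth0"     # constructed: the post does not name the LAN interface
    syn: bool = False       # True for a connection-opening SYN

def matches(rule, pkt):
    # Every condition the rule carries must hold; unset fields match anything.
    in_net = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    return (rule.proto in ("all", pkt.proto)
            and (not rule.syn_only or (pkt.proto == "tcp" and pkt.syn))
            and (rule.iface is None or rule.iface == pkt.iface)
            and in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dport is None or rule.dport == pkt.dport))

def verdict(pkt, chain=INPUT_CHAIN, policy=INPUT_POLICY):
    # First matching rule wins, as in ipchains; (0, policy) means no rule matched.
    for n, rule in enumerate(chain, 1):
        if matches(rule, pkt):
            return n, rule.target
    return 0, policy
```

A telnet SYN from the 172.17.2.0/24 side is accepted by rule 3 before the final REJECT is reached, so the "Connection refused" in the post is generated by the host itself, not by the chain; note also that TCP packets without SYN fall through to the ACCEPT policy, which is how this stateless ruleset lets reply traffic back in.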