
firewall rules for syncing with pocketpc via synce

Posted on 2004-04-18
Last Modified: 2012-05-04
Hi,

I have a firewall on my machine (with Fedora) with a custom rule set.
How can I open up my firewall so I can connect with my PDA?
The messages I get are:
IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0

So I need to open up ports 5679 and 5678 (I have found that in the help of SynCE). But how can I do that?

Question by:tjikkun
 
LVL 40

Expert Comment

by:jlevie
ID: 10856648
Assuming that 192.168.131.102 is your PDA, it would be 1047/TCP that your firewall needs to allow as an inbound connection. That can be done by executing a rule like:

iptables -A INPUT -d 0/0 -p tcp --dport 1047 -j ACCEPT

Once that rule is in place you can save it for the next boot with 'service iptables save'
 

Author Comment

by:tjikkun
ID: 10857206
Sorry, I forgot to tell. I was already trying stuff, so I had something opened up. When I have everything closed, I get:

IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=0 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=256 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=512 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0

So I had opened up something for this:
$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
(is this the correct way to do this? $PDAIF = ppp0, $UNIVERSE = 0.0.0.0/0)

After this the messages in my first post showed. So this is a reply, and I guess I need an ESTABLISHED,RELATED rule of some kind. But I know very little of this, so I hope you can help me with that rule.

Thanks for your reply,

Sander
 
LVL 8

Expert Comment

by:da99rmd
ID: 10857571
You mean this rule:
$IPT -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

But this doesn't help you, I'm afraid.

>$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
This means that you have opened every port of your internet interface.
This is not good. Remove this rule and put in this rule instead:
iptables -A INPUT -p tcp --dport 5679 -j ACCEPT


>IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0
This is an outgoing packet. To open up a port in the output chain, use this rule:
iptables -A OUTPUT -p ALL -i ppp0 -j ACCEPT

I assume the ip ppp0 is the interface you are trying to connect to; otherwise change this to the correct one.

I don't know what ports the PocketPC uses, so just give me the ports and I will give you all the rules you need to connect.

Try it first; if it doesn't work, just fall back with "service iptables restart". When it works OK, then save with "service iptables save".

/Rob

 

Author Comment

by:tjikkun
ID: 10857733
>>$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
>This means that you have opened every port of your internet interface.
>This is not good. Remove this rule and put in this rule instead:
>iptables -A INPUT -p tcp --dport 5679 -j ACCEPT

Well, I have -i ppp0, so I thought that would only allow everything from the PDA interface. Is there a security issue with this? With your rule the port is accessible from the internet; with mine it is not, as far as I understand. Of course, I think I could do:
$IPTABLES -A INPUT -i $PDAIF -p tcp --dport 5679 -j ACCEPT
but now my question:
What is the correct rule to let responses to this through?
 
LVL 8

Accepted Solution

by:da99rmd (earned 125 total points)
ID: 10858259
Sorry, didn't see that ppp0 was the PDAIF.
Then the
$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
will work perfectly for you.
But you have to add the following rule to make sure the output goes through as you want:
$IPTABLES -A OUTPUT -p ALL -i $PDAIF -j ACCEPT

Do an iptables -L and post the output here and I will examine it.

/Rob

 

Author Comment

by:tjikkun
ID: 10858534
Rob,

Thank you very much.
You had one error in your rule:
$IPTABLES -A OUTPUT -p ALL -i $PDAIF -j ACCEPT
I made that
$IPTABLES -A OUTPUT -p ALL -o $PDAIF -j ACCEPT
and now it seems to work.

Sander
 
LVL 8

Expert Comment

by:da99rmd
ID: 10859267
Sorry, that's correct.

/Rob
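As an added example (not code from the thread), a small Python script that reads the two kinds of netfilter LOG lines posted above, works out from the IN=/OUT= fields which chain dropped the packet and from the TCP flags whether it is a new connection or a reply, and prints the narrowest rule that would have let it through (interface, source, destination port and connection state, rather than a blanket `-i ppp0 -j ACCEPT`). The sample lines are copied from the posts; the emitted rules use `-o` for OUTPUT, which is the correction Sander arrived at.

```python
# Netfilter LOG lines as sample input (constructed copies of the lines posted in the thread).
SAMPLE_LOG = [
    "IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=0 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Split a netfilter LOG line into key=value fields plus the set of bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # empty value (e.g. "IN=") means "no such interface"
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(fields):
    """Return (chain, state): which chain logged the packet and whether it opens a connection."""
    if fields.get("IN") and not fields.get("OUT"):
        chain = "INPUT"                  # arrived on an interface, addressed to this host
    elif fields.get("OUT") and not fields.get("IN"):
        chain = "OUTPUT"                 # generated locally, leaving on an interface
    else:
        chain = "FORWARD"
    # A bare SYN opens a connection; SYN+ACK (or plain ACK) belongs to one already opened.
    state = "NEW" if fields["FLAGS"] == {"SYN"} else "ESTABLISHED,RELATED"
    return chain, state

def suggest_rule(line):
    """Return the narrowest iptables rule that would have accepted the logged packet."""
    f = parse_log_line(line)
    chain, state = classify(f)
    proto = f.get("PROTO", "").lower()
    if chain == "INPUT" and state == "NEW":
        return (f"iptables -A INPUT -i {f['IN']} -s {f['SRC']} -p {proto} "
                f"--dport {f['DPT']} -m state --state NEW -j ACCEPT")
    if chain == "INPUT":
        return f"iptables -A INPUT -i {f['IN']} -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if chain == "OUTPUT":
        # In the OUTPUT chain the interface option is -o; -i is rejected by iptables.
        return f"iptables -A OUTPUT -o {f['OUT']} -m state --state {state} -j ACCEPT"
    return f"# {chain} chain packet: not covered by this helper"

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(suggest_rule(entry))
```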
