Solved

firewall rules for syncing with pocketpc via synce

Posted on 2004-04-18
Last Modified: 2012-05-04
Hi,

I have a custom firewall on my machine (running Fedora).
How can I open up my firewall so I can connect with my PDA?
The messages I get are:
IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0
IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0

So I need to open up ports 5679 and 5678 (I found that in the SynCE help). But how can I do that?
Question by:tjikkun
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 10856648
Assuming that 192.168.131.102 is your PDA, it would be 1047/TCP that your firewall needs to allow as an inbound connection. That can be done by executing a rule like:

iptables -A INPUT -d 0/0 -p tcp --dport 1047 -j ACCEPT

Once that rule is in place you can save it for the next boot with 'service iptables save'.
 

Author Comment

by:tjikkun
ID: 10857206
Sorry, I forgot to mention: I was already trying things, so I had something opened up. When I have everything closed, I get:

IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=0 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=256 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0
IN=ppp0 OUT= MAC= SRC=192.168.131.201 DST=192.168.131.102 LEN=64 TOS=0x00 PREC=0x00 TTL=128 ID=512 DF PROTO=TCP SPT=1025 DPT=5679 WINDOW=32768 RES=0x00 SYN URGP=0

So I had opened up something for this:
$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
(Is this the correct way to do this? $PDAIF = ppp0, $UNIVERSE = 0.0.0.0/0)

After this the messages in my first post showed. So this is a reply, and I guess I need an ESTABLISHED,RELATED rule of some kind. But I know very little of this, so I hope you can help me with that rule.

Thanks for your reply,

Sander
 
LVL 8

Expert Comment

by:da99rmd
ID: 10857571
You mean this rule:
$IPT -A INPUT -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

But this doesn't help you, I'm afraid.

>$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
This means that you have opened every port of your internet interface.
This is not good. Remove this rule and put in this rule instead:
iptables -A INPUT -p tcp --dport 5679 -j ACCEPT


>IN= OUT=ppp0 SRC=192.168.131.102 DST=192.168.131.201 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5679 DPT=1047 WINDOW=5840 RES=0x00 ACK SYN URGP=0
This is an outgoing packet. To open up a port in the OUTPUT chain use this rule:
iptables -A OUTPUT -p ALL -i ppp0 -j ACCEPT

I assume ppp0 is the interface you are trying to connect through; otherwise change this to the correct one.

I don't know what ports the PocketPC uses, so just give me the ports and I will give you all the rules you need to connect.

Try it first; if it doesn't work, just fall back with "service iptables restart". When it works OK, save with "service iptables save".

/Rob




Author Comment

by:tjikkun
ID: 10857733
>>$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
>This means that you have opened every port of your internet interface.
>This is not good. Remove this rule and put in this rule instead:
>iptables -A INPUT -p tcp --dport 5679 -j ACCEPT

Well, I have -i ppp0, so I thought that would only allow everything from the PDA interface. Is there a security issue with this? With your rule the port is accessible from the internet; with mine it is not, as far as I understand. Of course, I think I could do:
$IPTABLES -A INPUT -i $PDAIF -p tcp --dport 5679 -j ACCEPT
But now my question:
What is the correct rule to let responses to this through?
 
LVL 8

Accepted Solution

by: da99rmd (earned 125 total points)
ID: 10858259
Sorry, didn't see that ppp0 was the PDAIF.
Then the
$IPTABLES -A INPUT -i $PDAIF -d $UNIVERSE -j ACCEPT
will work perfectly for you.
But you have to add the following rule to make sure the output goes through as you want:
$IPTABLES -A OUTPUT -p ALL -i $PDAIF -j ACCEPT

Do an iptables -L and post the output here and I will examine it.

/Rob

 

Author Comment

by:tjikkun
ID: 10858534
Rob,

thank you very much.
You had one error in your rule:
$IPTABLES -A OUTPUT -p ALL -i $PDAIF -j ACCEPT
I made that
$IPTABLES -A OUTPUT -p ALL -o $PDAIF -j ACCEPT
and now it seems to work.

Sander
 
LVL 8

Expert Comment

by:da99rmd
ID: 10859267
Sorry, that's correct.

/Rob
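The rule set the thread arrives at (interface-scoped ACCEPT rules, -o rather than -i in OUTPUT, and a stateful rule for the replies Sander asked about) can be written as one script. The following is an added example and not code posted in the thread; it assumes the PDA link is ppp0, that the SynCE listener ports are 5678 and 5679 as quoted from the SynCE help in the question, and that the iptables "state" match is available. It also includes a small classifier for the netfilter LOG lines quoted in the question and in Sander's second post, to show which chain dropped a packet and which rule would have accepted it. The log lines in the comments are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rules for a SynCE PocketPC
# on a dedicated PPP link, plus a classifier for netfilter LOG lines.
# Assumptions: PDA link is ppp0, listener ports are 5678/5679, "-m state" exists.
set -f                              # $rule is word-split on purpose below; never glob it

PDAIF="${PDAIF:-ppp0}"              # PPP interface to the PDA
PDA_PORTS="5678 5679"               # SynCE listener ports
IPTABLES="${IPTABLES:-iptables}"    # set IPTABLES="echo iptables" for a dry run

# log_field LINE KEY: print the value of KEY=... from a netfilter LOG line.
# An empty value (IN= on an outgoing packet) prints an empty line and succeeds;
# a missing key returns 1.
log_field() {
    for kv in $1; do
        case "$kv" in
            "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# suggest_rule LINE: print the rule that would have accepted the logged packet.
# IN=<iface> means the INPUT chain dropped it, OUT=<iface> means OUTPUT did.
# A bare SYN is a new connection to DPT; anything carrying ACK (the SYN,ACK
# replies from port 5679 in the question) is return traffic, which a state
# rule covers without opening a port for it.
suggest_rule() {
    line="$1"
    in_if=$(log_field "$line" IN || true)
    out_if=$(log_field "$line" OUT || true)
    proto=$(log_field "$line" PROTO | tr '[:upper:]' '[:lower:]')
    dpt=$(log_field "$line" DPT || true)
    if [ -n "$in_if" ]; then
        chain="INPUT"; ifopt="-i $in_if"
    elif [ -n "$out_if" ]; then
        chain="OUTPUT"; ifopt="-o $out_if"      # OUTPUT matches on -o, never -i
    else
        return 1
    fi
    case "$line" in
        *" ACK "*) echo "-A $chain $ifopt -m state --state ESTABLISHED,RELATED -j ACCEPT" ;;
        *" SYN "*) echo "-A $chain $ifopt -p $proto --dport $dpt -m state --state NEW -j ACCEPT" ;;
        *)         echo "-A $chain $ifopt -m state --state ESTABLISHED,RELATED -j ACCEPT" ;;
    esac
}

# pda_rules IFACE: the complete rule set for the PDA link, in order.
# Replies are accepted by connection state in both chains, so only the
# listeners on PDA_PORTS are opened, and only on this interface, never on
# the internet-facing one.
pda_rules() {
    ifc="$1"
    echo "-A INPUT -i $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -o $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $PDA_PORTS; do
        echo "-A INPUT -i $ifc -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Connections the desktop itself opens towards the device. The link is
    # dedicated to the PDA, so allowing them on this interface only is fine.
    echo "-A OUTPUT -o $ifc -p tcp -m state --state NEW -j ACCEPT"
}

# apply_pda_rules IFACE: feed the rules to iptables (or to echo for a dry run).
apply_pda_rules() {
    pda_rules "$1" | while read -r rule; do
        $IPTABLES $rule || exit 1       # unquoted on purpose: one argv per word
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_pda_rules "$PDAIF"
fi
```

Run it as `IPTABLES="echo iptables" sh pda-rules.sh apply` first to see the exact commands, then as root with `sh pda-rules.sh apply` and `service iptables save` once syncing works, as Rob suggested. The order matters: the state rules come first so that the SYN,ACK replies logged in the question never reach the LOG/DROP rules. On current kernels `-m conntrack --ctstate` replaces `-m state --state`, with the same semantics.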