(from my subscribed address this time) On Friday 17 September 2004 09:19, Maxim A Belushkin wrote:
No, my question is *much* simpler, sorry :)
The 4 steps of configuring the firewall with Yast: Step 1: select interface. I have no trusted net, no "internal" interface. So eth0 is the only one, and it's set to external. Step 2: Services. Additional services is set to: 631.
This is what's causing my confusion. It drops UDP packets destined for port 631. And in fact, in that dialog box it says "TCP services".
What am I missing in the Yast firewall setup tool? :P I've normally set iptables rules by hand, but decided to try the Yast setup, and... I feel I'm missing a lot of things :)
So my question amounts to: can the Yast tools do it? it's a very simple rule, seriously! Or do I need to insert it by hand? In which case I might as well trash all the rules Yast set up in there and put in my own standard set.
No, the YaST interface is too simple for that. I usually click through YaST to make sure that the firewall is started, then I edit /etc/sysconfig/SuSEfirewall2 by hand. It is a very well structured file and certainly loads better than playing with iptables directly. All the rules you originally create in YaST will still be there and YaST will not autotrash anything you change. Remember to rcSuSEfirewall2 restart when you are done.
Barry
barrulus wrote:
On Friday 17 September 2004 09:05, Maxim A Belushkin wrote:
A print server on the network is broadcasting queue names to UDP port 631. SuSE firewall seems to only have exceptions for TCP ports, and not UDP. Any "clean" workaround for this avoiding digging into the iptables rules the firewall creates?
???
You can set up trusted nets with UDP, allow interfaces to listen with UDP, forward UDP traffic and masquerade UDP traffic?
When you say "exceptions" what do you mean? Do you want the local CUPS server to be listening on that port to pick up the broadcasts, or do you want the broadcasts to be forwarded into your LAN from your DMZ?
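The hand edit Barry describes, as an added example that is not part of the thread: a small POSIX shell helper that adds a port to a space-separated SuSEfirewall2 list variable idempotently (so running it twice does not produce "631 631"), exercised on a constructed fragment of /etc/sysconfig/SuSEfirewall2 rather than the real file. The variable names FW_DEV_EXT and FW_SERVICES_EXT_UDP are the SuSEfirewall2 settings for the external interface and its open UDP ports. One caveat for this thread's case: the packets are broadcasts, and in the SuSEfirewall2 versions I know the broadcast rule is governed by a separate variable (FW_ALLOW_FW_BROADCAST, split into FW_ALLOW_FW_BROADCAST_EXT and friends in later releases), so opening the UDP port alone may not be enough; check the comments in your copy of the file for the exact name.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2 itself.
# Assumes a sysconfig-style file of KEY="value" lines, as
# /etc/sysconfig/SuSEfirewall2 uses.

# set_sysconfig FILE KEY VALUE: rewrite KEY="..." in FILE, appending it if absent.
set_sysconfig() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_sysconfig FILE KEY: print the value of KEY without its quotes
# (empty output if KEY is not set).
get_sysconfig() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# add_port FILE KEY PORT: append PORT to the space-separated list held in KEY,
# leaving the file untouched if PORT is already listed. Prints the new list.
add_port() {
    cur=$(get_sysconfig "$1" "$2")
    for p in $cur; do
        [ "$p" = "$3" ] && { echo "$cur"; return 0; }
    done
    new="${cur:+$cur }$3"
    set_sysconfig "$1" "$2" "$new"
    echo "$new"
}

# Demo on a constructed fragment standing in for /etc/sysconfig/SuSEfirewall2:
# the state YaST leaves behind after Maxim's two steps (eth0 external, TCP 631).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="631"
FW_SERVICES_EXT_UDP=""
EOF
    add_port "$tmp" FW_SERVICES_EXT_UDP 631 >/dev/null
    add_port "$tmp" FW_SERVICES_EXT_UDP 631 >/dev/null   # no-op, no duplicate
    get_sysconfig "$tmp" FW_SERVICES_EXT_UDP               # prints: 631
    rm -f "$tmp"
}

# On the real box, as root, the same edit followed by Barry's restart and a check
# that the generated iptables rule is present (what the setting amounts to is
# roughly: iptables -A INPUT -i eth0 -p udp --dport 631 -j ACCEPT):
#   add_port /etc/sysconfig/SuSEfirewall2 FW_SERVICES_EXT_UDP 631
#   rcSuSEfirewall2 restart
#   iptables -L INPUT -n -v | grep 'udp dpt:631'
```

Test the UDP rule with a broadcast as well as a unicast packet to the host; if only the unicast one gets through, the broadcast variable mentioned above is the next thing to set.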