sesquipedality | (no subject)

You're viewing

sesquipedality's journal
Create a Dreamwidth Account Learn More

Reload page in style: site light

Ill. Firewall steadfastly refusing to accept incoming connections, even when told to. Since it's not logging the rejections, I can't even find out which part of the config is wrong. About to venture out of house in search of honey. Still hoping to be OK for cinema tonight. Illness has apparently caused highly terse writing style.

Flat | Top-Level Comments Only

From:

sesquipedality.livejournal.com

The problem is that I don't trust myself to write good firewall rules. I'm not a firewalling expert and it makes my brain hurt. I can cope with things on the level of "block this port" but I've never been 100% happy with any iptables firewall I've created, because I've never understood iptables well enough to be certain I was blocking what I ought to.

It hasn't helped that I've spend most of yesterday and today chasing a red herring that was nothing to do with the firewalling. I'm not even sure that the problem with the vpn software I use is firewall related either (it's just the most obvious thing that's changed since it stopped working). The vpn software is hand-rolled by technogods, and is thus a complete black box to me, and I have no real clue when it comes to debugging problems with it. All I can do is sit here rather lamely and go "but it doesn't work", and thus earn the derision of said techogod, which I'm not really up to coping with in my current ill state.

From:

sesquipedality.livejournal.com

Which is not to say I'm ungrateful for the help you and Richard have offered here. On the contrary, I'd have had great difficulty eliminating the firewall as a cause of my oddness without it. Just that I'm somewhat at a loss, since I seem to have no options that don't involve a large amount of work for possibly no benefit and I'm ill dammit, and am therefore having a grump. I honestly hope it doesn't seem like the grump is targetted at you two and apologise if it came over that way.

From:

wimble.livejournal.com

Nah, it didn't come over as being directed at us :)

Given that I don't use FireHOL, I'm unable to debug it directly. OTOH, I can (or could: I'm rusty) write IPtables directly, so I might be able to tell you what's wrong, if I had the whole set of rules. And then we'd have to work out what FireHOL config was setting that up. Can't think of anything else to usefully suggest without access to the machine :)

From:

timeplease.livejournal.com

The vpn software is hand-rolled by technogods, and is thus a complete black box to me, and I have no real clue when it comes to debugging problems with it.

It's probably a bad idea at this point (as in, don't change things at random until you know what went wrong), but you could try the other hand-rolled vpn software...

In protocol terms it places fewer requirements on a firewall than udptunnel; it only requires UDP connectivity on one fixed (incoming) port and doesn't need ssh, an account on the firewall machine for peer sites, etc.

I believe it's easier to get working than udptunnel, but I expect I'm very biased. Other users might give you a more useful opinion.