Port forwarding and a few other things

[eDRoaCH]

I am moving to ebox from Ipcop. I did it from the install cd (though some day I hope to have a full fleged ubu install)

Anyway, I just cant get port forwarding working.
I have added static dhcp addresses for 2 of my computers, one will do BT the other webguide, for the sake of simplicity lets stay with webguide

I added a service called Webguide4 thats TCP&UDP ports 1128:1129 and I have tried selecting and deselecting internal.
I then created an object and member with the computer name and its information (the subnet mask threw me off for a bit, I am used to /24 not /32 (the host))

Then went to firewall->Packet filter->external networks to internal networks and allowed the service to the correct object. no dice. Then i tried it by IP (the object is still there regardless) no dice.
Read the manual, and it said I had to do port redirects, which i tried, no dice. There doesnt even seem to be a section on services in the manual.

I just cant seem to get this right- what am I doing wrong?

Other stuff:
When I first set it up, my old linux laptop was the client. It surfed the web, etc fine. When I plugged my whole network in I had to go to packet filter->Filtering rules for internal networks and add an any/any rule. Why?

Other things I would really like to see/miss from Ipcop:
1. Dynamic DNS update support (I really miss this)
2. HASP virus filtering on http (was an addon to Ipcop)
3. Web cache
4. Full lamp

But overall eBox is far more clean, streamlined and professional than Ipcop (or astaro before it) I am really liking it, and (with some help) hope to get fully up and running soon!

[sixstone]

I am moving to ebox from Ipcop. I did it from the install cd (though some day I hope to have a full fleged ubu install)

Anyway, I just cant get port forwarding working.
I have added static dhcp addresses for 2 of my computers, one will do BT the other webguide, for the sake of simplicity lets stay with webguide

I added a service called Webguide4 thats TCP&UDP ports 1128:1129 and I have tried selecting and deselecting internal.
I then created an object and member with the computer name and its information (the subnet mask threw me off for a bit, I am used to /24 not /32 (the host))

Then went to firewall->Packet filter->external networks to internal networks and allowed the service to the correct object. no dice. Then i tried it by IP (the object is still there regardless) no dice.
Read the manual, and it said I had to do port redirects, which i tried, no dice. There doesnt even seem to be a section on services in the manual.

I just cant seem to get this right- what am I doing wrong?

As far as I understand, you're trying to give access from external networks (Internet) to a service (Webguide4) in other machine. As you pointed, the place to put the rule is "Filtering rules from external networks to internal networks". Webguide4 is listening to 1128:1129 TCP/UDP port range, so put this port range as Destination port in the service configuration. The matter of internal attribute is to prevent other services from using that port range. So the firewall rule must follow something similar to:

Decision	Source	Destination	Service
ACCEPT	Any	Your desired IP address	Webguide4

This rule accepts connections from external networks (those interfaces which have been marked as external ones) to your desired IP address (in the internal network, that is, reachable from an internal interface) to the ports 1128:1129 using TCP or UDP protocol.

However, if you meant, port redirection, ie mapping an eBox port to an internal machine port, you should use Port Redirection which is at the menu Firewall->Redirects.

Other stuff:
When I first set it up, my old linux laptop was the client. It surfed the web, etc fine. When I plugged my whole network in I had to go to packet filter->Filtering rules for internal networks and add an any/any rule. Why?

Other things I would really like to see/miss from Ipcop:
1. Dynamic DNS update support (I really miss this)
2. HASP virus filtering on http (was an addon to Ipcop)
3. Web cache
4. Full lamp

But overall eBox is far more clean, streamlined and professional than Ipcop (or astaro before it) I am really liking it, and (with some help) hope to get fully up and running soon!

Any suggestion may be included as a ticket in our trac system [1]. HASP has been already suggested to filter virus from HTTP service. Web cache is already done by ebox-squid module. Regarding to LAMP, we think they are lots of different solutions to apply in Web application scheme. Merely saying, 5 different technologies come up to my mind. So we have decided to include a Webserver module to ease the virtual host creation, inside you may use mod_php, mod_python, fcgi..., and userdir feature to ease the file sharing using HTTP and Samba.

Thanks very much for you feedback and hope this helps you!

[1] http://trac.ebox-platform.com

[eDRoaCH]

Thank you very much for the help. I am afraid I am still not able to figure it out, so I am attaching a few screen shots.

I am still not exactally sure what the Internal means for the service. Right now I have it not internal, as I am guessing it means 'internal to eBox' as opposed to 'an internal service for the network' But as I said I have tried it both ways.
192.168.7.51 is the correct IP and it is ReservedDHCP so it should never change.

I checked out the track, and see many exciting things there, but as I have never used track before I cant quite figure out the site. Dynamic DNS updating is by far the #1 thing I am hoping for, as doing a road warrior scenario otherwise is almost impossible. For now I can set up another host on my network to update it.

[sixstone]

The problem is the WebGuide4 service. You may set just the destination port value to 1128:1129 range and let the source port as any, since the Internet hosts are not initiating the connection with its bound port to 1128 or 1129, aren't they?

Internal service simply means that none of remainder services may have as destination port the one you set in that internal service. Not really matters for this topic anyway...

Regarding to trac, just click on http://trac.ebox-platform.com/newticket and insult us with new features :-P...

I think now it should work...

[eDRoaCH]

Makes sense, set the source port to any, but still no workie. I normally do http://edroach.(theresthatdyndnsissueagain).org:1128 so I do go directly to the port. My ISP blocks port 80 inbound anyway. This did previously work with IPCop and a linksys router.

I really want this up, but its mothers day and I will be gone all next week on a work trip, so I guess I am running out of time for now.

And consider yourself insulted http://trac.ebox-platform.com/ticket/1007 I figured it out right after the last post. I tried to be helpful at least! That one only seems to do DynDNS, but No-IP which I use too also has a linux service.

[sixstone]

Which IP address does DNS server resolve to "edroach.<domain>.org" domain? If does to the external eBox interface, then you require to do a redirection as I say above .

The app you suggested in ticket you opened is only working for DynDNS service? I found that list [1]. Is it impossible to be company-neutral?

[1] http://www.dmoz.org/Computers/Internet/Protocols/DNS/DNS_Providers/Dynamic_DNS/

[eDRoaCH]

I have manually set the dyn-dns ip to my external ip of ebox. (64.x.x.x)

As for the DynDNS, when I was making the ticket I decided to be more helpful than just complain, so I did a bit of googling and came up with a DynDNS info page on that app that claimed it did more than just DynDNS, but I cant find any better info on it and the apps homepage is dead (though it does have a sourceforge page) On my wifi router I run Tomato (similar to DDWRT, a replacement firmware) and it can update dyn-dns, no-ip and others. As those things run linux and are low power, I would have to assume there is a more cross-provider solution.

I am in phoenix for the week for work so if I get a chance I will try to do some more googling on the matter. I will probably start with the DDWRT guys to try to figure out what they use.

As an aside- I see the eBox homepage all but demands using stable debian, and I am using the install cd from the site. Seems many use full fleged ubu installs tho. Any big security risks with that? Also any pitfalls in me setting up that dyndns update app myself on my box?

I appreciate your help (id still like to have port forwarding someday!) and maybe I can give back a bit by tracking down a dynamic dns updater for you guys!

[eDRoaCH]

Well the cafe isnt open, so i guess i have to skip breakfast and wait for lunch. So I did some googling

seems ddwrt uses inadyn and has great info on it here, including how to use it with no-ip and several others http://www.dd-wrt.com/wiki/index.php/Multiple_DDNS_Accounts

I also found http://ez-ipupdate.com/ and http://ddclient.wiki.sourceforge.net/Protocols but it seems inadyn wins for most used. ddclient is also popular however.

[eDRoaCH]

update: http://www.dd-wrt.com/wiki/index.php/DDNS_-_How_to_setup_Custom_DDNS_settings_using_embedded_inadyn_-_HOWTO is a better link regarding what inadyn can do.

DynDNS providers are like search engines, theres a million out there but most people only use a standard few. Using a prog like this as a drop in and having the possibility of writing an ebox specific client (they all seem to have their own API for updates) is a quick way to add functionality to the majority.

The good news is I got BT forwarding! I set the incoming port to any in the service and then created an alias again. There was a power outage at my house (of course the day I leave) so my webguide4 computer is down leaving me unable to test.

[sixstone]

I agree with you in Dynamic DNS stuff...

Regarding to the port forwarding, finally have you been able to get the connection? I am confused ...

[eDRoaCH]

BT detects the port is forwarded properly now. I cant test web-guide because the host pc got turned off in a power outage.

However, I decided to try my ftp since that comp was on. connection port is 2100 and then passiv ports are 7024-7048. I can connect to it but cant get the list, seems I dont have the passv ports done right. If you have any tips wonderful, but I need to do some more testing when I am home later this week.

[eDRoaCH]

Well got home and now Both Bit torrent and Webguide are working properly. I also need my ftp. I can connect on the main connect port, but cant get the passiv working. is there a way to create redirects with a port range?

[sixstone]

Great to hear that at least!

I'm afraid is not possible to set redirections using current eBox UI.