Firewall fiasco: Difference between revisions

From eddynetweb's cesspit
m (Eddynetweb moved page Oidentd port information to Firewall fiasco without leaving a redirect)
Latest revision as of 13:14, 15 April 2017

oidentd and port 113

oidentd answers ident (RFC 1413) lookups, which arrive as inbound TCP connections to port 113 from the IRC server you are connecting to. If the firewall managing your connections drops those connections, the server never reaches oidentd and the reply you configured for that user's mask is never seen. This is especially obvious with ZNC, where oidentd is what lets each ZNC user present its own ident: with port 113 blocked, every user shows up without it.


Solution

Open TCP port 113 inbound through your firewall. Here's an example with iptables (note that -p selects the IP protocol, so -p 113 on its own would match IP protocol 113, not TCP port 113):

iptables -t filter -I INPUT -p tcp --dport 113 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp --sport 113 -j ACCEPT

The OUTPUT rule covers the replies on rulesets without a RELATED,ESTABLISHED conntrack rule; with such a rule it is redundant but harmless.

Good luck!

IPv6 TUN issue

Hurricane Electric's Tunnelbroker delivers IPv6 over 6in4: IPv6 packets encapsulated directly in IPv4 with IP protocol number 41. Accepting protocol 41 is normally all a firewall needs for the tunnel to work. With CSF this is easy to get wrong, because 41 is a protocol number, not a port, so adding "41" to the TCP_IN list does nothing for it. The tunnel then appears to come up, but the IPv6 connection hangs shortly after traffic starts, because CSF's rules drop the encapsulated packets.


Solution

Add the following to /etc/csf/csfpre.sh (create it if it doesn't already exist):

# Protocol 41 (6in4) for Hurricane Electric Tunnelbroker
iptables -t filter -I INPUT -p 41 -j ACCEPT
iptables -t filter -I OUTPUT -p 41 -j ACCEPT

CSF runs csfpre.sh before it applies its own ruleset (csfpost.sh is the hook that runs afterwards). Because the rules are inserted with -I at the head of the INPUT and OUTPUT chains, they are evaluated ahead of the rules CSF appends, so protocol 41 is accepted in both directions, from and to any address. To limit that to your tunnel, add -s with the Tunnelbroker server's IPv4 address to the INPUT rule and -d with the same address to the OUTPUT rule.

Even if you're not running CSF, the same rule applies: protocol 41 has to be accepted as an IP protocol, not as a port.
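The following audit script is an added example, not part of the original page and not CSF's or oidentd's own tooling. It reads an `iptables -S` dump of the INPUT chain (pass the real dump as the first argument, or run it with no arguments to audit a constructed sample embedded below), checks that both rules this page needs are present, and flags the protocol-versus-port confusion behind the `-p 113` mistake: iptables reads 113 as an IP protocol number (PGM, printed as `pgm` by `iptables -S`), not as TCP port 113. Protocol 41 is printed as `ipv6`, so the check accepts both spellings. The sample chain contents are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit an `iptables -S INPUT` dump
# for the two rules discussed above and catch "-p 113" used where "-p tcp
# --dport 113" was meant. Usage: ./audit.sh "$(iptables -S INPUT)"

# Constructed sample: an INPUT chain built from the page's original rules.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p pgm -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT'

# Returns 0 if the dump accepts TCP traffic to the given destination port.
accepts_tcp_dport() {
  local dump="$1" port="$2"
  printf '%s\n' "$dump" | grep -Eq -- "-p tcp .*--dport ${port} .*-j ACCEPT"
}

# Returns 0 if the dump accepts IP protocol 41 (6in4). iptables -S prints the
# /etc/protocols name, so match both the number and "ipv6".
accepts_proto41() {
  printf '%s\n' "$1" | grep -Eq -- '-p (41|ipv6) .*-j ACCEPT'
}

# Prints every rule matching IP protocol 113 ("pgm"); such a rule accepts PGM
# datagrams, not ident connections. Returns 0 when at least one is found.
find_protocol_port_mixup() {
  printf '%s\n' "$1" | grep -E -- '-p (113|pgm)( |$)'
}

# Corrected rules for both cases on this page.
emit_fixed_rules() {
  cat <<'EOF'
iptables -t filter -I INPUT -p tcp --dport 113 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp --sport 113 -j ACCEPT
iptables -t filter -I INPUT -p 41 -j ACCEPT
iptables -t filter -I OUTPUT -p 41 -j ACCEPT
EOF
}

# Runs all checks on a dump; returns 0 only if nothing needs fixing.
audit() {
  local input="${1:-$SAMPLE_INPUT}" status=0
  if accepts_tcp_dport "$input" 113; then
    echo "ok: TCP/113 (ident) accepted in INPUT"
  else
    echo "MISSING: no ACCEPT for TCP dport 113 in INPUT"; status=1
  fi
  if accepts_proto41 "$input"; then
    echo "ok: IP protocol 41 (6in4) accepted in INPUT"
  else
    echo "MISSING: no ACCEPT for IP protocol 41 in INPUT"; status=1
  fi
  if find_protocol_port_mixup "$input"; then
    echo "WARNING: the rule(s) above accept IP protocol 113 (PGM), not TCP port 113"
    status=1
  fi
  [ "$status" -ne 0 ] && { echo "Suggested rules:"; emit_fixed_rules; }
  return "$status"
}

# Demonstration run; exits non-zero when the audited chain has findings.
audit "${1:-}" || echo "audit: findings above need attention"
```

On the constructed sample the audit reports the missing TCP/113 rule, warns about the `-p pgm` rule, and prints the corrected rule set; a chain with `-p tcp --dport 113` and `-p ipv6` passes cleanly.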