Firewall question

  • #50843
    ppalias
    Member

    Since I am not able to understand the server that responds to this \public_ip request, please do the following.
    Run the same experiment again, but make sure that you know beforehand the source IP of the PC outside the network. Simultaneously run on ZS a

    netstat -anp | grep SOURCE_IP_OF_PC 

    and

    conntrack -L | grep SOURCE_IP_OF_PC

    We’ll see then which server responds.

    #50844
    Luigi10
    Member

    Here is the output of the configs you were requesting:

    The 64.*.*.* IP address is the workstation typing in \public IP

    The 24.*.*.* IP address is the Cable IP address of the ZeroShell box and also the IP address that is typed into the \24.*.*.*

    Type exit or Ctrl+D to return to main menu.

    root@zeroshell root> netstat -anp | grep 64.*.*.*
    root@zeroshell root> conntrack -L | grep 64.*.*.*
    conntrack v0.9.12 (conntrack-tools): 64 flow entries has been shown.
    root@zeroshell root> conntrack -L | grep 64.*.*.*
    conntrack v0.9.12 (conntrack-tools): 99 flow entries has been shown.
    udp 17 14 src=64.*.*.* dst=24.*.*.* sport=137 dport=137 packets=3 bytes=234 [UNREPLIED] src=24.*.*.* dst=64.*.*.* sport=137 dport=137 packets=0 bytes=0 mark=0 use=1
    tcp 6 431996 ESTABLISHED src=64.*.*.* dst=24.*.*.* sport=49237 dport=80 packets=6 bytes=510 src=24.*.*.* dst=64.*.*.* sport=80 dport=49237 packets=4 bytes=1047 [ASSURED] mark=0 use=1
    tcp 6 6 CLOSE src=64.*.*.* dst=24.*.*.* sport=49245 dport=443 packets=7 bytes=555 src=24.*.*.* dst=64.*.*.* sport=443 dport=49245 packets=6 bytes=1093 [ASSURED] mark=0 use=1
    root@zeroshell root> netstat -anp | grep 64.*.*.*
    tcp 0 0 24.*.*.*:80 64.*.*.*:49237 ESTABLISHED 5709/httpd
    root@zeroshell root>

    #50845
    ppalias
    Member

    From what I see here, the client is trying to connect on udp/137, which is correct, because this is what \AN_IP_ADDRESS does. It is trying to browse the network shared files of a system. There is no NAT applied on that and the packet is not replied to, so it is just ignored. Then port 80 is tried, so maybe the Windows client is trying to access the web interface of ZS. And this is why you see the certificate and the user/password prompt. Disable HTTP/HTTPS from the WAN link and try again. I think that it should fail.

    All the above are based on that you didn’t open a browser and entered ZS’ 64.c.x.z address.
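The reasoning in the reply above (the udp/137 NetBIOS probe is marked UNREPLIED and carries zero reply packets, while only the tcp/80 and tcp/443 flows to the box are answered) can be automated for a longer conntrack table. The following script is an added example written for this thread, not code posted by either participant or shipped with ZeroShell. It parses `conntrack -L` lines and reports, per flow from a given client, whether the box actually answered; the sample table is constructed here, modelled on the lines posted above, with placeholder addresses standing in for the masked 64.*.*.* and 24.*.*.* values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `conntrack -L` output (placeholder addresses, not real hosts).
# The summary line is included because it appears interleaved in the pasted output.
SAMPLE_CONNTRACK = """\
conntrack v0.9.12 (conntrack-tools): 3 flow entries has been shown.
udp 17 14 src=64.0.2.10 dst=24.0.2.20 sport=137 dport=137 packets=3 bytes=234 [UNREPLIED] src=24.0.2.20 dst=64.0.2.10 sport=137 dport=137 packets=0 bytes=0 mark=0 use=1
tcp 6 431996 ESTABLISHED src=64.0.2.10 dst=24.0.2.20 sport=49237 dport=80 packets=6 bytes=510 src=24.0.2.20 dst=64.0.2.10 sport=80 dport=49237 packets=4 bytes=1047 [ASSURED] mark=0 use=1
tcp 6 6 CLOSE src=64.0.2.10 dst=24.0.2.20 sport=49245 dport=443 packets=7 bytes=555 src=24.0.2.20 dst=64.0.2.10 sport=443 dport=49245 packets=6 bytes=1093 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"^(\w+)=(\S+)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport", "packets", "bytes")


@dataclass
class Flow:
    proto: str
    state: Optional[str]      # TCP state (ESTABLISHED, CLOSE, ...); None for UDP
    src: str                  # original-direction source (the client)
    dst: str                  # original-direction destination (the box)
    sport: int
    dport: int
    orig_packets: int         # packets client -> box
    reply_packets: int        # packets box -> client
    flags: List[str]          # e.g. ["UNREPLIED"] or ["ASSURED"]


def parse_conntrack(output: str) -> List[Flow]:
    """Parse the text form of `conntrack -L` into Flow records.

    Each entry lists the original-direction tuple first and the reply-direction
    tuple second; the second `src=` token marks where the reply tuple starts.
    """
    flows: List[Flow] = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("tcp", "udp", "icmp"):
            continue  # skip the version/summary line and anything unexpected
        proto = tokens[0]
        state: Optional[str] = None
        idx = 3  # proto, protonum, timeout come first
        if proto == "tcp":
            state = tokens[3]  # TCP entries carry a state word before the tuples
            idx = 4
        flags: List[str] = []
        tuples: List[Dict[str, str]] = [{}, {}]
        which = 0
        for tok in tokens[idx:]:
            if tok.startswith("[") and tok.endswith("]"):
                flags.append(tok.strip("[]"))
                continue
            m = KV.match(tok)
            if not m:
                continue
            key, val = m.groups()
            if key == "src" and "src" in tuples[which]:
                which = 1  # second src= begins the reply-direction tuple
            if key in TUPLE_KEYS:
                tuples[which][key] = val
        orig, reply = tuples
        flows.append(Flow(
            proto, state, orig["src"], orig["dst"],
            int(orig["sport"]), int(orig["dport"]),
            int(orig.get("packets", 0)), int(reply.get("packets", 0)), flags,
        ))
    return flows


def answered_flows(flows: List[Flow], client_ip: str) -> List[Tuple[str, int, bool]]:
    """For every flow originated by client_ip, report (proto, dport, answered).

    A flow counts as answered only if the box sent packets back and conntrack
    did not flag it UNREPLIED; this is the check ppalias applied by eye.
    """
    report = []
    for f in flows:
        if f.src != client_ip:
            continue
        answered = f.reply_packets > 0 and "UNREPLIED" not in f.flags
        report.append((f.proto, f.dport, answered))
    return report


def answering_services(flows: List[Flow], client_ip: str) -> List[str]:
    """Return the 'proto/port' services that actually replied to client_ip."""
    return sorted(f"{p}/{d}" for p, d, ok in answered_flows(flows, client_ip) if ok)


if __name__ == "__main__":
    parsed = parse_conntrack(SAMPLE_CONNTRACK)
    for proto, dport, ok in answered_flows(parsed, "64.0.2.10"):
        print(f"{proto}/{dport}: {'answered' if ok else 'no reply'}")
    print("services that answered:", answering_services(parsed, "64.0.2.10"))
```

On a live box the same functions can be fed `subprocess.run(["conntrack", "-L"], capture_output=True, text=True)` output; note that the version/summary line is written to stderr by conntrack-tools, which is why the parser simply skips any line that does not begin with a protocol name.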
