 From:  "Jonathan De Graeve" <Jonathan dot De dot Graeve at imelda dot be>
 To:  <ryanp at hhsys dot org>
 Cc:  "m0n0wall" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] rule allowed but being blocked part 2: full post
 Date:  Tue, 13 Dec 2005 18:37:18 +0100
Tivoli uses a fixed TCP port you can allow without any problems. You can
find the TCP port used in your config (dsm.sy or dsm.opt IIRC)

J.

> -----Original message-----
> From: ryanp at hhsys dot org [mailto:ryanp at hhsys dot org]
> Sent: Tuesday, 13 December 2005 17:49
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] rule allowed but being blocked part 2: full post
> 
> The application is IBM Tivoli backup client.  The TSM server 'pings' the
> node then the node talks back and starts performing its backup.  At first
> I had the rule set to 'LAN net' instead of 'Network' with physically
> typing in the address. One machine [machine A] wasn't working properly.
> So then I changed it to 'Network' and typed in the addresses and the
> previous one [machine A] started working but now this one [machine B]
> doesn't want to. That's what is confusing to me.  I see one connection in
> the firewall state table but then I see a few packets getting blocked, so
> I'm not sure.
> 
> Even if it is a broken application, what would you suggest to get this
> working? Allow all traffic bidirectional? Because even if the application
> does crappy TCP, the machines still have to perform their backups and
> m0n0wall isn't allowing that via the sysadmin's eyes who run the boxes.
> 
> 
> Chris Buechler said:
> > On 12/12/05, ryanp at hhsys dot org <ryanp at hhsys dot org> wrote:
> >>
> >>
> >> These are allowed via
> >>
> >> TCP 10.246.9.0/24:* to 10.249.0.1:1500
> >>
> >> but its still being blocked, I even said allow fragmented packets.
> still
> >> being blocked. block private network is unchecked, whats going on?
> >>
> >
> > It's getting to rule 11:
> > @11 block in log quick proto tcp from any to any
> >
> > so it's not in the state table, and it's not the initiation of a new
> > TCP connection (that would then enter the state table for subsequent
> > traffic).  Does the particular application work?  Seems like it would
> > either be this:
> > http://doc.m0n0.ch/handbook/faq-legit-traffic-dropped.html
> > or a really broken application.
> >
> > -Chris
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
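Chris's diagnosis in the quoted reply (the packet reaches the catch-all `block in log quick proto tcp from any to any` because it is neither in the state table nor the start of a new TCP connection) is easiest to see with a small model of a first-match stateful filter. The following is an added example, not m0n0wall's or ipfilter's code. The rule set is the two rules quoted in the thread; the backup node address 10.246.9.20:40123 and the second node 10.246.9.21 are constructed; and the modelling assumption that a stateful pass rule only matches (and creates state for) a SYN, so that a mid-stream packet without state falls through to the next rule, follows Chris's explanation rather than any m0n0wall source.

```python
"""Toy first-match stateful packet filter, constructed to illustrate why a
mid-stream TCP packet with no state entry ends up at the logging catch-all
rule. Not m0n0wall/ipfilter code; rule semantics are a modelling assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: "S" SYN, "A" ACK, "PA" PSH+ACK

    def tuple(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_tuple(self):
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src_net: str           # CIDR; "0.0.0.0/0" means any
    dst_net: str
    dport: Optional[int]   # None means any destination port
    keep_state: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return self.dport is None or self.dport == p.dport


class StatefulFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()   # 5-tuples in both directions
        self.logged = []      # packets caught by a logging block rule

    def expire_states(self):
        """Simulate the idle timeout purging every state entry."""
        self.states.clear()

    def process(self, p: Packet) -> str:
        # Packets belonging to an existing state bypass the rule set entirely.
        if p.tuple() in self.states:
            return "pass:state"
        for n, r in enumerate(self.rules, start=1):
            if not r.matches(p):
                continue
            if r.action == "pass" and r.keep_state and p.proto == "tcp" and p.flags != "S":
                # Modelling assumption: a stateful pass rule only matches a
                # connection initiation (SYN); anything else falls through.
                continue
            if r.action == "pass":
                if r.keep_state:
                    self.states.add(p.tuple())
                    self.states.add(p.reverse_tuple())
                return f"pass:rule{n}"
            if r.log:
                self.logged.append(p)
            return f"block:rule{n}"
        return "block:default"


THREAD_RULES = [
    # 'TCP 10.246.9.0/24:* to 10.249.0.1:1500' from the thread, as a stateful pass rule
    Rule("pass", "tcp", "10.246.9.0/24", "10.249.0.1/32", 1500, keep_state=True),
    # the catch-all from Chris's reply: block in log quick proto tcp from any to any
    Rule("block", "tcp", "0.0.0.0/0", "0.0.0.0/0", None, log=True),
]


def demo() -> dict:
    fw = StatefulFilter(THREAD_RULES)
    node = ("10.246.9.20", 40123)   # constructed backup node address and port
    tsm = ("10.249.0.1", 1500)      # TSM server from the thread
    results = {}
    results["syn"] = fw.process(Packet("tcp", *node, *tsm, "S"))
    results["ack_in_state"] = fw.process(Packet("tcp", *node, *tsm, "A"))
    results["reply_in_state"] = fw.process(Packet("tcp", *tsm, *node, "PA"))
    fw.expire_states()  # idle timeout: the same flow now has no state entry
    results["ack_after_expiry"] = fw.process(Packet("tcp", *node, *tsm, "A"))
    # A flow whose SYN this filter never saw (constructed second node)
    results["unseen_flow"] = fw.process(Packet("tcp", "10.246.9.21", 40200, *tsm, "PA"))
    results["logged"] = len(fw.logged)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The two blocked cases are the ones Chris describes: the allow rule is in place and matches the addresses and port, yet a non-SYN packet with no state entry (a flow whose state expired, or whose SYN never passed through this filter) skips the stateful pass rule and lands on the logging catch-all. That is why a state entry for one connection can coexist with blocked packets in the log for the same host pair.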