# firewall

## eleanor

Where can I set up my firewall? I need to open a few ports, where can I do that?

And can I do that through console?

----------

## eleanor

Hmmmm, anybody?

----------

## lookinin

Hmm, maybe this will help get you started:

https://forums.gentoo.org/viewtopic.php?t=159133

There are a number of GUI utilities that help set it up as well, such as gshield and shorewall to name a couple, but you'll need a working setup first, so check out the howto above.

----------

## eleanor

This doesn't help me much. I've done this a lot of times before, so I know all this. I am only interested in my firewall. In Mandrake Linux there was a firewall placed in the control center, so you could easily choose one or the other option! So where is it in Gentoo?

----------

## fdamstra

 *eleanor wrote:*   

> This doesn't help me much. I've done this a lot of times before, so I know all this. I am only interested in my firewall. In Mandrake Linux there was a firewall placed in the control center, so you could easily choose one or the other option! So where is it in Gentoo?

 

There is no firewall by default in Gentoo.  You'd have to install one.

----------

## Duali

 *eleanor wrote:*   

> Where can I set up my firewall? I need to open a few ports, where can I do that?
> 
> And can I do that through console?

 

You can't open ports because you don't have a firewall.

----------

## eleanor

And why the heck am I having this problem when trying to connect with ssh:

```
ssh: connect to host port 22: Connection refused
```

And I am getting this with ftp and all other applications (the ones that involve connecting to my computer). What can I do?

----------

## fatcat.00

Connection refused indicates that your machine sent a TCP RST (reset).  Usually this means the service isn't running.

Try: 

```
/etc/init.d/sshd start
```

Probably same for ftp.

----------

## eleanor

No no no, it is working on my computer. It just isn't working if I want to connect from anywhere else! Do you know what is wrong (and I have run /etc/init.d/sshd start >> that is a must)!

----------

## Valhlalla

what is the output if you run this (as root if needed):

```
/sbin/iptables -L
```

----------

## eleanor

Here:

```
bash-2.05b# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

----------

## nightblade

If you get "connection refused" then the server answers with a RST, meaning that there is nobody listening there. If the service is running, then it might be listening only on some interfaces (e.g. loopback) but not on the interface you are trying to talk to.
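An added example (not from the thread) that makes this distinction concrete: it classifies a TCP connect attempt as open, refused (RST: nothing listens on that port at that address, either because the service is down or because it is bound elsewhere) or timeout (no answer at all, which is what a firewall DROP rule produces). It starts its own throwaway listeners on loopback so it runs offline; the 127.0.0.2 case assumes Linux, where the whole 127/8 range is loopback.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt the way the thread does.

    "open"    -> three-way handshake completed, something is listening
    "refused" -> the host answered with a RST: nothing listens on that
                 port at that address (service down, or bound elsewhere)
    "timeout" -> no answer at all, which is what a firewall DROP gives
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:            # e.g. no route on non-Linux hosts
        return "error: %s" % e
    finally:
        s.close()

def listener(bind_addr):
    """Throwaway server socket on an ephemeral port; returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def demo():
    results = {}
    # Bound to all interfaces, like the "*:ssh" line in netstat -l output.
    srv, port = listener("0.0.0.0")
    results["all_interfaces"] = probe("127.0.0.1", port)
    srv.close()
    # Same port after the service stopped: the kernel answers with a RST.
    results["nothing_listening"] = probe("127.0.0.1", port)
    # Bound to one address only, like the "localhost:netbios-ssn" lines.
    # Reached via a different loopback address (127.0.0.2; assumes Linux,
    # where all of 127/8 is loopback) it is refused although it is running.
    srv, port = listener("127.0.0.1")
    results["loopback_only_via_127.0.0.2"] = probe("127.0.0.2", port)
    results["loopback_only_via_127.0.0.1"] = probe("127.0.0.1", port)
    srv.close()
    return results
```

Calling demo() returns the four outcomes; only the last case depends on the operating system.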

----------

## eleanor

And what can I do so that it will listen?

----------

## Valhlalla

Yeah, the problem is not the firewall, as ALL your ports are open at the firewall.

As nightblade alluded to, you should check the config files for sshd and make sure it is running.

```
netstat -l
```

will show you all the listening services; sshd should show up in a LISTEN state on your network IP address.

----------

## eleanor

It is running. Look at this:

```
bash-2.05b# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:32769                 *:*                     LISTEN
tcp        0      0 *:5800                  *:*                     LISTEN
tcp        0      0 localhost:netbios-ssn   *:*                     LISTEN
tcp        0      0 eleanorunic:netbios-ssn *:*                     LISTEN
tcp        0      0 *:5900                  *:*                     LISTEN
tcp        0      0 localhost:microsoft-ds  *:*                     LISTEN
tcp        0      0 eleanoruni:microsoft-ds *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
udp        0      0 eleanorunico:netbios-ns *:*
udp        0      0 *:netbios-ns            *:*
udp        0      0 eleanorunic:netbios-dgm *:*
udp        0      0 *:netbios-dgm           *:*
udp        0      0 *:631                   *:*
raw        0      0 *:icmp                  *:*                     7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     4725
```

It is just the first part of this! Now what can I do?

----------

## lookinin

 *eleanor wrote:*   

> It is just the first part of this! Now what can I do?

 

If sshd is running and the remote is getting "Connection refused..." it's probably an access problem, not a firewall problem (edit: Any gurus want to verify that for me? On my system it simply drops the packets and gives no response). It appears as though the firewall is allowing access to the port. Have you looked at your /etc/hosts.allow and /etc/hosts.deny files?

As mentioned at the bottom of this thread:

https://forums.gentoo.org/viewtopic.php?t=175159

try:

```
man 5 hosts_access
```

----------

## lazyleopard

Look in /var/log for messages. If the server's running but you can't connect then chances are it's an authorisation thing. Maybe auth.log will say something helpful. Also consider the possibility that the machine you're trying to ssh from is doing the blocking on outbound connections at its firewall (if it has one), or something like that. Check the ssh and sshd config files too.

----------

## eleanor

Look at this:

```
bash-2.05b# /etc/hosts.allow
bash: /etc/hosts.allow: No such file or directory
```

That is wrong; I just want to know why that file isn't there?

----------

## lookinin

It may not be there by default, I don't remember.  Just create one with your favorite editor so that it contains:

```
# the IP that you need to allow in
sshd : xxx.xxx.xxx.xxx : allow
# if desired
sshd : localhost : allow
# block all others
sshd : all : deny
```

Make sure it's owned by root:root and (I'm not sure if this is correct - maybe someone else can advise) mine is set to chmod 644:

```
chmod 644 /etc/hosts.allow
```
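An added example, not from the thread, of how tcp_wrappers evaluates rules of the form suggested above, following hosts_access(5): hosts.allow is searched first, then hosts.deny, and a client that matches nothing is allowed. The file contents are constructed here, with 203.0.113.5 standing in for the placeholder address; only IPv4 client patterns (ALL, localhost, exact address, trailing-dot prefix, net/mask) are modelled.

```python
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines (IPv4 clients only)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = {d.lower() for d in fields[0].split()}
        clients = [c.lower() for c in fields[1].split()]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules

def client_matches(pattern, client):
    """Match one client pattern against a client IPv4 address string."""
    if pattern == "all":
        return True
    if pattern == "localhost":
        return client in ("localhost", "127.0.0.1", "::1")
    if pattern.endswith("."):                      # prefix form, e.g. "192.168.1."
        return client.startswith(pattern)
    if "/" in pattern:                             # net/mask or net/len form
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client

def first_match(rules, daemon, client):
    # Returns the first matching rule's option, "match" if it has none, else None.
    daemon = daemon.lower()
    for daemons, clients, option in rules:
        if daemon not in daemons and "all" not in daemons:
            continue
        if any(client_matches(p, client) for p in clients):
            return option or "match"
    return None

def hosts_access(daemon, client, allow_text, deny_text=""):
    """hosts.allow is searched first, then hosts.deny; no match at all means allow."""
    for text, default in ((allow_text, "allow"), (deny_text, "deny")):
        hit = first_match(parse_rules(text), daemon, client)
        if hit is not None:
            return default if hit == "match" else hit
    return "allow"

# Constructed hosts.allow with the three rules suggested above; 203.0.113.5 is a
# documentation-range placeholder for the address you want to let in.
HOSTS_ALLOW = """sshd : 203.0.113.5 : allow
sshd : localhost : allow
sshd : all : deny"""
```

Note that with an empty or missing hosts.allow and hosts.deny every daemon is allowed, so a missing file cannot be what refuses a connection.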

----------

## eleanor

I've done all this and this doesn't help me much. I still get the same old error!

----------

## lookinin

 *eleanor wrote:*   

> I've done all this and this doesn't help me much. I still get the same old error!

 

I am running out of ideas - have you looked into lazyleopard's suggestion about your outbound connections on that port being blocked?

----------

## Valhlalla

Definitely check all your logs. I would say it's how sshd has been configured, but the logs should show where it is being rejected. Also, do you have a router or any other network device or NAT between the 2 computers?

----------

## eleanor

I have a router, but my computer connects directly through the internet!

----------

## Valhlalla

 *eleanor wrote:*   

> I have a router, but my computer connects directly through the internet!

 

Through the internet? or do you mean intranet?

If you unplugged the router, would they still be connected?

----------

## SinoTech

1. /etc/hosts.allow isn't needed for SSH (it's used for RPC applications and, as far as I know, SSH isn't one).

2. If you're unable to connect to your SSH server at home you should ...

- Try to connect to your server using a client contained in your local lan

- Make sure your router forwards incoming connections on port 22 (default for SSH) to your server.

Regards

Sino

----------

## eleanor

Why must I forward that port (22)? What does it mean if I forward it? I haven't done this before (on the previous Linux) and my SSH server worked just fine!

----------

## ewtrowbr

How many interfaces do you have? Can you ping your server?

Please post...

```
netstat -rn
ifconfig -a
```

erich

----------

## r3pek

```
remotepc ------ internet ----- home router ----- homepc
```

From what I read in this thread, what you're trying to do is connect from remotepc to homepc.

You have to forward port 22 in your home router to homepc so that all the packets that come from the internet to that port are sent to the homepc, since the router is not running any sshd. That's why you are given the error "connection refused": you're trying to access the router, not the homepc.

That's what forwarding is.

----------

