Firewall issue and forums
redcollective
11-05-2005, 19:19
Hi, I tried emailing info@bushcraftuk.co.uk to get some help with this but got no answer, so I did a little digging myself:
I was finding I couldn't reach the forums and now know why. If I run my firewall with a default 'deny' on all inbound connections, the bushcraftuk.com forums always time out. Looking through my firewall log I'm getting inbound connections on high port numbers from reverse.layeredtech.com, which I presume is the host for the forums? If I turn my firewall off, I can get the forums no problem. Any advice you can give? What are these inbound connections from layeredtech.com? (Ports 33049 and above feature prominently in the firewall log on my computer.) I can connect no probs from work (but hey -- I'm not paid to read bushcraftuk at work ;-)
Cheers,
Stu
I'll look into this, it's going to be a couple of days though ;) Well spotted, there's a couple of members that can't get on, it may be why
many thanks :D
redcollective
12-05-2005, 00:40
Cheers Tony, thanks for looking into it.
S
This may be an issue with firewalling of pre-established connections and reverse DNS lookups for bushcraftuk.net
Most firewalls are configured to allow connections that are incoming responses to already established outgoing connections to be let through - however, there are complex rules which are used to determine what an established connection is, and where it is connected to.
Bushcraftuk.net doesn't seem to have reverse DNS configured - that is if you do a DNS lookup on www.bushcraftuk.net, you get:
www.bushcraftuk.com A 72.36.134.230
However, if you do a lookup on 72.36.134.230 you get:
Name: 230.134.36.72.reverse.layeredtech.com
As far as your firewall is concerned, it has an outgoing connection to bushcraftuk.com, but the 'returning' responses are coming from a different server, thus they get blocked. Ports up in the >1024 range are indicative of response connections.
The same issue happens with bushcraftuk.net, except in this case it's hrwebservices.net that is doing the reverse lookup.
The short-term solution is to allow connections from these hosts through your firewall, the long-term solution is for Tony to ask his hosting providers to do reverse DNS handling for his domains, which layeredtech will definitely do, and I'm fairly sure hostrocket should as well...
Can I ask out of interest which firewall you are using? Different setups do different calculations to determine what an established connection is, and I know mine trusts the returning connections due to packet state and IP resolution...
redcollective
12-05-2005, 17:16
Hello Match, what you say all makes sense now.
In answer to your question: Iptables and Firestarter on a debian based distro.
Stu
Hmm - it's usually set by default, but check you have the rule:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(add a rule to the input rules that checks a packet's state - if its state shows it's from an already running connection, accept it).
Other than that, wait for reverse DNS lookups to be working :)
I thought I knew a bit about 'puters, but what the bloody hell was all that about?!! I thought this was going to be about balancing some logs behind a fire to bounce the heat back at you - wrongo!!
Just check your flux capacitor, aim it at the wall and hit 88mph!
redcollective
16-05-2005, 14:17
Match - nope that line does not occur - I've got a line to drop packets with invalid states, can I add the one you suggest straight after that without a problem? (sorry, firewalls are not my forte! :confused: ).
redcollective
Yep - should be fine to add, all it says is to trust packets that are ESTABLISHED (i.e. part of a known ongoing communication) or RELATED (i.e. that are expected back in response to some previous communication).
The -A INPUT part just means to add them to the INPUT rule in your firewall - iptables firewalls have three 'main' tables - INPUT, OUTPUT and FORWARD.
You might find that your own particular configuration labels them differently, but it should be possible to spot which table to add them to easily enough.
Let us know if this fixes your problem.
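To confirm the rule is actually in place before and after adding it, here is an added example (not posted by anyone in this thread) that audits the text `iptables -S INPUT` prints, so it can be run against a saved dump without root; the two rulesets inside it are constructed samples and the helper name check_input_chain is my own.

```shell
#!/bin/sh
# Added example: audit the INPUT chain for the stateful-return rule discussed
# above. Works on the `iptables -S INPUT` text format. Both rulesets below are
# constructed samples, not anyone's real firewall.

# Ruleset as the original poster described it: default DROP, an INVALID drop,
# but no ESTABLISHED,RELATED accept, so replies to outbound connections die.
BROKEN_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Same ruleset with the suggested rule added straight after the INVALID drop.
FIXED_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

# check_input_chain RULES
# Prints a verdict and returns 0 when the chain lets return traffic through:
# it needs an ACCEPT rule whose state match covers ESTABLISHED (both the
# -m state --state and the newer -m conntrack --ctstate spellings count).
check_input_chain() {
    rules=$1
    policy=$(printf '%s\n' "$rules" | awk '$1=="-P" && $2=="INPUT"{print $3}')
    # Line number of the first rule that accepts ESTABLISHED traffic, if any.
    est_line=$(printf '%s\n' "$rules" | awk '
        /^-A INPUT/ && /-j ACCEPT/ && /(--state|--ctstate) [A-Z,]*ESTABLISHED/ {print NR; exit}')
    if [ -n "$est_line" ]; then
        echo "ok: INPUT policy $policy, ESTABLISHED,RELATED accepted at line $est_line"
        return 0
    fi
    if [ "$policy" = "DROP" ] || [ "$policy" = "REJECT" ]; then
        echo "problem: INPUT policy $policy and no ESTABLISHED/RELATED accept rule;"
        echo "         replies to outbound connections (high ports) will be dropped"
        return 1
    fi
    echo "note: no ESTABLISHED/RELATED rule, but policy $policy lets replies in"
    return 2
}

# Audit both samples; on a live host pass "$(iptables -S INPUT)" instead.
# The first call deliberately fails, so its status is swallowed here.
check_input_chain "$BROKEN_INPUT" || echo "(exit status $?)"
check_input_chain "$FIXED_INPUT"
```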
This should be sorted now, it'll just take a day or so to propagate but the reverse lookup is fixed.
If you know anyone that was affected by this feel free to let them know that they should no longer be blocked :D
Moonraker
29-06-2005, 22:44
This should be sorted now, it'll just take a day or so to propagate but the reverse lookup is fixed.
If you know anyone that was affected by this feel free to let them know that they should no longer be blocked :D
Nice work Tony :)
jamesdevine
30-06-2005, 13:43
Just check your flux capacitor, aim it at the wall and hit 88mph!
:D
Sorry best laugh I have had all day. It's been a slow day.
James