NET::HTTP behind a firewall?

--
Posted via http://www.ruby-forum.com/.

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

I recently deployed an app to my production server that accesses other
websites via NET::HTTP. Due to my firewall (iptables), the app is unable
to access the other sites.

What ports should I open/changes should I make to my firewall config
script (KISS) to enable ruby to make the appropriate outgoing requests?

Thanks,
Kris

--
Posted via http://www.ruby-forum.com/\.

--
Chris Carter
concentrationstudios.com
brynmawrcs.com

--
Paul Lutus
http://www.arachnoid.com

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

I recently deployed an app to my production server that accesses other
websites via NET::HTTP. Due to my firewall (iptables), the app is unable
to access the other sites.

What ports should I open/changes should I make to my firewall config
script (KISS) to enable ruby to make the appropriate outgoing requests?

Thanks,
Kris

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

I recently deployed an app to my production server that accesses other
websites via NET::HTTP. Due to my firewall (iptables), the app is unable
to access the other sites.

What ports should I open/changes should I make to my firewall config
script (KISS) to enable ruby to make the appropriate outgoing requests?

--
Jeremy Tregunna
jtregunna@blurgle.ca

On 10/3/06, Jeremy Tregunna <jtregunna@blurgle.ca> wrote:

Outgoing connections are almost always made on high ports. It doesn't
matter what you're using to connect out, the fact that you're making
a client request to some remote server on some port, will cause your
client ip:port to be <ip you're going out over>:<some high port,
probably over 10000>.

So be sure you open up say 10000 - 65535 outgoing tcp

--
Posted via http://www.ruby-forum.com/\.

On 06-10-03, at 18:32, Joe Regular wrote:

Jeremy, thanks for the help. I knew the outgoing connections were made
on higher ports but I was not sure which range of ports they would be
made on and I wanted to keep my config as tight as possible. I also
wanted to know if there was a way to allow a specific process (such as
the one running ruby) to access all outgoing ports.

--
Jeremy Tregunna
jtregunna@blurgle.ca

#
# Yahoo | Mail, Weather, Search, Politics, News, Finance, Sports & Videos
#
#

##############################################################################
#
# Optional KISS Configurtion Variables:
#
BLOCK_LIST=""
TCP_IN="20 21 25 53 80 110 143 443 995 3306 8443 10000 19638"
TCP_OUT="21 22 25 37 43 53 80 443 55000"
UDP_IN="53"
UDP_OUT="53"
TCP_IN_TRUSTED="22"
TRUSTED_IPS="0.0.0.0/0"
SERVER_IPS="0.0.0.0/0"

##############################################################################
#
PUB_IFACE="eth1"
PRIV_IFACE="eth0"

#####
# Please note that only the PRIVATE_IP needs to be found as PUB_IFACE
# IP is detected in the MAIN_IP variable below.
#####
if [ ! "$PRIV_IFACE" == "" ]; then
  PRIVATE_IP=`ifconfig $PRIV_IFACE | grep "inet addr" | cut -d: -f2 | awk
'{print $1}'`
fi

##############################################################################
#
# ALL DONE WITH CONFIGURATIONS!
#
# No real need to modify anything for the remainder of this file except
to
# maybe remove the comments from certains lines at the end of this file.
#

# Some variables here. Modify if needed for your system.
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

##############################################################################
# Determine if iptables and modprobe exist
#
if [ ! -e "$IPTABLES" ]; then
    echo "$IPTABLES does not exist. Firewall script aborted!"
    exit 1
fi
if [ ! -e "$MODPROBE" ]; then
    echo "$MODPROBE does not exist. Firewall script aborted!"
    exit 1
fi

##############################################################################
# Determine MAIN_IP & SERVER_IPS if needed
#
MAIN_IP=`ifconfig $PUB_IFACE | grep "inet addr" | cut -d: -f2 | awk
'{print $1}'`
if [ "$MAIN_IP" == "" ]; then
    echo "Could not determine MAIN_IP. Firewall script aborted!"
    exit 1
fi
if [ "$SERVER_IPS" == "" ]; then
    SERVER_IPS=$MAIN_IP
fi
if [ "$SERVER_IPS" == "" ]; then
    echo "Could not determine SERVER_IPS. Firewall script aborted!"
    exit 1
fi

##############################################################################

# Arguments:
if [ "$1" == "stop" ] || [ "$1" == "-stop" ] || [ "$1" == "--stop" ];
then
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -L -n
    echo ""
    echo ""
    echo -e "\033[31mKISS My Firewall - Stopped!"
    echo -e -n "\033[0m "
    echo ""
    exit 0
fi
if [ "$1" == "status" ] || [ "$1" == "-status" ] || [ "$1" == "--status"
]; then
    NUM_LINES=`$IPTABLES -L -n | wc -l | awk '{print $1}'`
    $IPTABLES -L -n
    echo ""
    echo ""
    if [ "$NUM_LINES" -le "15" ]; then
        echo -e "\033[31mKISS My Firewall - Stopped!"
    else
        echo -e "\033[32mKISS My Firewall - Running!"
    fi
    echo -e -n "\033[0m "
    echo ""
    exit 0
fi

##############################################################################

# We don't want ipchains loaded:
IPCHAINS=`/sbin/lsmod | grep ipchains`
if [ ! "$IPCHAINS" == "" ]; then
    /sbin/rmmod ipchains
fi

##############################################################################

# Note: KISS requires that ip_tables, ipt_state, and ipt_multiport
exist:
if [ ! -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_tables.ko" ] || [ ! -e
"/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_state.ko" ] || [
! -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    echo "Since the ip_tables, ipt_state, and/or ipt_multiport modules
do not exist, KISS can not function. Firewall script aborted!"
    exit 1
fi

# All is well, load modules:
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_tables.ko" ]; then
    $MODPROBE ip_tables
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_state.ko" ]; then
    $MODPROBE ipt_state
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_multiport.ko" ]; then
    $MODPROBE ipt_multiport
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/iptable_filter.ko" ]; then
    $MODPROBE iptable_filter
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_unclean.ko" ]; then
    $MODPROBE ipt_unclean
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_limit.ko" ]; then
    $MODPROBE ipt_limit
fi
if [ -e "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_LOG.ko"
]; then
    $MODPROBE ipt_LOG
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ipt_REJECT.ko" ]; then
    $MODPROBE ipt_REJECT
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_conntrack.ko" ]; then
    $MODPROBE ip_conntrack
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko" ]; then
    $MODPROBE ip_conntrack_irc
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko" ]; then
    $MODPROBE ip_conntrack_ftp
fi
if [ -e "/lib/modules/$(uname
-r)/kernel/net/ipv4/netfilter/iptable_mangle.ko" ]; then
    $MODPROBE iptable_mangle
fi

##############################################################################

# Remove any existing rules from all chains
$IPTABLES --flush
$IPTABLES -t nat --flush
$IPTABLES -t mangle --flush

# Allow unlimited traffic on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Set the default policy to DROP
$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP
$IPTABLES --policy FORWARD DROP

# DO NOT MODIFY THESE!
#
# If you set these to DROP, you will be locked out of your server.
#
$IPTABLES -t nat --policy PREROUTING ACCEPT
$IPTABLES -t nat --policy OUTPUT ACCEPT
$IPTABLES -t nat --policy POSTROUTING ACCEPT
$IPTABLES -t mangle --policy PREROUTING ACCEPT
$IPTABLES -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains
$IPTABLES --delete-chain
$IPTABLES -t nat --delete-chain
$IPTABLES -t mangle --delete-chain

##############################################################################

# Enable broadcast echo Protection
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi

# Disable Source Routed Packets
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
fi

# Enable TCP SYN Cookie Protection
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi

# Disable ICMP Redirect Acceptance
if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

# Don't send Redirect Messages
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
fi

# Drop Spoofed Packets coming in on an interface, which if replied to,
would
# result in the reply going out a different interface.
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
fi

# Log packets with impossible addresses
if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
fi

# Reduce DoS'ing ability by reducing timeouts
if [ -e /proc/sys/net/ipv4/tcp_fin_timeout ]; then
  echo "1800" > /proc/sys/net/ipv4/tcp_fin_timeout
fi
if [ -e /proc/sys/net/ipv4/tcp_keepalive_time ]; then
  echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
fi
if [ -e /proc/sys/net/ipv4/tcp_window_scaling ]; then
  echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
fi
if [ -e /proc/sys/net/ipv4/tcp_sack ]; then
  echo "0" > /proc/sys/net/ipv4/tcp_sack
fi

##############################################################################
# Silently Drop Stealth Scans

# All of the bits are cleared
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
$IPTABLES -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP

##############################################################################
# Provide some syn-flood protection
#
# THIS CODE SLOWS DOWN WEB PAGE LOADS DRAMATICALLY!!!
#
# Only enable this code if you find that you are the victim of a
syn-flood
# attack!
#
#$IPTABLES -N syn-flood
#$IPTABLES -A INPUT -p tcp --syn -j syn-flood
#$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
#$IPTABLES -A syn-flood -j DROP
#

##############################################################################
# BLOCK_LIST
#
# To add someone to this block list, use the BLOCK_LIST configuration
variable
# above.
#
# We block here, before our stateful packet inspection below, because if
the
# offender is already logged in, he won't be kicked out. Note also that
we
# include the offender's IP in the OUTPUT chain. This should help to
reduce
# the threat a little bit more.
#
for blocked_ip in $BLOCK_LIST; do
    # Lock him out:
    $IPTABLES -A INPUT -s $blocked_ip -j DROP
    # Make sure that he never hears from us again:
    $IPTABLES -A OUTPUT -d $blocked_ip -j DROP
done

##############################################################################
#
# To define your private network, use the PRIV_IFACE configuration
# variable above.
#
# We allow all traffic in and out of the private network
if [ ! "$PRIV_IFACE" == ""]; then
  $IPTABLES -A INPUT -s 0/0 -e $PRIV_IFACE -d $PRIVATE_IP -p ALL -j
ACCEPT
fi

##############################################################################
# Use Connection State to Bypass Rule Checking
#
# By accepting established and related connections, we don't need to
# explicitly set various input and output rules. For example, by
accepting an
# established and related output connection, we don't need to specify
that
# the firewall needs to open a hole back out to client when the client
# requests SSH access.
#
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

##############################################################################
# Source Address Spoofing and Other Bad Addresses

# Refuse Spoofed packets pretending to be from the external interface's
IP
#for server_ips in $SERVER_IPS; do
# $IPTABLES -A INPUT -i $PUB_IFACE -s $server_ips -j DROP
#done
#for server_ips in $SERVER_IPS; do
# for subnet_broadcast in $SUBNET_BROADCAST; do
# $IPTABLES -A INPUT -i $PUB_IFACE -s $server_ips -d
!$subnet_broadcast -j DROP
# done
#done

# Refuse packets claiming to be from a Class A private network
$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_A -j DROP

# Refuse packets claiming to be from a Class B private network
$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_B -j DROP

# Refuse packets claiming to be from a Class C private network
#$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_C -j DROP

# Refuse packets claiming to be from the loopback interface
$IPTABLES -A INPUT -i $PUB_IFACE -s $LOOPBACK -j DROP

# Refuse malformed broadcast packets
$IPTABLES -A INPUT -i $PUB_IFACE -s $BROADCAST_DEST -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -d $BROADCAST_SRC -j DROP

# Refuse directed broadcasts
# Used to map networks and in Denial of Service attacks
#for subnet_base in $SUBNET_BASE; do
# $IPTABLES -A INPUT -i $PUB_IFACE -d $subnet_base -j DROP
#done
#for subnet_broadcast in $SUBNET_BROADCAST; do
# $IPTABLES -A INPUT -i $PUB_IFACE -d $subnet_broadcast -j DROP
#done

# Refuse limited broadcasts
$IPTABLES -A INPUT -i $PUB_IFACE -d $BROADCAST_DEST -j DROP

# Refuse Class D multicast addresses - illegal as a source address
#$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_D_MULTICAST -j DROP
#$IPTABLES -A INPUT -i $PUB_IFACE -p ! udp -d $CLASS_D_MULTICAST -j DROP
#$IPTABLES -A INPUT -i $PUB_IFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT
#
$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_D_MULTICAST -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -p udp -d $CLASS_D_MULTICAST -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IFACE -p 2 -d $CLASS_D_MULTICAST -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IFACE -p all -d $CLASS_D_MULTICAST -j DROP

# Refuse Class E reserved IP addresses
$IPTABLES -A INPUT -i $PUB_IFACE -s $CLASS_E_RESERVED_NET -j DROP

# Refuse addresses defined as reserved by the IANA
# 0.*.*.* - Can't be blocked unilaterally with DHCP
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
$IPTABLES -A INPUT -i $PUB_IFACE -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -i $PUB_IFACE -s 192.0.2.0/24 -j DROP

##############################################################################
# Now we can open up some holes in our firewall...
#

##############################################################################
# If we are not accepting 113 (ident), then we explicitly reject it!
#
if [ "$(echo $IN_PORTS | tr ',' '\n' | grep -w 113)" == "" ]; then
    $IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 113 -j REJECT
    $IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 113 -j REJECT
fi

##############################################################################
# TCP IN
#
for tcp_in in $TCP_IN; do
    for server_ips in $SERVER_IPS; do
        $IPTABLES -A INPUT -i $PUB_IFACE -s 0/0 -d $server_ips -p tcp -m
state --state NEW --sport $UNPRIVPORTS --dport $tcp_in -j ACCEPT
    done
done

##############################################################################
# TCP OUT
#
for tcp_out in $TCP_OUT; do
    $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
--sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

##############################################################################
# UDP IN
#
for udp_in in $UDP_IN; do
    for server_ips in $SERVER_IPS; do
        $IPTABLES -A INPUT -i $PUB_IFACE -s 0/0 -d $server_ips -p udp -m
state --state NEW --sport $UNPRIVPORTS --dport $udp_in -j ACCEPT
    done
done

##############################################################################
# UDP OUT
#
for udp_out in $UDP_OUT; do
    $IPTABLES -A OUTPUT -o $PUB_IFACE -p udp -m state --state NEW
--sport $UNPRIVPORTS --dport $udp_out -j ACCEPT
done

##############################################################################
# TCP IN TRUSTED
#
#for tcp_in_trusted in $TCP_IN_TRUSTED; do
# for server_ips in $SERVER_IPS; do
# for trusted_ips in $TRUSTED_IPS; do
# $IPTABLES -A INPUT -i $PUB_IFACE -s $trusted_ips -d
$server_ips -p tcp -m state --state NEW --sport $UNPRIVPORTS --dport
$tcp_in_trusted -j ACCEPT
# done
# done
#done
for tcp_in_trusted in $TCP_IN_TRUSTED; do
    for trusted_ips in $TRUSTED_IPS; do
        $IPTABLES -A INPUT -i $PUB_IFACE -s $trusted_ips -d $MAIN_IP -p
tcp -m state --state NEW --sport $UNPRIVPORTS --dport $tcp_in_trusted -j
ACCEPT
    done
done

##############################################################################
# Allow pinging of this server's MAIN_IP by trusted IPs only.
#
for trusted_ips in $TRUSTED_IPS; do
    $IPTABLES -A INPUT -s $trusted_ips -d $MAIN_IP -i $PUB_IFACE -m
state --state NEW -p icmp --icmp-type ping -j ACCEPT
done

##############################################################################
# OUTPUT - PORT 113 - IDENTD
#
#for server_ips in $SERVER_IPS; do
# $IPTABLES -A OUTPUT -o $PUB_IFACE -s $server_ips -p tcp --syn --sport
$UNPRIVPORTS --dport 113 -m state --state NEW -j REJECT --reject-with
tcp-reset
#done

##############################################################################
# Uncomment to allow DNS zone transfers
#
$IPTABLES -A INPUT -i $PUB_IFACE -p udp --sport 53 --dport 53 -m state
--state NEW -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IFACE -p tcp --sport 53 --dport 53 -m state
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB_IFACE -p udp --sport 53 --dport 53 -m state
--state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp --sport 53 --dport 53 -m state
--state NEW -j ACCEPT

##############################################################################
# Uncomment to allow for outgoing ping
#
#$IPTABLES -A OUTPUT -o $PUB_IFACE -s $MAIN_IP -m state --state NEW -p
icmp --icmp-type ping -j ACCEPT

##############################################################################
# Uncomment to allow outgoing traceroutes
#
#$IPTABLES -A OUTPUT -o $PUB_IFACE -p udp -s $MAIN_IP --sport
32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT

$IPTABLES -L -n
echo ""
echo ""
echo -e "\033[32mKISS My Firewall - Running!"
echo -e -n "\033[0m "
echo ""

exit 0

--
Posted via http://www.ruby-forum.com/\.

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

Joe Regular wrote:

#
for tcp_out in $TCP_OUT; do
   $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
--sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

Is your routing is configured such that your external servers are reachable
through eth1? Can you ping anything from this server? Can you telnet to the
affected external web servers on port 80? Can you traceroute to them (either
using ICMP or UDP)? Did your code work correctly on a test server that
didn't have this firewall config? What's the output from iptables -L? As far
as the local (ephemeral) port is concerned, this rule will let anything out
that is locally bound to any port higher than 1024, which should be ok.

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

Joe Regular wrote:

# TCP OUT
#
for tcp_out in $TCP_OUT; do
   $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
--sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

Is your routing is configured such that your external servers are
reachable
through eth1? Can you ping anything from this server? Can you telnet to
the
affected external web servers on port 80? Can you traceroute to them
(either
using ICMP or UDP)? Did your code work correctly on a test server that
didn't have this firewall config? What's the output from iptables -L? As
far
as the local (ephemeral) port is concerned, this rule will let anything
out
that is locally bound to any port higher than 1024, which should be ok.

--
Posted via http://www.ruby-forum.com/\.

Yes, eth1 is the public nic. I can not ping anything with the firewall
enabled. I can access all the tcp_in ports from external machines.
tracert is not working on my workstation right now, it times out to any
host on the second hop.

My code works properly on my workstations, development servers, and even
the production server without the firewall config enabled.

Is it possible that NET:HTTP is attempting to use a local port that is
lower than NPRIVPORTS allows?

Thanks for your help Francis.

Thanks,
Kris

Francis Cianfrocca wrote:

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

Joe Regular wrote:

# TCP OUT
#
for tcp_out in $TCP_OUT; do
   $IPTABLES -A OUTPUT -o $PUB_IFACE -p tcp -m state --state NEW
--sport $UNPRIVPORTS --dport $tcp_out -j ACCEPT
done

Is your routing is configured such that your external servers are
reachable
through eth1? Can you ping anything from this server? Can you telnet to
the
affected external web servers on port 80? Can you traceroute to them
(either
using ICMP or UDP)? Did your code work correctly on a test server that
didn't have this firewall config? What's the output from iptables -L? As
far
as the local (ephemeral) port is concerned, this rule will let anything
out
that is locally bound to any port higher than 1024, which should be ok.

--
Posted via http://www.ruby-forum.com/\.

On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:

I use site5 (http://www.site5.com). They're enthusiatic Ruby users so
their support is quite good.

On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
Hi Folks,

I have an idea for a website. I want to develop it using Ruby on Rails,
so ultimately I'll need a website hosting company.

I'm going to be putting together a different take on the various
websites that host music for musical instrument players for learning new
tunes - this isn't a software idea and is nothing linked to my day job
with Object Media/Software Verification. As a result hosting costs may
be an issue if the host is expensive until the idea pays for itself.

I've done a bit of web-searching on this subject, but really I'd like
recommendations from those of you already doing this. You know which
companies you've used and which you use again, which were expensive and
good value, which were expensive and bad value, which were cheap and
good value, etc.

Please recommend some hosting companies.

Thanks

Stephen
(reply to newgroup or by email, both are fine)
--
Stephen Kellett
Object Media Limited http://www.objmedia.demon.co.uk/software.html
Computer Consultancy, Software Development
Windows C++, Java, Assembler, Performance Analysis, Troubleshooting

-----Original Message-----
From: ruby grl [mailto:rubygrl@rubyserv.com]
Sent: Tue 10/3/2006 11:30 PM
To: ruby-talk ML
Subject: Re: Recommend a hosting company?

I was hosting with site5 but their support was terrible I finally had to
cancel service, they never responded to support questions. I finally spent
some money a dedicated host running rails on suse linux with redplaid
hosting and it has been so much more reliable.

On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:

I use site5 (http://www.site5.com). They're enthusiatic Ruby users so
their support is quite good.

On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
Hi Folks,

I have an idea for a website. I want to develop it using Ruby on Rails,
so ultimately I'll need a website hosting company.

I'm going to be putting together a different take on the various
websites that host music for musical instrument players for learning new
tunes - this isn't a software idea and is nothing linked to my day job
with Object Media/Software Verification. As a result hosting costs may
be an issue if the host is expensive until the idea pays for itself.

I've done a bit of web-searching on this subject, but really I'd like
recommendations from those of you already doing this. You know which
companies you've used and which you use again, which were expensive and
good value, which were expensive and bad value, which were cheap and
good value, etc.

Please recommend some hosting companies.

Thanks

Stephen
(reply to newgroup or by email, both are fine)
--
Stephen Kellett
Object Media Limited http://www.objmedia.demon.co.uk/software.html
Computer Consultancy, Software Development
Windows C++, Java, Assembler, Performance Analysis, Troubleshooting

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

and here is the output of iptables -L...

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

On 10/3/06, ruby grl <rubygrl@rubyserv.com> wrote:

I was hosting with site5 but their support was terrible I finally had to
cancel service, they never responded to support questions. I finally spent
some money a dedicated host running rails on suse linux with redplaid
hosting and it has been so much more reliable.

On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:
>I use site5 (http://www.site5.com). They're enthusiatic Ruby users so
>their support is quite good.
>
>On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
>Hi Folks,
>
>I have an idea for a website. I want to develop it using Ruby on Rails,
>so ultimately I'll need a website hosting company.
>
>I'm going to be putting together a different take on the various
>websites that host music for musical instrument players for learning new
>tunes - this isn't a software idea and is nothing linked to my day job
>with Object Media/Software Verification. As a result hosting costs may
>be an issue if the host is expensive until the idea pays for itself.
>
>I've done a bit of web-searching on this subject, but really I'd like
>recommendations from those of you already doing this. You know which
>companies you've used and which you use again, which were expensive and
>good value, which were expensive and bad value, which were cheap and
>good value, etc.
>
>Please recommend some hosting companies.
>
>Thanks
>
>Stephen
>(reply to newgroup or by email, both are fine)
>--
>Stephen Kellett
>Object Media Limited http://www.objmedia.demon.co.uk/software.html
>Computer Consultancy, Software Development
>Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
>

--
Amos King
USPS
Programmer/Analyst
St. Louis, MO

From: "David Sledge" <dsledge@appriss.com>
Reply-To: ruby-talk@ruby-lang.org
To: ruby-talk@ruby-lang.org (ruby-talk ML)
Subject: Re: Recommend a hosting company?
Date: Wed, 4 Oct 2006 12:34:32 +0900

Try www.dewahost.com

-----Original Message-----
From: ruby grl [mailto:rubygrl@rubyserv.com]
Sent: Tue 10/3/2006 11:30 PM
To: ruby-talk ML
Subject: Re: Recommend a hosting company?

I was hosting with site5 but their support was terrible I finally had to
cancel service, they never responded to support questions. I finally spent
some money a dedicated host running rails on suse linux with redplaid
hosting and it has been so much more reliable.

On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:
>I use site5 (http://www.site5.com). They're enthusiatic Ruby users so
>their support is quite good.
>
>On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
>Hi Folks,
>
>I have an idea for a website. I want to develop it using Ruby on Rails,
>so ultimately I'll need a website hosting company.
>
>I'm going to be putting together a different take on the various
>websites that host music for musical instrument players for learning new
>tunes - this isn't a software idea and is nothing linked to my day job
>with Object Media/Software Verification. As a result hosting costs may
>be an issue if the host is expensive until the idea pays for itself.
>
>I've done a bit of web-searching on this subject, but really I'd like
>recommendations from those of you already doing this. You know which
>companies you've used and which you use again, which were expensive and
>good value, which were expensive and bad value, which were cheap and
>good value, etc.
>
>Please recommend some hosting companies.
>
>Thanks
>
>Stephen
>(reply to newgroup or by email, both are fine)
>--
>Stephen Kellett
>Object Media Limited http://www.objmedia.demon.co.uk/software.html
>Computer Consultancy, Software Development
>Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
>

On 10/3/06, Joe Regular <kristapestry@yahoo.com> wrote:

Sorry, I meant you won't be able to complete TCP connections that you
initiate.

--
Posted via http://www.ruby-forum.com/\.

This site has a one free year deal that I used. It works great and
after your ap is running if you need more space or bandwidth you can
always upgrade. Every time I've sent their support an e-mail I get a
response that day. They truly are a good hosting company.

http://www.hostingrails.com/home/112330218

On 10/3/06, ruby grl <rubygrl@rubyserv.com> wrote:

I was hosting with site5 but their support was terrible I finally had to
cancel service, they never responded to support questions. I finally spent
some money a dedicated host running rails on suse linux with redplaid
hosting and it has been so much more reliable.

On 3/12/06, "Michael Gorsuch" <michael.gorsuch gmail.com> wrote:
>I use site5 (http://www.site5.com). They're enthusiatic Ruby users so
>their support is quite good.
>
>On 3/11/06, Stephen Kellett <snail / objmedia.demon.co.uk> wrote:
>Hi Folks,
>
>I have an idea for a website. I want to develop it using Ruby on Rails,
>so ultimately I'll need a website hosting company.
>
>I'm going to be putting together a different take on the various
>websites that host music for musical instrument players for learning new
>tunes - this isn't a software idea and is nothing linked to my day job
>with Object Media/Software Verification. As a result hosting costs may
>be an issue if the host is expensive until the idea pays for itself.
>
>I've done a bit of web-searching on this subject, but really I'd like
>recommendations from those of you already doing this. You know which
>companies you've used and which you use again, which were expensive and
>good value, which were expensive and bad value, which were cheap and
>good value, etc.
>
>Please recommend some hosting companies.
>
>Thanks
>
>Stephen
>(reply to newgroup or by email, both are fine)
>--
>Stephen Kellett
>Object Media Limited http://www.objmedia.demon.co.uk/software.html
>Computer Consultancy, Software Development
>Windows C++, Java, Assembler, Performance Analysis, Troubleshooting
>