printerserver and firewall 90

No you don't have to have port 80 open and it is not true on no software FW, NAT router or FW appliance that I have used. A host based FW, the firmware in a NAT router and a FW appliances will allow inbound traffic on a port (open the port) if software on the machine behind them sends outbound traffic to an IP. That's called a solicitation for traffic. If inbound traffic is not solicited (no program running behind the host based FW, NAT router or FW appliance) makes a solicitation for inbound traffic (unsolicited) inbound traffic, then they will reject the traffic. All ports are closed by default on them. Unsolicited inbound traffic will come in on a port if rules have been set on the host based FW, NAT router or FW appliance to allow the unsolicited inbound traffic, otherwise, the ports are closed by default and inbound traffic is rejected. Or a port will be open to inbound traffic on a FW or NAT router if a solicitation for inbound traffic is made to an IP due to outbound traffic being sent to the IP.

Unsolicited traffic coming inbound on a port would be like PORT 80 HTTP because you have a WEB server like IIS (Web services running) on the machine listening on port 80. In this case on a NAT router or FW appliance, one would port forward port 80 (open the port) and forward the traffic to the machine-IP that had IIS running or set rules on the FW appliance to forward the traffic to the IP-machine. If it was a host based FW, the rules would have to be set to allow unsolicited inbound traffic in on port 80, otherwise, no one would be able to contact IIS running on the machine at a specified private or LAN side IP. In the mean time, it business as usual for any other machine that's expecting traffic on port 80 behind the NAT router or FW appliance that's making a solicitation for traffic using a browser.

In the case of browser such as IE, Firefox and other such program that contact the Internet and they make a solicitation for inbound traffic, because they sent outbound traffic (they initiated the contact or solicited the inbound) to an ISP, WEB site, etc and they are doing it from behind the host based FW, NAT router or FW appliance, then each one of them will open the appropriate inbound port and allow the inbound and reject any IP on the inbound that has not had a solicitation made to it on the outbound. That's the normal function of host based FW, NAT router or FW appliance when all ports are closed by default.

I am not familiar with Shorewall so I don't know anything about. However, I have used IPSec which is on the Win 2k, XP, and Win 2K O-S(s) and yes when it is active on the machine and works much like a FW, I must set rules to open HTTP, SMTP, POP3, etc even behind the Watchguard FW appliance, Linksys router or BlackIce I was using, otherwise, traffic on the ports inbound would not reach the machine and the program listening for the inbound.

Yes, if you're running host based FW(s) on the machines then you'll have to open the ports on the FW(s) to the LAN-private side IP(s) for the network traffic between machines. That's what I had to do with IPsec and BalckIce was open the Networking ports on the LAN side behind the WG or the Linksys. And I ahw Windows and Linux machies on my network too. ;-)

I don't have any break-in because the ports are closed by default on the WG and when I do open the FTP ports on the WG, the O-S, files system, IIS etc are secured and harden to attack. I have not opened the ports in a long long time.

Duane :)