I have a couple of cameras that sit in the top of the house and watch the road and field opposite. I replaced the server that runs them, with a Raspberry Pi, and that was all working OK. But in the course of replacing the Sonicwall with the Pix, I must have done something silly, and the cam system wasn't working any more. I could use it from inside the house, but not log into it from outside. And the reason it failed, was that I'd done something excessively complicated to reduce the need for external IP addresses; I'd made it so that you accessed it via port 81 on another IP address, then the Pix was supposed to redirect from there, to port 80 (the port used for web service) on the cam.
I struggled mightily to get it working again, to no avail. And then I stopped digging the hole deeper, stepped back and thought about it. I can get the same effect, by keeping the Pi upstairs for controlling the cams, using Samba to allow other computers to share the pictures they take, and having the web server on the other address I'd been using. So I did that.
But that meant sharing across the new firewall. And the Pix has a big flaw. If it blocks an access, it tells you which rule was broken, which computer was the source of the request, and the destination. But it doesn't tell you which port, and I don't see how to make it tell. So I installed tcpdump, which shows you every packet coming into or out of the computer you run it on. To get sense out of it, you have to tell tcpdump not to display all the stuff you already know about, so it's a command like this ...
tcpdump not src computer1 and not dst computer1 and not src computer2 and not dst computer2
... where computer1 and computer2 are computers that are having so much traffic with the computer you're trying to watch that you can't see the info you need.
That told me which port Samba was using, it's port 445. So I told the firewall to allow that. But it still didn't work. I changed the Samba configuration so that it spewed out lots of information into a log file, and looked at that - it said that there was no such user. So I changed the way it recognises users, and then it said there was no such password. So I tried to run smbpasswd, which is how you tell Samba what password to accept, but smbpasswd wasn't on the computer, so I had to get it.
apt-get install samba-common-bin
And after I'd got that, and made a password, I was able to share the files on the Pi that takes the pictures, with the computer that was going to be the web server.
But then Apache wouldn't let anyone see the pictures, and after a bit more research, I discovered that to get Apache to serve up files that are being shared by another computer, you need this:
So I did that, and it all worked!
And you know what?
They actually pay people to do this sort of thing. Please don't tell them that we'd do it just for fun.