[ale] next stupid ipchains question
Wandered Inn
esoteric at atlnet.com
Thu Sep 7 13:44:13 EDT 2000
Joe Knapka wrote:
>
> Wandered Inn wrote:
> That's... interesting. In that case I'd bet that it's a route
> problem. Do all the machines on both subnets have a default
> route pointed at the firewall? If not, they need routes
> telling them to reach the other subnet via the firewall.
I don't see how changing it from masq to accept would stop the
communication altogether. I would expect that if there is a routing
problem, it would cause problems either way.
Here are the routes I expect are permitting the communications:
(b.home.edu is the router in question)
for machine 192.168.255.253
default b.home.edu 0.0.0.0 UG 0 0 0 eth0
(b.dmz.edu is the same router referencing it from the other subnet)
for machine 192.168.10.220
192.168.255.0 b.dmz.edu 255.255.255.0 UG 0 0 0 eth1
> > Based on the above, I guess I'll add an '$IPCHAINS -A forward -j DENY
> > -l' ??
>
> Yep. That way you'll get a log event if the packet is denied by
> the firewall. Without the DENY rule, you can't be sure that the
> reason the packet isn't getting to its destination is because
> the firewall is killing it, since when a packet hits the chain
> policy it just gets silently denied.
I tried three things here. First:
$IPCHAINS -A forward -j ACCEPT
$IPCHAINS -A forward -j DENY -l
No communication through the router. No logging at all.
Then:
$IPCHAINS -A forward -j MASQ
$IPCHAINS -A forward -j DENY -l
Communication through the router successful, still no logging.
$IPCHAINS -A forward -j MASQ -l
$IPCHAINS -A forward -j DENY -l
Communication through the router, the forwarded masq packets are logged.
>
> -- Joe
>
> *** Joseph Knapka ***
> In any formula, constants (especially those obtained from handbooks)
> are to be treated as variables.
--
Until later: Geoffrey esoteric at denali.atlnet.com
Microsoft != Innovation
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
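Added example, not part of the thread: a small Python check (Python rather than ipchains itself, so it runs without a 2.2 kernel) for the rule-shadowing problem visible in the first two attempts above. An unconditional ACCEPT or MASQ appended to the forward chain matches every packet that reaches the chain, so a logging DENY appended after it can never fire, which is why nothing was logged. The parser only understands `-A` rules with `-j`, `-l`, `-y`, `-b` and single-argument match options; negation with `!` is an assumption left unhandled.

```python
import shlex
from dataclasses import dataclass, field

# Targets that end chain traversal for a matching packet. ipchains uses first-match
# semantics, so a later rule in the same chain never sees packets these accepted.
TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}
# Match options that take no argument (-y: TCP SYN-only packets).
NO_ARG = {"-y"}

@dataclass
class Rule:
    chain: str
    target: str
    log: bool
    matches: dict = field(default_factory=dict)  # e.g. {"-s": "192.168.10.0/24"}
    text: str = ""

def parse_rule(line):
    """Parse one 'ipchains -A <chain> [matches] -j <target> [-l]' line; None if not an append."""
    toks = shlex.split(line.replace("$IPCHAINS", "ipchains"))
    if len(toks) < 4 or toks[1] != "-A":
        return None                      # -P policy lines, -F, comments etc. are skipped
    rule = Rule(chain=toks[2], target="", log=False, text=line.strip())
    i = 3
    while i < len(toks):
        tok = toks[i]
        if tok == "-j":
            rule.target, i = toks[i + 1], i + 2
        elif tok == "-l":
            rule.log, i = True, i + 1    # logging flag, not a match restriction
        elif tok in NO_ARG:
            rule.matches[tok], i = True, i + 1
        elif tok == "-b":
            i += 1                       # bidirectional: still matches everything
        else:                            # -s/-d/-p/-i/--sport ... take one argument
            rule.matches[tok] = toks[i + 1] if i + 1 < len(toks) else True
            i += 2
    return rule

def shadowed_rules(script):
    """Return (unreachable_rule, shadowing_rule) text pairs for a firewall script.

    A rule with no match options and a terminal target matches every packet reaching
    that chain, so every rule appended after it in the same chain is unreachable."""
    catch_all, found = {}, []
    for line in script.splitlines():
        rule = parse_rule(line) if line.strip() else None
        if rule is None:
            continue
        if rule.chain in catch_all:
            found.append((rule.text, catch_all[rule.chain].text))
        elif not rule.matches and rule.target in TERMINAL:
            catch_all[rule.chain] = rule
    return found
```

Run it over the three rule pairs from the message and the logging DENY is reported as unreachable in all of them; only a DENY -l that sits after rules restricted with -s/-d (or directly after the policy) can actually tell you the firewall is the one dropping the packet.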