
List:       gauntlet-user
Subject:    RE: Binding Multiple Addresses on Network Interface with BSDI v3.0
From:       Wilson Heng <wilson_heng.pt () cemtecasia ! com ! sg>
Date:       1997-10-21 18:48:22

Thanks Patrick and the rest of the people for your help. I have configured
as what you mentioned, that is, modified the packet screen rules.

However, I realised that this did not solve the problem. Hence, I would like
to know if anyone has tried with Gauntlet v4.0 on BSDI v3.0. IP aliasing works
with just BSDI v3.0 alone, and it stops working when Gauntlet v4.0 is installed.

Any comments ?

Thanks in advance.

Best Regards,
... Wilson ...


Subject : Re: Binding Multiple Addresses on Network Interface with BSDI v3.0
*Patrick Belliotti (pbelliot@radium.ncsc.mil) wrote>

Wilson Heng wrote:
> 
> Dear all,
> 
> Has anyone tried the above ? That is, binding multiple
> addresses on a network interface, say, external interface, of
> Gauntlet BSDI firewall ?
> 
> This works perfectly on Solaris v2.5.1, but not with BSDI v3.0.
> I could not ping the alias IP addresses at all.
> 
> Is this a BSDI or Gauntlet problem ?
> 

(ASSUMPTION:  Gauntlet 3.2--I haven't seen 4.? yet.)

Sounds like it could be Gauntlet's packet screen denying it.

To test this, with a ping to the aliased IP running (and failing), type
this at the Gauntlet console (WARNING:  Not if it's a busy box or if
you're not at the console itself--slows the system a lot):

ipfs -t on ; sleep 5 ; ipfs -t off

(This is how I carefully do a brief ipfs trace--you don't have to be so
paranoid).

Anyway, my guess is you'll see the pings being denied.

The old authenIP: method of fixing this would be a permit-local for the
new (aliased) IP addresses.  There may be other ways with netconfig??
lines, too.  

If you want the proxies to work to these new aliased addresses, you'll
need absorb-forward rules, too.

pjb

> Thanks in advance.
> 
> Best Regards,
> ... Wilson ...

-- 
  |  Patrick Belliotti
  |  Computer Scientist
  |  
  |  Content of this is all my idea, and
  |  not necessarily accurate or factual.
>>End of message
