'Re: Newbie help on Solaris 8'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: Newbie help on Solaris 8
From:       Doug Silver <dsilver () quantified ! com>
Date:       2001-04-30 17:45:42
[Download RAW message or body]

Oops, you were absolutely right.  I added this:

pass out       on dpfe0 proto icmp all keep state group 20

but still no dice.  I'm running 'ipmon -o I' but it's not reporting
anything.  The odd thing is from the test box, traceroute doesn't resolve
the path properly:
traceroute 192.168.10.25
traceroute to 192.168.10.25 (192.168.10.25), 30 hops max, 38 byte packets
 1  * *
[root@foobar ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface
192.168.20.10   0.0.0.0         255.255.255.255 UH        0 0          0
eth0
192.168.20.0    0.0.0.0         255.255.255.0   U         0 0          0
eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0
lo
0.0.0.0         192.168.20.1    0.0.0.0         UG        0 0          0
eth0

Any other suggestions?

Thanks!

-doug

On Mon, 30 Apr 2001, Rob MacGregor wrote:

> >From: Doug Silver <dsilver@quantified.com>
> >
> >I'm trying to migrate from ipchains to ipfilter, so I'm still getting used
> >to ipfilters commands/etc, but I can't get the firewall working.  My
> >current setup is as follows.
> >Netra with Solaris 8, as the firewall.  I have a RH 6.2 box connected 
> >directly
> >to its second interface and I've successfully ssh'd in from the
> >firewall.  However, I can't ping or anything from the RH box to another
> >box on my internal network, e.g. ping 192.168.10.25.
> >
> >IPs - firewall 192.168.10.245 (dpfe0), 192.168.20.1 (dpfe1)
> >       rh box is 192.168.20.10
> >
> >Here are my rules and nat:
> >pass in log quick on dpfe0 all
> >
> >block out log quick on dpfe0 all head 20
> >
> >    pass out log quick on dpfe0 proto tcp from 192.168.20.0/24 to any port
> >= 20 flags S keep state group 20
> >    pass out quick on dpfe0 proto tcp from 192.168.20.0/24 to any port = 21
> >flags S keep state group 20
> >    pass out quick on dpfe0 proto tcp from 192.168.20.0/24 to any port = 22
> >flags S keep state group 20
> >    pass out quick on dpfe0 proto tcp from 192.168.20.0/24 to any port = 80
> >flags S keep state group 20
> >    pass out quick on dpfe0 proto tcp from 192.168.20.0/24 to any port =
> >443 flags S keep state group 20
> >    pass out quick on dpfe0 proto tcp from 192.168.20.0/24 to any port = 25
> >keep state group 20
> >    pass out quick on dpfe0 proto tcp from 192.168.20.0/24 to
> >192.168.10.0/24 port = 53 flags S keep state group 20
> >    pass out quick on dpfe0 proto udp from 192.168.20.0/24 to
> >192.168.10.0/24 port = 53         keep state group 20
> >    pass out       on dpfe0 proto udp from 192.168.20.0/24 to any port
> >33434 >< 33690 keep state group 20
> 
> Nothing about ICMP which is what ping uses...  Need to add rules for that.
> 
> Rob
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
> 
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Doug Silver
619 235-2665
Quantified Systems, Inc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic