Looks like a problem with reverse-DNS. Does ipchains -L *chain* -n hang?

Oscar

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 10/11/2001, 2:38:08 PM, Marc Ozon <[EMAIL PROTECTED]> wrote regarding Help with ipchains on Potato -- problem with -s?:

> Hi,
>
> I've been trying to configure a firewall using ipchains on a machine
> running pretty much a stock installation of Potato -- I've done the apt-get
> upgrade but not dist-upgrade. My kernel is the default 2.2.19pre17, and
> given that /proc/net/ip_fwchains exists, I figure it has the appropriate
> support for using ipchains.
>
> My problem is this: whenever I use ipchains to try to filter by source
> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.
>
> Details (I'll use *chain* to stand for any one of the chains):
>
> All the following ipchains commands work properly (i.e. checking with
> ipchains -L returns an intelligible response, and the packet filter seems
> to behave as it should given the ipchains commands):
>
> ipchains -F *chain*
> ipchains -P *chain* DENY
> ipchains -A input -i lo -j ACCEPT
> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
> ipchains -A input -j DENY -l
>
> BUT when I try to filter by source address, e.g.
>
> ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY
>
> and check with ipchains -L to see my rule set, ipchains -L just seems to
> hang, and prints out just this:
>
> Chain input (policy ACCEPT):
> target prot opt source destination ports
>
> I have to hit ctrl-c to get the prompt back.
>
> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
> make a change there (i.e. it looks like the rule gets registered there,
> when I check that file with more), but ipchains -L just hangs there.
>
> One more complication: this doesn't happen every time. Oddly, sometimes
> my whole firewall script runs and everything works -- I get a proper
> response from ipchains -L. But sometimes it doesn't. I've tried to
> establish a pattern, but other than noting that it seems to be using
> ipchains with the -s option that triggers it, I can't seem to detect
> anything that might indicate why it works sometimes but not others.
> Absolutely maddening.
>
> Any ideas? Anything I'm missing, or anywhere else I can check?
>
> Thanks,
>
> Marc
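The check suggested in the reply, as an added example that is not part of the original thread: it times the rule listing with and without -n so a reverse-DNS stall can be told apart from other failures. It assumes coreutils `timeout` is installed; `IPCHAINS`, `LIMIT`, `run_listing` and `diagnose` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread): tell a reverse-DNS stall apart from
# other failures by timing the rule listing with and without -n.
# Assumptions: coreutils `timeout` is installed; IPCHAINS, LIMIT and the
# function names are hypothetical and can be overridden.
IPCHAINS="${IPCHAINS:-ipchains}"
LIMIT="${LIMIT:-5}"    # seconds before a listing counts as hung

# run_listing CHAIN [FLAGS...]: print the exit status of the listing.
# `timeout` exits 124 when it had to kill the command.
run_listing() {
    rc=0
    # $IPCHAINS is unquoted on purpose so it may carry a wrapper prefix.
    timeout "$LIMIT" $IPCHAINS -L "$@" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# diagnose CHAIN: print one verdict word.
diagnose() {
    named=$(run_listing "$1")        # addresses resolved to names
    numeric=$(run_listing "$1" -n)   # numeric output, no lookups
    case "$named:$numeric" in
        0:0)     echo "ok" ;;            # both listings finished in time
        124:0)   echo "reverse-dns" ;;   # only the name-resolving run hung
        124:124) echo "hang-not-dns" ;;  # hangs even without lookups
        *)       echo "error" ;;         # not root, no such chain, ...
    esac
}

# Run as: sh script.sh input
if [ "$#" -gt 0 ]; then
    diagnose "$1"
fi
```

A `reverse-dns` verdict means the rules themselves loaded and only the name lookups for the listed addresses are stalling, so `ipchains -L *chain* -n` is the listing to rely on.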

