-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was easy -- both Oscar and David seem to have found the cause and the
solution of the problem I was having. Checking my firewall with ipchains -L
hung up sometimes when it was doing a reverse-lookup of the IP addresses in
the rules, so ipchains -L -n (to prevent the DNS lookup) worked fine.

Many thanks to you both!

Marc

On Thu, 11 Oct 2001, Oscar Pearce wrote:
>Looks like a problem with reverse-DNS. Does ipchains -L *chain* -n hang?
>
>Oscar

On Fri, 12 Oct 2001, David Anso wrote:
>Run "ipchains -L -n" to stop the DNS trying to lookup the 192 address. It
>appears it's all working, but trying to find the DNS name of 192.168.0.0
>
>David

My original message:
>> Hi,
>
>> I've been trying to configure a firewall using ipchains on a machine
>> running pretty much a stock installation of Potato -- I've done the
>> apt-get upgrade but not dist-upgrade. My kernel is the default 2.2.19pre17,
>> and given that /proc/net/ip_fwchains exists, I figure it has the
>> appropriate support for using ipchains.
>
>> My problem is this: whenever I use ipchains to try to filter by source
>> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.
>
>> Details (I'll use *chain* to stand for any one of the chains):
>
>> All the following ipchains commands work properly (i.e. checking with
>> ipchains -L returns an intelligible response, and the packet filter seems
>> to behave as it should given the ipchains commands):
>
>> ipchains -F *chain*
>> ipchains -P *chain* DENY
>> ipchains -A input -i lo -j ACCEPT
>> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
>> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
>> ipchains -A input -j DENY -l
>
>> BUT when I try to filter by source address, e.g.
>
>> ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY
>
>> and check with ipchains -L to see my rule set, ipchains -L just seems to
>> hang, and prints out just this:
>
>> Chain input (policy ACCEPT):
>> target prot opt source destination ports
>
>> I have to hit ctrl-c to get the prompt back.
>
>> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
>> make a change there (i.e. it looks like the rule gets registered there,
>> when I check that file with more), but ipchains -L just hangs there.
>
>> One more complication: this doesn't happen every time. Oddly, sometimes
>> my whole firewall script runs and everything works -- I get a proper
>> response from ipchains -L. But sometimes it doesn't. I've tried to
>> establish a pattern, but other than noting that it seems to be using
>> ipchains with the -s option that triggers it, I can't seem to detect
>> anything that might indicate why it works sometimes but not others.
>> Absolutely maddening.
>
>> Any ideas? Anything I'm missing, or anywhere else I can check?
>
>> Thanks,
>> Marc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7xfrDwCp3zWOyN7gRApclAKDTMcSTr75TJfgzza3AeKWhNEheOwCdGbCG
Ml8bpusoN/DYpkvC5BSUf8I=
=v9zf
-----END PGP SIGNATURE-----
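The lesson of the thread is that a firewall script should never let rule listing depend on DNS: pass -n so ipchains prints addresses numerically, and put a timeout around the call so a hang cannot stall the whole script. The following is an added example, not code from the thread or from the ipchains project. It assumes Python 3 with the standard library only; the `SAMPLE_LISTING` text is constructed to approximate `ipchains -L -n` output and is not captured from a real system, and the `run` parameter exists only so the listing can be exercised offline with a stand-in for `subprocess.run`.

```python
"""Added example: list ipchains rules numerically, with a timeout guard."""
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample of what `ipchains -L input -n` prints; columns and
# values are illustrative, not captured from a real 2.2 kernel.
SAMPLE_LISTING = """\
Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            0.0.0.0/0             n/a
ACCEPT     tcp  ------  0.0.0.0/0            0.0.0.0/0             * ->   *
DENY       all  ------  192.168.0.0/16       0.0.0.0/0             n/a
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    destination: str


class ListingTimeout(RuntimeError):
    """Raised when the listing command does not return in time."""


def build_list_argv(chain: Optional[str] = None, numeric: bool = True) -> List[str]:
    """Build the ipchains listing command.

    `numeric=True` adds -n, which is the fix from the thread: addresses are
    printed as written, so no reverse DNS lookup can block the listing.
    """
    argv = ["ipchains", "-L"]
    if chain:
        argv.append(chain)
    if numeric:
        argv.append("-n")
    return argv


def parse_listing(text: str) -> List[Rule]:
    """Parse `ipchains -L -n` style output into Rule records.

    Chain headers ("Chain input (policy DENY):") set the current chain; the
    column header line is skipped; every other non-empty line is a rule whose
    first five whitespace-separated fields are target, prot, opt, source and
    destination. Trailing port columns vary by protocol and are ignored here.
    """
    rules: List[Rule] = []
    chain: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if line.startswith("target"):
            continue
        fields = line.split()
        if chain is None or len(fields) < 5:
            continue
        rules.append(Rule(chain, fields[0], fields[1], fields[3], fields[4]))
    return rules


def list_rules(chain: Optional[str] = None, timeout: float = 5.0,
               run: Callable = subprocess.run) -> List[Rule]:
    """Run the numeric listing under a timeout and return parsed rules.

    A listing that hangs (as the thread's DNS-dependent `ipchains -L` did)
    surfaces as ListingTimeout instead of blocking the caller indefinitely.
    """
    argv = build_list_argv(chain)
    try:
        proc = run(argv, capture_output=True, text=True, timeout=timeout, check=True)
    except subprocess.TimeoutExpired as exc:
        raise ListingTimeout(f"{' '.join(argv)} did not return within {timeout}s") from exc
    return parse_listing(proc.stdout)


def fake_runner(stdout: str, hang: bool = False) -> Callable:
    """Stand-in for subprocess.run so the code runs without ipchains."""
    def run(argv, **kwargs):
        if hang:
            raise subprocess.TimeoutExpired(argv, kwargs.get("timeout"))
        return subprocess.CompletedProcess(argv, 0, stdout=stdout, stderr="")
    return run


def listing_status(run: Callable, chain: Optional[str] = None) -> str:
    """Return 'ok' or 'timeout' for a listing attempt; handy in a script."""
    try:
        list_rules(chain, timeout=1.0, run=run)
        return "ok"
    except ListingTimeout:
        return "timeout"


if __name__ == "__main__":
    for rule in list_rules("input", run=fake_runner(SAMPLE_LISTING)):
        print(rule)
    print(listing_status(fake_runner("", hang=True)))
```

Parsing numeric output also keeps the firewall script's own checks deterministic: a rule on 192.168.0.0/16 compares as that literal string rather than as whatever name, if any, a resolver returns for it.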

