> Hi,
> 
> Thank you to everyone who helped me find some resources to get me started with setting up a firewall.  I've decided to use ipchains to do my packet filtering, but I've come across a problem that I can't seem to figure out.
> 
> I was just trying to add some rules for packet filtering using ipchains.  When I have the defaults set to ACCEPT, I can ping other computers in my network.  The packet comes back and everything is just fine and dandy, but once I change the defaults to DENY and start adding rules, things get pretty weird.
> 
> Here's the problem.  When I attempt to ACCEPT all protocols between computers in my network:
> 
> /sbin/ipchains -A input -j ACCEPT -p all -s 192.168.0.1/24 -d 192.168.0.1/24
> /sbin/ipchains -A ouput -j ACCEPT -p all -s 192.168.0.1/24 -d 192.168.0.1/24
> 
> ping does not work.

First problem - by specifying the /24, you have said that you are a
Class C network, which means that the full line should be:

/sbin/ipchains -A input -j ACCEPT -p all -s 192.168.0.0/24 -d 192.168.0.0/24

Secondly, the destination might want to be that machine's address, i.e.
if you are doing firewalling on 192.168.0.1, you might want to use "-d
192.168.0.1" (note the lack of "/24"), and if being done on
192.168.0.64, it would be "-d 192.168.0.64".

> When I specify the ICMP protocol:
> 
> /sbin/ipchains -A input -j ACCEPT -p icmp -s 192.168.0.1/24 -d 192.168.0.1/24
> /sbin/ipchains -A input -j ACCEPT -p icmp -s 192.168.0.1/24 -d 192.168.0.1/24
> 
> ping works.
> 
> So, the question is:  Why does my system need to have the ICMP protocol accepted explicitly??  I mean, when I specify "-p all" (all protocols), is that NOT ALL-INCLUSIVE??

It is...  Try what's stated above, and reply back to the newsgroup.
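
Added example, not part of the original message: a small Python lint for the rule lines quoted in this thread. It reports address specs whose host bits are set under the mask, reports chain names that are not ipchains built-ins, and shows which hosts a spec covers. The function names are hypothetical and the CIDR arithmetic is Python's `ipaddress` module; nothing here runs ipchains itself.

```python
import ipaddress
import shlex

# ipchains' built-in chains; any other name must first be created with -N.
BUILTIN_CHAINS = {"input", "output", "forward"}

def parse_rule(line):
    """Parse the option subset used in this thread (-A -j -p -s -d)."""
    tokens = shlex.split(line)
    # tokens[0] is the ipchains path; every option here takes one value.
    return dict(zip(tokens[1::2], tokens[2::2]))

def lint_rule(line):
    """Return findings for the chain name and address specs of one rule."""
    opts = parse_rule(line)
    findings = []
    chain = opts.get("-A")
    if chain not in BUILTIN_CHAINS:
        findings.append(f"-A {chain}: not a built-in chain")
    for flag in ("-s", "-d"):
        spec = opts.get(flag)
        if spec is None:
            continue
        iface = ipaddress.ip_interface(spec)  # a bare address parses as /32
        if iface.ip != iface.network.network_address:
            findings.append(
                f"{flag} {spec}: host bits set, network is {iface.network}")
    return findings

def covers(spec, host):
    """True if the address spec (network or single host) includes host."""
    return ipaddress.ip_address(host) in ipaddress.ip_interface(spec).network

# Rule lines copied from the thread, plus the form suggested in the reply.
RULES = [
    "/sbin/ipchains -A input -j ACCEPT -p all -s 192.168.0.1/24 -d 192.168.0.1/24",
    "/sbin/ipchains -A ouput -j ACCEPT -p all -s 192.168.0.1/24 -d 192.168.0.1/24",
    "/sbin/ipchains -A input -j ACCEPT -p all -s 192.168.0.0/24 -d 192.168.0.1",
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule)
        for finding in lint_rule(rule) or ["ok"]:
            print("   ", finding)
```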
