> From: Roy Culley <[EMAIL PROTECTED]>
>
> Hi,
>
> [...]
>
> I have an address group named 'outside' which allows any IP addresses
> except those specified by 'inside'.
>
> A few months ago there was a need to connect a host between the
> SunScreen cluster and our ISP's router. This host was given IP address
> 1.2.3.90. So address group 'inside' was modified to exclude this
> address. When the test was complete I removed 1.2.3.90 from the
> 'inside' exclude addresses.
Hi Roy -

By any chance, did you also add 1.2.3.90 to "outside" at this time? If so, SunScreen will still think that it belongs there, and is likely dropping the traffic as being spoofed.

SunScreen 3.1 determines that a packet is "spoofed" if it arrives on one interface, but according to your interface address groups, it belongs to another interface. (You get spoof protection, btw, by accurately configuring address groups associated to your interfaces, which is required in Stealth mode to ensure that packets are sent out the right interface.)

> Does anyone have any idea as to what is wrong?

I would guess that spoof detection is getting you. To further debug this, turn on logging on your interfaces, then examine your logs. It will give the reason for dropping the packet as either "Deny or no pass rule" (errorcode 256) or "Invalid source address" (errorcode 272).

Hope that helps,

Valerie

--
Now appearing as Beth Beam in: "Dilemma at the Toll Road Inn" and the Gaslighter Theater's Nearly World Famous Vaudeville Revue! http://www.gaslighter.com/ Now - New Year's Eve. Tix: 408.866.1408

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
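The spoof-detection logic described in the reply above, as an added Python model that is not part of this thread and not SunScreen's own code. It models interface address groups as include/exclude lists, assumes a most-specific-entry-wins membership rule (so a stale explicit host entry in 'outside' overrides the "any except inside" exclusion), and flags a packet as spoofed when its source belongs to the address group of an interface other than the one it arrived on. The interface names (qe0, qe1), the inside network 1.2.3.0/24, the destination 203.0.113.5 and the pass rule are all constructed for the example; the two errorcodes 256 and 272 are the ones quoted in the reply.

```python
# Model of SunScreen-style interface address groups and spoof detection.
# Assumptions (not SunScreen's documented semantics): membership in a group is
# decided by the most specific matching entry, excludes win ties, and a packet
# is "spoofed" if its source is a member of any other interface's group.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

DENY_NO_PASS_RULE = 256      # "Deny or no pass rule"    (errorcode from the reply)
DENY_INVALID_SOURCE = 272    # "Invalid source address"  (errorcode from the reply)

Net = ipaddress.IPv4Network
Spec = Union[Net, str]       # a network, or the name of another address group


@dataclass
class AddressGroup:
    name: str
    include: List[Spec] = field(default_factory=list)
    exclude: List[Spec] = field(default_factory=list)


class Screen:
    def __init__(self) -> None:
        self.groups: Dict[str, AddressGroup] = {}
        self.iface_group: Dict[str, str] = {}          # interface -> group name
        self.pass_rules: List[Tuple[str, str]] = []    # (src group, dst group)

    def add_group(self, g: AddressGroup) -> None:
        self.groups[g.name] = g

    def bind_interface(self, iface: str, group: str) -> None:
        self.iface_group[iface] = group

    def add_pass_rule(self, src_group: str, dst_group: str) -> None:
        self.pass_rules.append((src_group, dst_group))

    def _match(self, spec: Spec, addr: ipaddress.IPv4Address) -> Optional[int]:
        """Prefix length of the match, or None if spec does not cover addr."""
        if isinstance(spec, str):                      # reference to another group
            member, plen = self._resolve(spec, addr)
            return plen if member else None
        return spec.prefixlen if addr in spec else None

    def _resolve(self, group_name: str, addr: ipaddress.IPv4Address) -> Tuple[bool, int]:
        """Most specific entry wins; on a tie an exclude beats an include."""
        best: Optional[Tuple[int, bool]] = None        # (prefixlen, is_include)
        g = self.groups[group_name]
        for is_include, specs in ((True, g.include), (False, g.exclude)):
            for spec in specs:
                plen = self._match(spec, addr)
                if plen is None:
                    continue
                if best is None or plen > best[0] or (plen == best[0] and not is_include):
                    best = (plen, is_include)
        return (best[1], best[0]) if best else (False, -1)

    def member(self, group_name: str, addr: ipaddress.IPv4Address) -> bool:
        return self._resolve(group_name, addr)[0]

    def home_interfaces(self, addr: ipaddress.IPv4Address) -> List[str]:
        """Interfaces whose address group claims addr."""
        return sorted(i for i, g in self.iface_group.items() if self.member(g, addr))

    def check(self, iface: str, src: str, dst: str) -> Tuple[str, int]:
        """Decide a packet arriving on iface; returns ('pass', 0) or ('drop', errorcode)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.home_interfaces(s) != [iface]:         # belongs elsewhere (or nowhere)
            return ("drop", DENY_INVALID_SOURCE)
        for sg, dg in self.pass_rules:
            if self.member(sg, s) and self.member(dg, d):
                return ("pass", 0)
        return ("drop", DENY_NO_PASS_RULE)


def build_screen(stale_outside_entry: bool) -> Screen:
    """Constructed policy: 'inside' = 1.2.3.0/24 on qe0, 'outside' = any except inside on qe1.
    With stale_outside_entry=True, 1.2.3.90 is still listed explicitly in 'outside'."""
    s = Screen()
    s.add_group(AddressGroup("inside", include=[Net("1.2.3.0/24")]))
    outside = AddressGroup("outside", include=[Net("0.0.0.0/0")], exclude=["inside"])
    if stale_outside_entry:
        outside.include.append(Net("1.2.3.90/32"))     # the leftover from the test setup
    s.add_group(outside)
    s.bind_interface("qe0", "inside")
    s.bind_interface("qe1", "outside")
    s.add_pass_rule("inside", "outside")
    return s


if __name__ == "__main__":
    for stale in (True, False):
        verdict = build_screen(stale).check("qe0", "1.2.3.90", "203.0.113.5")
        print(f"stale entry in 'outside'={stale}: 1.2.3.90 via qe0 -> {verdict}")
```

With the stale 1.2.3.90 entry left in 'outside', the host is claimed by both interfaces and its packets on the inside interface are dropped with errorcode 272; once the entry is gone it is claimed only by qe0 and the pass rule applies. A host from 1.2.3.0/24 appearing on qe1 is likewise reported as 272, while an outside source with no matching rule gets 256, which is the distinction the log entries let you make.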
