Paring your response down to the one thing that needs an answer ...
At 04:15 PM 12/26/01 -0500, Kory Krofft wrote:
[...]
>> My earlier suggestion was for you to look at the actual ipchains rules that
>> *result* from the default configuration, not to look at the portions of the
>> config scripts that the user commonly edits. If you run on your LEAF router
>> the command "ipchains -L -n", you'll get a readable but incomplete list of
>> your firewall rules as actually implemented. The command "ipchains -L -n -v"
>> will give a complete listing, but a harder to read one. Read through the
>> rules in sequence (concentrate on the input chain) to find any rules that
>> handle ICMP type 8 (ping) traffic coming from the DMZ's network range, and
>> see what they say.
>
>Like these?
># ipchains -L -n
>Chain input (policy DENY):
>target prot opt source destination ports
>DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5 -> *
>DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 13 -> *
>DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 14 -> *
Almost. These DENY icmp packet types 5, 13, and 14 (the numbers all the way
at the right, the icmp analogs to TCP/UDP port numbers). Ping traffic is type 8.
The later list of rules you posted (not quoted here) is *probably* what
governs the relevant traffic. This ACCEPT rule should forward ping traffic
*to* hosts on the DMZ --
>ACCEPT icmp ------ 0.0.0.0/0 192.168.10.0/24 * -> *
-- but there is no equivalent rule to forward icmp/8 traffic *from*
DMZ hosts, so the final DENY rule stops it. This is just guesswork, though
... ipchains rules function as a set, so you need to read them in order and
find the *first* rule that matches a packet, -NOT- the most specific rule
(and you need to see the complete form of the rule, as I mention below).
That said, this block of rules puzzles me --
>ACCEPT tcp ------ 1.1.1.0/27 0.0.0.0/0 * -> *
>ACCEPT icmp ------ 1.1.1.0/27 0.0.0.0/0 * -> *
>ACCEPT udp ------ 1.1.1.0/27 0.0.0.0/0 53 -> *
>MASQ udp ------ 1.1.1.0/27 0.0.0.0/0 * -> *
1.1.1.0/27 looks suspiciously like a dummy entry to me, possibly one for a
DMZ somewhere later in /etc/network.conf . If these forward-chain rules
applied to a DMZ, they would be a bit inconsistent (some assume a public
address, but the last one assumes a private address) but they would probably
open up network 1.1.1.0/27 to the Internet (you need to examine the
"ipchains -L -n -v" complete listing of the rules to be sure).
>Looks to me like it does indeed block the ping traffic. Any suggestions as
>to how to test the DMZ from inside once I start to work on it?
Not without knowing a lot more than I do about your setup. One cannot test
whether a DMZ works properly without knowing what services it is supposed to
provide.
--
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
----------------------------------------------------------------
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
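The first-match point Ray makes above, as an added example that is not part of the thread: a small model of how ipchains walks a chain, fed the quoted "ipchains -L -n" lines with their wrapped columns rejoined. The ACCEPT rule is placed after the three DENY rules purely to illustrate ordering (the post does not show which chain or position it actually has), and the addresses 10.0.0.5 and 192.168.10.7 are constructed test values.

```python
import ipaddress

# Constructed listing: the rules quoted in the thread, wrapped lines rejoined.
# The ACCEPT rule's position after the DENY rules is an assumption made for
# illustration only; the original post does not show where it sits.
LISTING = """\
Chain input (policy DENY):
target prot opt source destination ports
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5 -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 13 -> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 14 -> *
ACCEPT icmp ------ 0.0.0.0/0 192.168.10.0/24 * -> *
"""

def parse_listing(text):
    """Return (policy, rules) from 'ipchains -L -n' style lines. For icmp the
    ports column reads 'type -> code', so the first number is the ICMP type."""
    policy, rules = None, []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            policy = f[-1].rstrip("):")      # "DENY):" -> "DENY"
        elif f[0] != "target":               # skip the column header
            rules.append({"target": f[0], "proto": f[1],
                          "src": ipaddress.ip_network(f[3]),
                          "dst": ipaddress.ip_network(f[4]),
                          "type": None if f[5] == "*" else int(f[5])})
    return policy, rules

def matches(rule, proto, src, dst, icmp_type):
    return (rule["proto"] in ("all", proto)
            and ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"]
            and (rule["type"] is None or rule["type"] == icmp_type))

def verdict(policy, rules, proto, src, dst, icmp_type=None):
    """The first matching rule decides; the chain policy applies otherwise."""
    for i, rule in enumerate(rules):
        if matches(rule, proto, src, dst, icmp_type):
            return rule["target"], i
    return policy, None

if __name__ == "__main__":
    policy, rules = parse_listing(LISTING)
    # echo request (type 8) into the DMZ reaches the ACCEPT rule
    print(verdict(policy, rules, "icmp", "10.0.0.5", "192.168.10.7", 8))
    # the same request leaving the DMZ matches nothing and hits the policy
    print(verdict(policy, rules, "icmp", "192.168.10.7", "10.0.0.5", 8))
    # redirect (type 5) into the DMZ: the earlier DENY wins over the ACCEPT
    print(verdict(policy, rules, "icmp", "10.0.0.5", "192.168.10.7", 5))
```

The third case is the one worth noticing: the ACCEPT rule also matches a type 5 packet to the DMZ, but the earlier, less specific DENY is what ipchains applies.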