Gary Dodge wrote:

>                          Internet (dsl)
>                                |
>                                |_____Eth0 Firewall
>                ________________|_________________________
>                |               |                        |
>              Eth1            Eth2                     Eth3
>        (192.168.1.254)   (10.10.10.254)        (192.168.2.254)
>                |               |                        |
>               HUB             HUB                      HUB
>                |               |                        |
>         (192.168.1.1)    (10.10.10.0/24)          (192.168.2.1)
>      win2k server(proxy)  (workgroup not        (terminal server)
>        (192.168.0.1)      connected to            (192.168.0.2)
>                |          file server)                  |
>                |                                        |
>                |_____________________________(switch)___|
>                                                 |||||||
>                                           (35 workstations)
>                                     (dhcp assigned by 2k server)

I tried to fix your post Gary. Why? Good organic french roast, of course :)
Is this what you had originally drawn up? I, for one, read email in Mozilla.
So I enjoy the wide post.

> the 10.10.10.0/24 sub net is a group of workstations that are NOT allowed to
> connect to either server.
>
> the terminal server is to be accessed through the terminal server client
> connection port, both on the internal network and from the internet.
>
> I hope this art makes sense.
>
> so far I have only been able to
> 1) Ping all internal IP's on firewall from all internal subnets connected.
> 2) Subnet 192.168.1.1 works fine, as will any internal sub net that is the
>    loaded last in the INTERN_NET= variable i.e.:
>    INTERN_NET=192.168.1.0/24 10.10.10.0/24
>
> In this example the 10.10.10.0/24 subnet will reach the internet and the
> 192.168.1.0/24 will not, if I reverse the order the results are reversed.
>
> here is the output from net ipfilter list, I hope its not too much.
>
> Chain input (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target prot opt    ifname source           destination      ports
>     0     0 DENY   icmp ----l- *      0.0.0.0/0        0.0.0.0/0        5 -> *
>     0     0 DENY   icmp ----l- *      0.0.0.0/0        0.0.0.0/0        13 -> *
>     0     0 DENY   icmp ----l- *      0.0.0.0/0        0.0.0.0/0        14 -> *
>     0     0 DENY   all  ----l- eth0   0.0.0.0          0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   255.255.255.255  0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   127.0.0.0/8      0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   224.0.0.0/4      0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   10.0.0.0/8       0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   172.16.0.0/12    0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   192.168.0.0/16   0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   0.0.0.0/8        0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   128.0.0.0/16     0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   191.255.0.0/16   0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   192.0.0.0/24     0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   223.255.255.0/24 0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   240.0.0.0/4      0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   10.10.10.0/24    0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   192.168.1.0/24   0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   12.254.188.16    0.0.0.0/0        n/a
>     0     0 REJECT all  ----l- eth0   0.0.0.0/0        127.0.0.0/8      n/a
>     0     0 REJECT all  ----l- eth0   0.0.0.0/0        10.10.10.0/24    n/a
>     0     0 REJECT all  ----l- eth0   0.0.0.0/0        192.168.1.0/24   n/a
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 137
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 135
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 137
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 135
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 138:139
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 138
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        137:138 -> *
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        135 -> *
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        137:139 -> *
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        135 -> *
>     0     0 ACCEPT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 80
>     0     0 ACCEPT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 25
>     0     0 ACCEPT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 110
>     0     0 ACCEPT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 21
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 113
>   432  209K ACCEPT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 1024:65535
>     0     0 REJECT udp  ----l- eth0   0.0.0.0/0        0.0.0.0/0        * -> 161:162
>     0     0 ACCEPT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 53
>     0     0 ACCEPT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 68
>     0     0 DENY   udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 67
>    15  4637 ACCEPT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 1024:65535
>     0     0 ACCEPT icmp ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> *
>     0     0 ACCEPT ospf ------ eth0   0.0.0.0/0        0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   0.0.0.0/0        0.0.0.0/0        n/a
>     0     0 REJECT udp  ----l- *      0.0.0.0/0        0.0.0.0/0        * -> 161:162
>     0     0 REJECT udp  ----l- *      0.0.0.0/0        0.0.0.0/0        161:162 -> *
>   669 57190 ACCEPT all  ------ *      0.0.0.0/0        0.0.0.0/0        n/a
>
> Chain forward (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target prot opt    ifname source           destination      ports
>     0     0 DENY   icmp ----l- *      0.0.0.0/0        0.0.0.0/0        5 -> *
>   161  9660 MASQ   all  ------ eth0   10.10.10.0/24    0.0.0.0/0        n/a
>   431 40770 MASQ   all  ------ eth0   192.168.1.0/24   0.0.0.0/0        n/a
>     0     0 DENY   all  ------ *      0.0.0.0/0        0.0.0.0/0        n/a
>
> Chain output (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target prot opt    ifname source           destination      ports
>  1091  275K fairq  all  ------ *      0.0.0.0/0        0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   0.0.0.0          0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   255.255.255.255  0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   127.0.0.0/8      0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   224.0.0.0/4      0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   10.0.0.0/8       0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   172.16.0.0/12    0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   192.168.0.0/16   0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   0.0.0.0/8        0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   128.0.0.0/16     0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   191.255.0.0/16   0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   192.0.0.0/24     0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   223.255.255.0/24 0.0.0.0/0        n/a
>     0     0 DENY   all  ----l- eth0   240.0.0.0/4      0.0.0.0/0        n/a
>     0     0 DENY   all  ------ eth0   10.10.10.0/24    0.0.0.0/0        n/a
>     0     0 DENY   all  ------ eth0   192.168.1.0/24   0.0.0.0/0        n/a
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 137
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 135
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 137
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 135
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 138:139
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        * -> 138
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        137:138 -> *
>     0     0 REJECT udp  ------ eth0   0.0.0.0/0        0.0.0.0/0        135 -> *
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        137:139 -> *
>     0     0 REJECT tcp  ------ eth0   0.0.0.0/0        0.0.0.0/0        135 -> *
>  1091  275K ACCEPT all  ------ *      0.0.0.0/0        0.0.0.0/0        n/a
>
> Chain fairq (1 references):
>  pkts bytes target prot opt    ifname mark source           destination      ports
>     0     0 RETURN ospf ------ *      0x1  0.0.0.0/0        0.0.0.0/0        n/a
>     0     0 RETURN ospf ------ *      0x1  0.0.0.0/0        0.0.0.0/0        n/a
>     0     0 RETURN udp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        * -> 520
>     0     0 RETURN udp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        520 -> *
>     0     0 RETURN tcp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        * -> 179
>     0     0 RETURN tcp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        179 -> *
>     0     0 RETURN tcp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        * -> 53
>     0     0 RETURN tcp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        53 -> *
>    15  1331 RETURN udp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        * -> 53
>     4   399 RETURN udp  ------ *      0x1  0.0.0.0/0        0.0.0.0/0        53 -> *
>     0     0 RETURN tcp  ------ *      0x2  0.0.0.0/0        0.0.0.0/0        * -> 23
>     0     0 RETURN tcp  ------ *      0x2  0.0.0.0/0        0.0.0.0/0        23 -> *
>     0     0 RETURN tcp  ------ *      0x2  0.0.0.0/0        0.0.0.0/0        * -> 22
>     0     0 RETURN tcp  ------ *      0x2  0.0.0.0/0        0.0.0.0/0        22 -> *
>
> any suggestions, comments, etc. would be of great help and appreciated.
> even if a solution includes starting over with a new perspective.

Check that I got this right. If so, cut the ipfilter rules out, because
they're listed above, and then include

  netstat -rn
  ifconfig -a

on any host involved with your example that's at issue. Include the exact
ping command you used and the exact output. Check your syslog to see if any
packets are being denied.

Regards,
Matthew

> Thanks,
> Gary

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
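As an added example (not from this thread and not LEAF's own tooling), the Python checker below parses an `ipchains -L -v -n` listing in the layout Gary posted and, for each subnet named in an `INTERN_NET`-style list, reports whether a MASQ rule on the external interface covers it, how many packets that rule has matched, and which input-chain DENY/REJECT rules on the external interface act as anti-spoofing for that range (packets arriving from the Internet with an internal source address). The embedded listing is a constructed excerpt of the quoted input and forward chains; the interface name `eth0` and the third subnet `192.168.2.0/24` are assumptions taken from the diagram. Run against that excerpt, both `INTERN_NET` subnets show a MASQ rule with non-zero counters, so the rule listing by itself cannot explain why only the last-listed subnet reaches the Internet; that is exactly why the routing table and exact ping output Matthew asks for are the next thing to collect.

```python
"""Check an ipchains -L -v -n listing for per-subnet MASQ and anti-spoof rules."""
import ipaddress
import re

# Constructed sample input: a subset of the listing quoted in the thread above
# (input and forward chains only), kept in the ipchains -L -v -n column layout.
SAMPLE_LISTING = """\
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    ifname source         destination ports
    0     0 DENY   all  ----l- eth0   10.0.0.0/8     0.0.0.0/0   n/a
    0     0 DENY   all  ----l- eth0   192.168.0.0/16 0.0.0.0/0   n/a
    0     0 DENY   all  ----l- eth0   10.10.10.0/24  0.0.0.0/0   n/a
    0     0 DENY   all  ----l- eth0   192.168.1.0/24 0.0.0.0/0   n/a
  432  209K ACCEPT tcp  ------ eth0   0.0.0.0/0      0.0.0.0/0   * -> 1024:65535
    0     0 DENY   all  ----l- eth0   0.0.0.0/0      0.0.0.0/0   n/a
  669 57190 ACCEPT all  ------ *      0.0.0.0/0      0.0.0.0/0   n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    ifname source         destination ports
    0     0 DENY   icmp ----l- *      0.0.0.0/0      0.0.0.0/0   5 -> *
  161  9660 MASQ   all  ------ eth0   10.10.10.0/24  0.0.0.0/0   n/a
  431 40770 MASQ   all  ------ eth0   192.168.1.0/24 0.0.0.0/0   n/a
    0     0 DENY   all  ------ *      0.0.0.0/0      0.0.0.0/0   n/a
"""

# "Chain input (policy DENY: ...)" or "Chain fairq (1 references):"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy ([A-Z]+)|\d+ references)")


def _count(token):
    """Turn an ipchains counter such as '209K' or '57190' into an int."""
    scale = {"K": 1000, "M": 1000000, "G": 1000000000}
    if token[-1] in scale:
        return int(token[:-1]) * scale[token[-1]]
    return int(token)


def parse_listing(text):
    """Parse ipchains -L -v -n output into {chain: {"policy": str|None, "rules": [dict]}}."""
    chains, current, cols = {}, None, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            cols = None
            continue
        tokens = line.split()
        if not tokens or current is None:
            continue
        if tokens[0] == "pkts":      # column header; some chains add a 'mark' column
            cols = tokens
            continue
        if cols is None:
            continue
        fixed = len(cols) - 1        # everything after the fixed columns is 'ports'
        rule = dict(zip(cols[:fixed], tokens[:fixed]))
        rule["ports"] = " ".join(tokens[fixed:])
        rule["pkts"] = _count(rule["pkts"])
        rule["bytes"] = _count(rule["bytes"])
        chains[current]["rules"].append(rule)
    return chains


def _covers(rule_src, net):
    """True if the rule's source field contains the whole subnet."""
    return net.subnet_of(ipaddress.ip_network(rule_src, strict=False))


def check_subnet(chains, subnet, ext_if="eth0"):
    """Report MASQ coverage and anti-spoof DENY rules for one internal subnet."""
    net = ipaddress.ip_network(subnet)
    masq = [r for r in chains.get("forward", {"rules": []})["rules"]
            if r["target"] == "MASQ" and r["ifname"] == ext_if and _covers(r["source"], net)]
    # Anti-spoof: traffic arriving on the external interface must not claim an
    # internal source; the catch-all 0.0.0.0/0 DENY is not counted as such a rule.
    spoof = [r for r in chains.get("input", {"rules": []})["rules"]
             if r["target"] in ("DENY", "REJECT") and r["ifname"] == ext_if
             and r["destination"] == "0.0.0.0/0" and r["source"] != "0.0.0.0/0"
             and _covers(r["source"], net)]
    return {
        "subnet": str(net),
        "masq_rule": bool(masq),
        "masq_pkts": sum(r["pkts"] for r in masq),
        "antispoof": bool(spoof),
        "antispoof_sources": [r["source"] for r in spoof],
    }


def report(listing, intern_net, ext_if="eth0"):
    """Run check_subnet over every subnet in an INTERN_NET-style space-separated list."""
    chains = parse_listing(listing)
    return {s: check_subnet(chains, s, ext_if) for s in intern_net.split()}


if __name__ == "__main__":
    # 192.168.2.0/24 (eth3 in the diagram) is an assumed extra subnet not in INTERN_NET.
    for subnet, r in report(SAMPLE_LISTING, "192.168.1.0/24 10.10.10.0/24 192.168.2.0/24").items():
        print(f"{subnet:16} MASQ={'yes' if r['masq_rule'] else 'NO':3} pkts={r['masq_pkts']:<6} "
              f"anti-spoof={'yes' if r['antispoof'] else 'NO'} {r['antispoof_sources']}")
```

Run against the excerpt, `10.10.10.0/24` and `192.168.1.0/24` both show a MASQ rule with 161 and 431 matched packets and are each covered by two anti-spoof rules (the RFC1918 block plus their own range), while `192.168.2.0/24` has no MASQ rule at all and is only covered by the generic `192.168.0.0/16` DENY. The same parser works on a full listing pasted from the firewall, mark column included, since the column layout is read from each chain's header line.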
