At 09:47 PM 9/29/98 -0500, you wrote:
>I've got a machine with the following network interfaces:
>
>eth0 - internet (a static ip)
>eth1 - in house network 192.168.1.1
>ppp0 - dialup server 192.168.1.200 - server 192.168.1.201 - client
>
>ppp0 is dialed into from another Linux machine that provides internet
>access for another network masquerading through the ppp interface so I end
>up with the following:
>
>network #2 - eth0 - Linux+masq - ppp - Linux+masq - eth0 - internet
> !
>network #1 - eth1 --------------------------+
>
>However, for some reason I cannot seem to ping or access the client Linux
>machine dialing into the Linux server.
>
>The Linux client and clients under it CAN access the internet fine. But I
>cannot seem to go back the other direction.
>
>If I ping the client Linux machine I see the modem TX light flash as it
>attempts to ping the Linux machine dialing in via ppp but the RX light
>never flashes, so I know the response is not being filtered out as it
>returns.
>
>My question is, is it possible to create somehow a rule that prevents a
>ping from being replied to?
Yes, if you are filtering the incoming or outgoing packet, the ping won't
receive its reply.
>I have almost identical sets of rules on the main(server) Linux box except
>for an extra set to allow traffic from the ppp0 interface to pass to eth0
>in addition to the passing of information from eth1 to eth0 and there is no
>problem pinging eth0 or telnet'ing to eth0.
>
>Brett Gilbert
>[EMAIL PROTECTED]
Add '-o' to all of your 'deny' rules, and add the following rule to the end
of each of your rule lists (assuming that deny is your default policy, of
course):
ipfwadm -I -a deny -S 0.0.0.0/0 -o
Basically, this rule says 'deny everything, and log it'. If it's at the end
of your rule list, then anything that gets through all your other rules
will hit it, and will be logged.
So, if you have -o on the end of every deny rule, then you can try the ping
and the logs will tell you if you are stomping the packet with your
masquerade rules.
Good luck!
Michael Kohne
[EMAIL PROTECTED]
"Evolution is God's version of domino rally"