In message <[EMAIL PROTECTED]>, "David A. Ranch" writes:
>
> >Dec 6 13:02:28 ann kernel: IP fw-in deny lo TCP 127.0.0.1:6251 192.168.0.1:25 L=7168 S=0x00 I=58486 F=0x0040 T=64
> >
> >I am at a loss on how to fix this. Any help appreciated. This is a
> >dynamic addressed PPP link, Red Hat 5.1 on an Alpha LX164 and
> >ipfwadm-2.3.0-5.
>
>
> It looks like your loopback network is denying DNS traffic:
>
> - First, check to see if you do have DNS running:
>
> ps aux | grep named
>
>
> If it's running, your IPFWADM ruleset is not configured properly.
> Post your IPFWADM ruleset and we'll fix it.
>
> Until then, basically, you need the following ruleset pair (it's
> all covered in the TrinityOS doc):
>
> /sbin/ipfwadm -I -a accept -V 127.0.0.1 -S $universe -D $universe
> /sbin/ipfwadm -O -a accept -V 127.0.0.1 -S $universe -D $universe

This is what I have so far. I don't know if it is any good or not. I don't
even remember from whom I stole^H^H^H^H^Hborrowed it.

# Default policy of accept for input rules (isn't this one the default?)
ipfwadm -I -p accept
# Now the basics: default policy of 'deny' for firewall,
# add 'accept' only for my local domain (192.168.0.0) PLUS the
# masquerade switch (-m), oh.. and bidirectional too :)
#
ipfwadm -F -p deny
ipfwadm -F -a accept -S 192.168.0.0/24 -D 0.0.0.0/0 -b -m -v
# Anything so far is enough, but some more rules aren't that bad...
# Avoid some 'smart' guy trying to hack the firewall to
# masquerade/re-route his/her packets.
#
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
ipfwadm -I -a deny -P icmp -D 192.168.0.0 -S 0/0 0 8
ipfwadm -I -a deny -P icmp -D 192.168.0.255 -S 0/0 0 8
# Packets that are usually to be avoided routing outside...
ipfwadm -I -a accept -S 127.0.0.0/24 -D 127.0.0.0/24 -W lo -v
ipfwadm -I -a deny -S 127.0.0.0/24 -D 0.0.0.0/0 -o
# Masquerade from local net on local interface to anywhere.
ipfwadm -F -a accept -m -W ppp0 -S 192.168.0.0/24 -D 0.0.0.0/0
ipfwadm -F -a accept -m -S 192.168.0.0/24 -D 0.0.0.0/0
Bob
--
+---------------------------------------------------------------+
| Bob Taylor Email: [EMAIL PROTECTED] |
|---------------------------------------------------------------|
| Like the ad says, at 300 dpi you can tell she's wearing a |
| swimsuit. At 600 dpi you can tell it's wet. At 1200 dpi you |
| can tell it's painted on. I suppose at 2400 dpi you can tell |
| if the paint is giving her a rash. (So says Joshua R. Poulson)|
+---------------------------------------------------------------+
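The log line and the posted ruleset together explain the deny: ipfwadm walks an input chain in the order the rules were added, the first match decides, and only when nothing matches does the chain policy apply. The following is an added example, not code from the thread or from ipfwadm, that models that first-match walk over the -I rules above and replays the logged packet (127.0.0.1:6251 to 192.168.0.1:25 on lo). ICMP type selectors are not modelled, the placement of the suggested loopback rule at the head of the chain (as with ipfwadm -i) is assumed, and the PPP interface address in the spoofed packet is a made-up placeholder.

```python
"""Model of ipfwadm input-chain (-I) evaluation: rules are tried in order,
the first match decides, otherwise the chain policy (-p) applies.
Added example; it does not invoke ipfwadm."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    iface: str       # interface the packet arrived on (-W compares this)
    iface_addr: str  # that interface's own address (-V compares this)


@dataclass
class Rule:
    action: str                  # "accept" or "deny"
    src: str                     # -S network (a bare address means /32)
    dst: str                     # -D network
    proto: str = "all"           # -P tcp/udp/icmp, or "all"
    iface: Optional[str] = None  # -W interface name, None = any
    via: Optional[str] = None    # -V interface address, None = any

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.via is not None and self.via != pkt.iface_addr:
            return False
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        return (ipaddress.ip_address(pkt.src) in src_net
                and ipaddress.ip_address(pkt.dst) in dst_net)


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule) or (policy, None)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return rule.action, i
    return policy, None


# The -I rules from the posted ruleset, in the order they are appended.
# ICMP type selectors ("0 8") are left out; protocol alone suffices here.
POSTED_INPUT_CHAIN = [
    Rule("deny", "0.0.0.0/0", "192.168.0.0", proto="icmp"),
    Rule("deny", "0.0.0.0/0", "192.168.0.255", proto="icmp"),
    Rule("accept", "127.0.0.0/24", "127.0.0.0/24", iface="lo"),
    Rule("deny", "127.0.0.0/24", "0.0.0.0/0"),  # the -o here wrote the log line
]
INPUT_POLICY = "accept"  # ipfwadm -I -p accept

# The loopback accept from the reply (-V 127.0.0.1, any source, any
# destination).  It only helps if it is tried before the 127.0.0.0/24 deny,
# so it is placed at the head of the chain (assumption: added with -i).
FIXED_INPUT_CHAIN = [Rule("accept", "0.0.0.0/0", "0.0.0.0/0", via="127.0.0.1")] + POSTED_INPUT_CHAIN

# Reconstructed from the logged packet: a local process talking to the
# host's own Ethernet address on port 25, which the kernel sends over lo.
LOGGED_PACKET = Packet("127.0.0.1", "192.168.0.1", "tcp", "lo", "127.0.0.1")

# Constructed: a packet claiming a loopback source but arriving on the PPP
# link (10.0.0.2 is a placeholder for the link's address).
SPOOFED_PACKET = Packet("127.0.0.5", "192.168.0.1", "tcp", "ppp0", "10.0.0.2")


def explain(chain: List[Rule], policy: str, pkt: Packet) -> str:
    action, idx = evaluate(chain, policy, pkt)
    where = f"rule {idx}" if idx is not None else "policy"
    return f"{pkt.proto} {pkt.src} -> {pkt.dst} on {pkt.iface}: {action} ({where})"


if __name__ == "__main__":
    print(explain(POSTED_INPUT_CHAIN, INPUT_POLICY, LOGGED_PACKET))  # deny, rule 3
    print(explain(FIXED_INPUT_CHAIN, INPUT_POLICY, LOGGED_PACKET))   # accept, rule 0
    print(explain(FIXED_INPUT_CHAIN, INPUT_POLICY, SPOOFED_PACKET))  # deny, rule 4
```

The walk shows why the accept at rule 2 never fires: it requires the destination to be inside 127.0.0.0/24, but a connection to the host's eth0 address still arrives on lo with a 127.0.0.1 source, so it falls through to the catch-all 127.0.0.0/24 deny. The suggested -V 127.0.0.1 rule keys on the arriving interface's address rather than on the destination, so it accepts that traffic while the spoofed packet on ppp0 is still caught by the deny, which is the anti-spoofing behaviour the original rule was there for.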