Re: whats wrong with me?

2015-12-01 Thread Krzysztof Strzeszewski
Sorry, I'm a beginner. I know my message was not logical.


uname -a:
#
OpenBSD hostname 5.8 GENERIC#0 i386
#


virtual server in httpd.conf:
#
server "hostname" {
listen on * port 80
listen on * tls port 443
log { access "access.log", error "error.log" }
tls { certificate "/etc/ssl/server.crt" key "/etc/ssl/private/server.key" }
root "/htdocs/hostname"
}
#


ports 80 and 443 are open:
# netstat -a |grep http
#
tcp 0   0   localhost.https *.* LISTEN
tcp 0   0   *.https *.* LISTEN
#


in firefox:
#
Secure Connection Failed

An error occurred during a connection to my_domain. Cannot communicate
securely with peer: no common encryption algorithm(s). (Error code:
ssl_error_no_cypher_overlap)
#


in log from httpd:
#
httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read
private key: Operation not supported by device
#




Krzysztof Strzeszewski



On 30.11.2015 22:31, Alexander Salmin wrote:
> On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:
>> Hi,
>> what's wrong?:
>>
>> httpd: could not parse macro definition SSL
>> httpd[21336]: server_tls_init: failed to configure TLS - failed to read
>> private key: Operation not supported by device
>>
>>
>> Krzysztof Strzeszewski
> Hey Krzysztof,
> 
> Two reasons why you did not receive much feedback on this.
> - You did not supply OpenBSD version (uname -a) so we can't replicate
> with same version.
> - You did not provide httpd.conf(8) so we can't replicate your exact setup.
> 
> A key to good free online OpenBSD support is to; "Always provide as much
> information as possible. Try to pin-point the exact problem. Give clear
> instructions on how to reproduce the problem. Try to describe the
> problem with as much accuracy and non-confusing terminology as possible,
> especially if it is not easy to reproduce." //
> http://www.openbsd.org/report.html
> 
> Continue to fail this and the world will just lead to sadness and despair.
> 
> Alexander



Re: whats wrong with me?

2015-12-01 Thread Alexander Salmin

On 2015-12-01 21:51, Krzysztof Strzeszewski wrote:

Sorry, I'm a beginner. I know my message was not logical.


uname -a:
#
OpenBSD hostname 5.8 GENERIC#0 i386
#


virtual server in httpd.conf:
#
server "hostname" {
listen on * port 80
listen on * tls port 443
log { access "access.log", error "error.log" }
tls { certificate "/etc/ssl/server.crt" key "/etc/ssl/private/server.key" }
root "/htdocs/hostname"
}
#


ports 80 and 443 are open:
# netstat -a |grep http
#
tcp 0   0   localhost.https *.* LISTEN
tcp 0   0   *.https *.* LISTEN
#


in firefox:
#
Secure Connection Failed

An error occurred during a connection to my_domain. Cannot communicate
securely with peer: no common encryption algorithm(s). (Error code:
ssl_error_no_cypher_overlap)
#


in log from httpd:
#
httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read
private key: Operation not supported by device
#


Check the following:

1) Does the private key match the certificate? Verify this like so
(it should result in two identical sha512 strings):
# openssl x509 -noout -modulus -in server.pem | openssl sha512
# openssl rsa -noout -modulus -in server.key | openssl sha512

2) Is httpd allowed to read the key file?
# ls -lhart /etc/ssl/server.crt
# ls -lhart /etc/ssl/private/server.key

3) Check with browser random x on random other operating system y.
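The first two checks above, as an added shell example (not from the thread): it compares the modulus of the certificate and key the way Alexander describes, and reports whether the key file is readable by its owner only. It assumes the openssl(1) command-line tool and an RSA key pair; the /etc/ssl paths in the trailing comment are the ones from the httpd.conf in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that an httpd(8) certificate and
# private key belong together and that the key is readable by its owner only.
# Assumes openssl(1) and an RSA key pair.

# Digest of the RSA modulus in a PEM file. $1 is the openssl subcommand
# (x509 for a certificate, rsa for a private key), $2 the file. Fails instead
# of hashing empty input, so two unreadable files never compare "equal".
# awk keeps only the hex digest, so the "SHA512(stdin)= ..." and "(stdin)= ..."
# output styles of different OpenSSL versions compare the same way.
modulus_digest() {
    mod=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    printf '%s\n' "$mod" | openssl sha512 | awk '{print $NF}'
}

# 0 when the certificate's public modulus equals the private key's modulus.
keypair_matches() {    # $1 = certificate, $2 = private key
    cert_mod=$(modulus_digest x509 "$1") || return 1
    key_mod=$(modulus_digest rsa "$2") || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# Octal mode of a file: GNU stat first, then BSD stat (OpenBSD, macOS).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# 0 when only the owner can read the key. httpd loads it as root before
# dropping privileges, so no other user needs access to it.
key_mode_ok() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run both checks and print a verdict for each; 0 only if both pass.
check_tls_pair() {     # $1 = certificate, $2 = private key
    rc=0
    if keypair_matches "$1" "$2"; then
        echo "ok: modulus of $1 matches $2"
    else
        echo "FAIL: $2 is not the private key for $1 (or a file is unreadable)"
        rc=1
    fi
    if key_mode_ok "$2"; then
        echo "ok: $2 has mode $(file_mode "$2")"
    else
        echo "FAIL: $2 has mode $(file_mode "$2"), expected 600 or 400"
        rc=1
    fi
    return $rc
}

# With the paths from the httpd.conf in this thread:
#   check_tls_pair /etc/ssl/server.crt /etc/ssl/private/server.key
```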



Re: whats wrong with me?

2015-11-30 Thread Alexander Salmin

On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:

Hi,
what's wrong?:

httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read
private key: Operation not supported by device


Krzysztof Strzeszewski

Hey Krzysztof,

Two reasons why you did not receive much feedback on this.
- You did not supply OpenBSD version (uname -a) so we can't replicate 
with same version.

- You did not provide httpd.conf(8) so we can't replicate your exact setup.

A key to good free online OpenBSD support is to; "Always provide as much 
information as possible. Try to pin-point the exact problem. Give clear 
instructions on how to reproduce the problem. Try to describe the 
problem with as much accuracy and non-confusing terminology as possible, 
especially if it is not easy to reproduce." // 
http://www.openbsd.org/report.html


Continue to fail this and the world will just lead to sadness and despair.

Alexander



whats wrong

2015-11-30 Thread Krzysztof Strzeszewski
Hi,
what's wrong?:

httpd: could not parse macro definition SSL
httpd[21336]: server_tls_init: failed to configure TLS - failed to read
private key: Operation not supported by device


Krzysztof Strzeszewski



Re: whats wrong with me?

2015-11-30 Thread Michel Behr
Krzysztof, dmesg output could also be helpful for people trying to help you
out.

Interesting how this applies to so many other contexts in our lives -
especially in business and overall management related matters: "Always
provide as much information as possible. Try to pin-point the exact
problem. (...) Try to describe the problem with as much accuracy and
non-confusing terminology as possible, especially if it is not easy to
reproduce."
Many problems become harder because we can't describe them precisely,
and usually because we don't understand how things work or should work in
the first place.
Worse than that: we don't know how "problem solving" works! (and that's
critically important in a group effort like the openbsd project, right?).
The poor soul's understanding is that providing an error message is enough,
without being considerate or aware of the challenges this imposes on the
very people who are willing to help him (which sometimes go as far as to
aggressively provide clear evidence of his ignorance!) - not in this case,
let me be clear!

yes, let's try to describe our problems precisely, and provide more
information to help our helpers...

Btw (just an idea), maybe there could be a script to save last error
messages, run uname -a save its output, + any other frequently useful info
(dmesg? a sanitized copy of traceroute output?)... I know sendbug(1) does
something along those lines, but I wonder if it would be feasible to do
something similar for "support requests"...?

One of the challenges is that it's hard to separate the demand for OpenBSD
specific knowledge and the lack of understanding over "universal computer
science concepts" like network protocols for example...? And the
correspondent triage of all this in an effective and efficient way.

Anyway, sorry for the ranting, just some thoughts... ("Well, why don't YOU
go there and code this suggested tool, and send us the diff?! Easy to just
give ideas, huh?!") :-) take it easy guys, just ideas...

On Monday, 30 November 2015, Alexander Salmin <alexan...@salmin.biz> wrote:

> On 2015-11-30 20:52, Krzysztof Strzeszewski wrote:
>
>> Hi,
>> what's wrong?:
>>
>> httpd: could not parse macro definition SSL
>> httpd[21336]: server_tls_init: failed to configure TLS - failed to read
>> private key: Operation not supported by device
>>
>>
>> Krzysztof Strzeszewski
>>
> Hey Krzysztof,
>
> Two reasons why you did not receive much feedback on this.
> - You did not supply OpenBSD version (uname -a) so we can't replicate with
> same version.
> - You did not provide httpd.conf(8) so we can't replicate your exact setup.
>
> A key to good free online OpenBSD support is to; "Always provide as much
> information as possible. Try to pin-point the exact problem. Give clear
> instructions on how to reproduce the problem. Try to describe the problem
> with as much accuracy and non-confusing terminology as possible, especially
> if it is not easy to reproduce." // http://www.openbsd.org/report.html
>
> Continue to fail this and the world will just lead to sadness and despair.
>
> Alexander



whats wrong with my iwi still ieee80211: nwid -50dBm

2007-03-19 Thread Jay Jesus Amorin

#dmesg


Re: whats wrong with my iwi still ieee80211: nwid -50dBm

2007-03-19 Thread Kurt Miller
On Monday 19 March 2007 6:51:37 am Jay Jesus Amorin wrote:
 iwi0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
 lladdr 00:12:f0:c7:30:a9
 media: IEEE802.11 autoselect
 status: no network
 ieee80211: nwid my_net nwkey 0x1deadbeef1 -50dBm
 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
 inet6 fe80::212:f0ff:fec7:30a9%iwi0 prefixlen 64 scopeid 0x2

It's not 'UP' but I doubt that's the problem. I've noticed
iwi has trouble after changing nwid and/or nwkey. Rebooting
works. This weekend I noticed an access point scan also seems
to kick the card into recognizing the changed values. Try:

ifconfig iwi0 up
ifconfig -M iwi0

-Kurt



Re: Unable to reach server in dmz. Whats wrong?

2006-01-20 Thread Jonas Lindskog
Abraham Al-Saleh wrote:

On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:

Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal
nets; one with workstations (NAT) and one DMZ with a single server. And
thus we have three network interfaces installed in the router: one for
the NAT, one for the DMZ and one for the external net.

Our ISP has given us a range of IP addresses (the ones below are
obfuscated ;)), which we can't change:

Segment:           38.87.5.112/28
net address:       38.87.5.112
gateway address:   38.87.5.113
firewall:          38.87.5.114
free static IPs:   38.87.5.115-126
broadcast address: 38.87.5.127
netmask:           255.255.255.240

I have set up the DMZ with
net address: 38.87.5.120
Gateway:     38.87.5.121
Server:      38.87.5.122

netmask:     255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of
course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the
internal net where NAT addresses are used, but for some reason
I can't connect to the server from the outside. I thought it was a
routing problem but when I entered a port redirect from the gateway
(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
the server. I haven't got a clue what's wrong. Can anybody help to
explain this or have an idea of a workaround (I don't want the port
redirect)? Thanks in advance.

/Jonas


It would help if you attached your pf.conf, and relevant configuration
files (hostname.if, for example)

ok, finally :) this is what my pf.conf and interfaces look like.

# 1. macros
if_ext=fxp0
if_int=bce0
if_dmz=re0
if_lo=lo0

icmp_types = echoreq
dmz_servers = {38.87.5.122}
services = {22, 8080, 8081}
internal_services = {2401}
reserved = { 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24, 127.0.0.0/8, \
 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
 224.0.0.0/3, 255.255.255.255 }

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering

# Block everything
block all

# allow loopback
pass quick on $if_lo all

# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }

# Allow traffic in to our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA \
 keep state

# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in  on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state

# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any

# allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state

# Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
 user proxy flags S/SA keep state

# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. By default we stop all traffic in to the dmz.
# To open up a service we use port forwarding on the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA \
 keep state
pass out on $if_dmz proto tcp from any to any port $internal_services \
 flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers \
 port $internal_services keep state

#pf.conf ends here

### interfaces 
hostname.fxp0
#external interface
inet 38.87.5.114 255.255.255.240 NONE


# more hostname.bce0
#internal interface
inet 192.168.97.254 255.255.255.0 NONE

# more hostname.re0
# dmz
inet 38.87.5.121 255.255.255.252 NONE



Unable to reach server in dmz. Whats wrong?

2006-01-10 Thread Jonas Lindskog

Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal 
nets; one with workstations (NAT) and one DMZ with a single server.
And thus we have three network interfaces installed in the router: one 
for the NAT, one for the DMZ and one for the external net.


Our ISP has given us a range of IP addresses (the ones below are
obfuscated ;)):

Segment:           38.87.5.112/28
net address:       38.87.5.112
gateway address:   38.87.5.113
firewall:          38.87.5.114
free static IPs:   38.87.5.115-126
broadcast address: 38.87.5.127
netmask:           255.255.255.240

I have set up the DMZ with
net address: 38.87.5.120
Gateway:     38.87.5.121
Server:      38.87.5.122

netmask:     255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of
course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the
internal net where NAT addresses are used, but for some reason
I can't connect to the server from the outside. I thought it was a
routing problem but when I entered a port redirect from the gateway
(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
the server. I haven't got a clue what's wrong. Can anybody help to
explain this or have an idea of a workaround (I don't want the port
redirect)? Thanks in advance.

/Jonas



Re: Unable to reach server in dmz. Whats wrong?

2006-01-10 Thread Abraham Al-Saleh
On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
 Hello,

 We are using OpenBSD 3.8 as a firewall/router. We have two internal
 nets; one with workstations (NAT) and one DMZ with a single server.
 And thus we have three network interfaces installed in the router: one
 for the NAT, one for the DMZ and one for the external net.

 Our ISP has given us a range of IP addresses (the ones below are
 obfuscated ;)):

 Segment:           38.87.5.112/28
 net address:       38.87.5.112
 gateway address:   38.87.5.113
 firewall:          38.87.5.114
 free static IPs:   38.87.5.115-126
 broadcast address: 38.87.5.127
 netmask:           255.255.255.240

 I have set up the DMZ with
 net address: 38.87.5.120
 Gateway:     38.87.5.121
 Server:      38.87.5.122

 netmask:     255.255.255.252

 To ensure that routing worked properly I just entered pass (and nat of
 course) in the /etc/pf.conf file.

 I have no trouble connecting to the server at 38.87.5.122 from the
 internal net where NAT addresses are used, but for some reason
 I can't connect to the server from the outside. I thought it was a
 routing problem but when I entered a port redirect from the gateway
 (38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
 the server. I haven't got a clue what's wrong. Can anybody help to
 explain this or have an idea of a workaround (I don't want the port
 redirect)? Thanks in advance.

 /Jonas


It would help if you attached your pf.conf, and relevant configuration
files (hostname.if, for example)



Re: Unable to reach server in dmz. Whats wrong?

2006-01-10 Thread Bryan Irvine
 Our ISP has given us a range of IP addresses (the ones below are
 obfuscated ;)):

 Segment:           38.87.5.112/28
 net address:       38.87.5.112
 gateway address:   38.87.5.113
 firewall:          38.87.5.114
 free static IPs:   38.87.5.115-126
 broadcast address: 38.87.5.127
 netmask:           255.255.255.240

 I have set up the DMZ with
 net address: 38.87.5.120
 Gateway:     38.87.5.121
 Server:      38.87.5.122

 netmask:     255.255.255.252

 To ensure that routing worked properly I just entered pass (and nat of
 course) in the /etc/pf.conf file.

 I have no trouble connecting to the server at 38.87.5.122 from the
 internal net where NAT addresses are used, but for some reason
 I can't connect to the server from the outside. I thought it was a
 routing problem but when I entered a port redirect from the gateway


I suspect it may still be a routing problem.  You have a range of 13
available IPs from your ISP, but according to the subnet they are all
on the same network.  Unless I've mis-read something (which happens
often) you need to have the ISP split your range into 2 networks* and
set the router located at 38.87.5.113 to route the next hop of the
second network to your firewall.

* note you will lose a couple of IPs by doing that.

A simple way to test would be to move the 38.87.5.122 machine to the
same network as the firewall (so that it's no longer being firewalled)
and see if you can get to it.


--Bryan
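Bryan's routing argument, as an added shell example (not from the thread): the ISP router at 38.87.5.113 treats its whole /28 as on-link, and the DMZ carve-out 38.87.5.120/30 lies inside that prefix, so the router resolves 38.87.5.122 as a neighbour on the outside wire instead of forwarding to the firewall. The functions also count the usable addresses before and after the split Bryan proposes. Addresses are the thread's (obfuscated) ones; the script assumes a POSIX sh with 64-bit integer arithmetic (dash, bash, OpenBSD ksh).

```shell
#!/bin/sh
# Added example (not from the thread): why a sub-range of the ISP's on-link
# /28 is unreachable from outside, and what splitting the /28 costs.

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as an integer (e.g. 28 -> 0xfffffff0).
prefix_mask() {
    echo $(( 0xffffffff & ~((1 << (32 - $1)) - 1) ))
}

# 0 when address $1 lies inside network $2 (written a.b.c.d/len).
in_network() {
    net=${2%/*}; len=${2#*/}; m=$(prefix_mask "$len")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# Usable host addresses in a prefix (network and broadcast excluded).
usable_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# What the upstream router does with a packet for $2 when its interface
# prefix is $1: an on-link destination is ARPed for directly and never sent
# to the firewall, even if the firewall holds a longer prefix for it.
upstream_action() {    # $1 = router's on-link prefix, $2 = destination
    if in_network "$2" "$1"; then
        echo "on-link: router ARPs for $2 on the outside segment"
    else
        echo "off-link: router forwards $2 to its next hop"
    fi
}

# Bryan's proposal: split the prefix into two halves. Prints both networks,
# then the usable addresses lost to the extra network/broadcast pair.
split_cost() {         # $1 = prefix a.b.c.d/len
    net=$(ip2int "${1%/*}"); len=${1#*/}; half=$(( 1 << (32 - len - 1) ))
    echo "$(int2ip "$net")/$((len + 1)) and $(int2ip $((net + half)))/$((len + 1))"
    echo $(( $(usable_hosts "$len") - 2 * $(usable_hosts $((len + 1))) ))
}

# The thread's situation: ISP prefix 38.87.5.112/28, DMZ 38.87.5.120/30,
# server 38.87.5.122 behind the firewall's re0.
#   upstream_action 38.87.5.112/28 38.87.5.122
#     -> "on-link: router ARPs for 38.87.5.122 on the outside segment"
#   split_cost 38.87.5.112/28
#     -> "38.87.5.112/29 and 38.87.5.120/29", then "2"
```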