Hi,

I have a very strange problem with a SunScreen cluster. The configuration
is 2 Netra T1's, Solaris 2.8 and EFS 3.1 + patch 109734-04 running in
stealth mode.

As an example I'll use subnet 1.2.3.0/24 for our DMZ. The SunScreen
cluster is between our ISP's router and our DMZ.

Addresses 1.2.3.1, 1.2.3.2 and 1.2.3.3 are assigned to our redundant
router. The 1.2.3.1 address is the virtual address used by the
routers.

I have an address group named 'inside' which consists of the DMZ
subnet 1.2.3.0/24 excluding the 3 IP addresses associated with
the router. This group 'inside' is associated with the DMZ interface
of the SunScreen cluster.

I have an address group named 'outside' which allows any IP addresses
except those specified by 'inside'.

A few months ago there was a need to connect a host between the
SunScreen cluster and our ISP's router. This host was given IP address
1.2.3.90. So address group 'inside' was modified to exclude this
address. When the test was complete I removed 1.2.3.90 from the
'inside' exclude addresses.

This IP address has now been assigned to a host within the DMZ. This
host runs a www server. I add a rule on the SunScreen to allow a
particular host on the Internet to connect to 1.2.3.90 port 80.

These connections fail. When I snoop on the external interface of the
SunScreen I see the TCP SYN packet arriving and a TCP RST packet
being sent back. There is nothing seen on the DMZ interface of the
SunScreen. If I change the address from 1.2.3.90 to some other
available address everything works fine. From this it appears that the
SunScreen is rejecting 1.2.3.90 as it still thinks it is an external
address.

I used the following script to save my SunScreen configuration to a
file:

#!/bin/sh -x

(
# Name of the active policy: first line of 'ssadm active', 5th field,
# with any version suffix after the dot stripped off.
active=`ssadm active | head -1 | awk '{print $5}' | sed 's/\..*$//'`

# Dump each object class of the active policy under a '--- <class>' header
# so the output can be grepped for a single address.
echo "--- authuser"
ssadm edit "$active" -c "list authuser"
echo "--- accesslocal"
ssadm edit "$active" -c "list accesslocal"
echo "--- accessremote"
ssadm edit "$active" -c "list accessremote"
echo "--- screen"
ssadm edit "$active" -c "list screen"
echo "--- interface"
ssadm edit "$active" -c "list interface"
echo "--- rule"
ssadm edit "$active" -c "list rule"
echo "--- address"
ssadm edit "$active" -c "list address"
echo "--- service"
ssadm edit "$active" -c "list service"

) > /tmp/ss_get.out

When I search for 1.2.3.90 in this file the only occurrence is for the
www host definition.

Does anyone have any idea as to what is wrong?

Regards,
Roy

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
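The post describes 'inside' as the DMZ subnet minus the router addresses, 'outside' as everything not in 'inside', and each interface bound to one of those groups, and then a host whose address was once excluded from 'inside' getting a RST on the external side with nothing reaching the DMZ. The following is an added example, not code from the post or from SunScreen: it models those group semantics with Python's ipaddress module and shows how a leftover exclusion for 1.2.3.90 produces exactly that symptom (the destination no longer maps to any other interface, so there is nowhere to forward the SYN), together with a check that lists exclusions on 'inside' that are not among the expected router addresses. The decision logic, the group representation and the client address 203.0.113.5 are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed model (not SunScreen's implementation): a group is a set of
# included networks minus excluded networks and/or other groups, and every
# interface is bound to exactly one group.
Net = ipaddress.IPv4Network


@dataclass
class AddressGroup:
    name: str
    include: list                                 # IPv4Network objects
    exclude: list = field(default_factory=list)   # IPv4Network objects or group names


def member(groups, name, ip):
    """True if ip belongs to group `name` after its exclusions are applied."""
    ip = ipaddress.ip_address(ip)
    g = groups[name]
    if not any(ip in net for net in g.include):
        return False
    for ex in g.exclude:
        if isinstance(ex, str):
            if member(groups, ex, ip):            # exclusion by reference to another group
                return False
        elif ip in ex:
            return False
    return True


def build_config(stale_exclude):
    """DMZ 1.2.3.0/24 minus the three router addresses; 'outside' is everything else.
    With stale_exclude=True the old test-host exclusion for 1.2.3.90 is still present."""
    router = [Net("1.2.3.1/32"), Net("1.2.3.2/32"), Net("1.2.3.3/32")]
    excl = router + ([Net("1.2.3.90/32")] if stale_exclude else [])
    groups = {
        "inside": AddressGroup("inside", [Net("1.2.3.0/24")], excl),
        "outside": AddressGroup("outside", [Net("0.0.0.0/0")], ["inside"]),
    }
    interfaces = {"external": "outside", "dmz": "inside"}   # interface -> bound group
    return groups, interfaces


def screen_decision(groups, interfaces, ingress, src, dst, dport, rules):
    """Return ('forward', egress_interface) or ('reject', reason)."""
    ingress_group = interfaces[ingress]
    if not member(groups, ingress_group, src):
        return ("reject", f"{src} is not in {ingress_group}, the group bound to {ingress}")
    egress = [i for i, gname in interfaces.items()
              if i != ingress and member(groups, gname, dst)]
    if not egress:
        # The destination still classifies as an address on the arriving side,
        # so there is no interface to send it out of: SYN in, RST back, and
        # nothing ever appears on the DMZ interface.
        return ("reject", f"{dst} is not in any group bound to another interface")
    for rsrc, rdst, rport in rules:
        if ipaddress.ip_address(src) in rsrc and ipaddress.ip_address(dst) == rdst and rport == dport:
            return ("forward", egress[0])
    return ("reject", "no rule matches")


def unexpected_excludes(groups, name, expected):
    """Exclusions in group `name` that are not in the expected set, i.e. the
    check for a leftover entry such as an old test host."""
    expected = {Net(e) for e in expected}
    return [str(ex) for ex in groups[name].exclude
            if not isinstance(ex, str) and ex not in expected]


def demo(stale_exclude):
    """Run one constructed connection (client 203.0.113.5 -> 1.2.3.90:80)
    against the stale or the clean configuration."""
    rules = [(Net("203.0.113.5/32"), ipaddress.ip_address("1.2.3.90"), 80)]
    groups, ifs = build_config(stale_exclude)
    decision = screen_decision(groups, ifs, "external", "203.0.113.5", "1.2.3.90", 80, rules)
    leftovers = unexpected_excludes(groups, "inside", ["1.2.3.1/32", "1.2.3.2/32", "1.2.3.3/32"])
    return decision, leftovers


if __name__ == "__main__":
    for stale in (True, False):
        decision, leftovers = demo(stale)
        print("stale exclusion" if stale else "clean config", "->", decision)
        print("  unexpected excludes on 'inside':", leftovers)
```

The useful part for this kind of problem is the last function: whatever the real cause turns out to be, comparing the exclusion list of the interface-bound group against the set of addresses that are supposed to be there is a quick way to spot an entry that survived a cleanup.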