Hi Valerie,
 
I am using NAT on the screen.  Here's the rule:

1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"

These are my addresses:

"dnet0.net" RANGE 24.76.40.0 24.76.43.255
"dns-server" HOST 24.69.255.195
"ferrer_dnet0" GROUP { } { }
"ferrer_iprb1" GROUP { } { }
"gary" HOST 192.168.0.4 COMMENT "Garys PC"
"Internet" GROUP { "*" } { "iprb1.net" }
"iprb1.net" RANGE 192.168.0.1 192.168.0.10
"linuxbox" HOST 192.168.0.3
"melody" HOST 192.168.0.2 COMMENT "Melodys PC"
"private" GROUP { "melody" "gary" "linuxbox" } { } COMMENT ""
"publicIP" GROUP { "localhost" } { "sunbox" }
"sunbox" HOST 192.168.0.5

DNS can resolve www.myweb&firewall.com from www.myweb&firewall.com but not
from internal clients (requests time out but do come up with the correct
IP).  Snoop on the internal NIC of the firewall reports a DNS request from
the client and responds with the correct IP:

gary -> ns2wh.vc.shawcable.net DNS C www.myweb&firewall.com. Internet Addr ?
ns2wh.vc.shawcable.net -> gary         DNS R www.myweb&firewall.com. Internet Addr good.xxx.xxx.xxx
gary -> hxx-xx-xx-x  ICMP Echo request (ID: 256 Sequence number: 1280)

There are no unanswered ARPs or unresolvable DNS.

My rules seem a bit open.  I do need to restrict them; however, I'm not exactly
bright.

> and how you're doing a mapping from
> www.myweb&firewall.com to http://webserver&firewall.

www.myweb&firewall.com and webserver&firewall are the same machine, so I
don't know how I would map it to itself.  I thought the /etc/hosts table was
enough for that?

Thanks so far.
Gary.
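As an added illustration (my own code, not from either message and not part of SunScreen itself) of the check Valerie asks for, here is a small Python script that parses the address objects and the DYNAMIC rule exactly as posted above and reports whether the address an internal client resolves is covered by an internal object or instead matches the source/destination pair of the NAT rule. Assumptions: a GROUP body is read as "{ include-list } { exclude-list }", "localhost" is taken to mean the screen's own addresses (supplied by the caller), and the public IP shown as good.xxx.xxx.xxx plus the screen's internal address are replaced by constructed stand-ins 203.0.113.10 and 192.168.0.1.

```python
import ipaddress
import shlex

# Address objects copied from the message above.
ADDRESS_DEFS = """\
"dnet0.net" RANGE 24.76.40.0 24.76.43.255
"dns-server" HOST 24.69.255.195
"ferrer_dnet0" GROUP { } { }
"ferrer_iprb1" GROUP { } { }
"gary" HOST 192.168.0.4 COMMENT "Garys PC"
"Internet" GROUP { "*" } { "iprb1.net" }
"iprb1.net" RANGE 192.168.0.1 192.168.0.10
"linuxbox" HOST 192.168.0.3
"melody" HOST 192.168.0.2 COMMENT "Melodys PC"
"private" GROUP { "melody" "gary" "linuxbox" } { } COMMENT ""
"publicIP" GROUP { "localhost" } { "sunbox" }
"sunbox" HOST 192.168.0.5
"""

# The NAT rule from the message: DYNAMIC <from> <to> <translate-from-to> <to>.
NAT_RULE = '1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"'


def _ip(value):
    return value if isinstance(value, ipaddress.IPv4Address) else ipaddress.ip_address(value)


def _brace_lists(toks):
    """Turn '{ a b } { c }' tokens into ([a, b], [c]); a trailing COMMENT is ignored."""
    lists, i = [], 0
    while i < len(toks) and toks[i] == "{":
        j = toks.index("}", i)
        lists.append(toks[i + 1:j])
        i = j + 1
    if len(lists) != 2:
        raise ValueError("GROUP needs an include list and an exclude list")
    return lists[0], lists[1]


def parse_address_defs(text):
    """Parse HOST / RANGE / GROUP lines into {name: (kind, value)}."""
    objs = {}
    for line in text.splitlines():
        toks = shlex.split(line)          # handles the quoted names and comments
        if not toks:
            continue
        name, kind, rest = toks[0], toks[1], toks[2:]
        if kind == "HOST":
            objs[name] = ("HOST", _ip(rest[0]))
        elif kind == "RANGE":
            objs[name] = ("RANGE", (_ip(rest[0]), _ip(rest[1])))
        elif kind == "GROUP":
            objs[name] = ("GROUP", _brace_lists(rest))
        else:
            raise ValueError(f"unknown address kind {kind!r} for {name!r}")
    return objs


def covers(objs, name, ip, screen_addrs=(), _stack=()):
    """True if address object `name` contains `ip`. '*' is any address;
    'localhost' is assumed to mean the screen's own addresses (screen_addrs)."""
    ip = _ip(ip)
    if name == "*":
        return True
    if name == "localhost":
        return ip in {_ip(a) for a in screen_addrs}
    if name in _stack:
        raise ValueError(f"GROUP cycle through {name!r}")
    kind, val = objs[name]
    if kind == "HOST":
        return ip == val
    if kind == "RANGE":
        return val[0] <= ip <= val[1]
    inc, exc = val                        # GROUP: included members minus excluded ones
    stack = _stack + (name,)
    return (any(covers(objs, m, ip, screen_addrs, stack) for m in inc)
            and not any(covers(objs, m, ip, screen_addrs, stack) for m in exc))


def nat_rule_applies(objs, rule, src, dst, screen_addrs=()):
    """Does the DYNAMIC rule's (from, to) pair match this src -> dst packet?"""
    toks = shlex.split(rule)
    kind, from_obj, to_obj = toks[1], toks[2], toks[3]
    if kind != "DYNAMIC":
        raise ValueError("only DYNAMIC rules are modelled here")
    return covers(objs, from_obj, src, screen_addrs) and covers(objs, to_obj, dst, screen_addrs)


def diagnose(objs, client, resolved, screen_addrs=()):
    """Answer Valerie's question for one client and the IP its DNS answer carried."""
    return {
        "dst_is_internal": covers(objs, "iprb1.net", resolved) or covers(objs, "private", resolved),
        "dst_is_screen_public": covers(objs, "publicIP", resolved, screen_addrs),
        "nat_applies": nat_rule_applies(objs, NAT_RULE, client, resolved, screen_addrs),
    }


if __name__ == "__main__":
    objs = parse_address_defs(ADDRESS_DEFS)
    screen = ("192.168.0.1", "203.0.113.10")   # constructed stand-ins for the screen's addresses
    print("public name ->", diagnose(objs, "192.168.0.4", "203.0.113.10", screen))
    print("local name  ->", diagnose(objs, "192.168.0.4", "192.168.0.1", screen))
```

Run against the posted objects, the public-name case reports that the resolved address sits in no internal object and that the packet from gary matches the "iprb1.net" to "Internet" pair of the DYNAMIC rule, while the local-name case matches neither; that is the routable-or-NATed distinction Valerie is asking about, reduced to a reproducible check.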

----- Original Message -----
From: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: March 1, 2002 10:43 AM
Subject: Re: sunscreen web problem


>
> >From: "Gary Ferrer" <[EMAIL PROTECTED]>
> >
> >Hi all,
> >
> >I'm not sure how I got here but here it is:  I'm unable to access the webserver
> >(which happens to be on the same machine as the firewall) from a client on the
> >internal private net using the canonical name of the webserver.  I can access
> >the webserver internally using the local name.  So www.myweb&firewall.com is
> >not accessible but http://webserver&firewall is.  When I ping from a client to
> >www.myweb&firewall.com I get the following response:
> >
>
> Are you using NAT at all on the network?  Can DNS resolve
> "www.myweb&firewall.com" on your internal network?  If yes,
> is the IP it resolves to routable on your internal network?
>
> running snoop on both the client and the firewall when it's failing -
> do you see anything unusual? Unanswered ARPs? Unresolved DNS?
>
> >pinging www.myweb&firewall.com [real.ip.number] with 32 bytes of data:
> >Request timed out.
> >Request timed out.
> >100 % packet loss.
> >
> >So it appears that the client is getting back the correct IP of the server from
> >the DNS but somehow I can't route there or my firewall rules aren't set up
> >correctly.  Here they are:
>
> >17 "echo" "*" "*" ALLOW
> >
> >I haven't been able to find documentation with simple examples of rulesets
> >anywhere so I'm asking you guys.  Thanks a lot.
>
> Your rulesets seem fairly open, just be aware that "*" includes
> localhost (the firewall itself).
>
> My initial guess would be that NAT is getting in the way, but I'd
> need to know a bit more about your NAT configuration, and how you're
> doing a mapping from www.myweb&firewall.com to http://webserver&firewall.
>
> Valerie
> --
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
