>From: "Gary Ferrer" <[EMAIL PROTECTED]>
>
>I am using NAT on the screen. Here's the rule:
>
>1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
>
>These are my addresses:
>
>"gary" HOST 192.168.0.4 COMMENT "Garys PC"
>"Internet" GROUP { "*" } { "iprb1.net" }
>"iprb1.net" RANGE 192.168.0.1 192.168.0.10
>"publicIP" GROUP { "localhost" } { "sunbox" }
>"sunbox" HOST 192.168.0.5
Ok, from this I can see that you are sharing your firewall's
external IP with the entire network. Are you using DHCP?
>DNS can resolve www.myweb&firewall.com from www.myweb&firewall.com but not
>from internal clients (requests time out but do come up with the correct
>IP). Snoop on the internal NIC of the firewall reports a DNS request from
>the client and responds with the correct IP:
>
>gary -> ns2wh.vc.shawcable.net DNS C www.myweb&firewall.com. Internet Addr ?
>ns2wh.vc.shawcable.net -> gary DNS R www.myweb&firewall.com.
>Internet Addr good.xxx.xxx.xxx
>gary -> hxx-xx-xx-x ICMP Echo request (ID: 256 Sequence number: 1280)
So, in this snoop, I assume that good.xxx.xxx.xxx is your public IP.
Is good.xxx.xxx.xxx actually the IP configured on your external interface?
Or are you being virtually hosted by your ISP?
What is "hxx-xx-xx-x"? (Are you trying to ping www.myweb&firewall.com?)
>>and how you're
>> doing a mapping from www.myweb&firewall.com to http://webserver&firewall.;
>
>www.myweb&firewall.com and webserver&firewall are the same machine so I
>don't know how I would map to itself. I thought the /etc/hosts table was
>enough for that?
I just wasn't sure if "www.myweb&firewall.com" and "webserver&firewall"
resided on the same interface (via virtual interfaces/NAT) or one was
your external interface, and the other internal?
Now, my guess as to why this is not working:
Your NAT rule includes the IPaddr for "www.myweb&firewall.com" in
the Destination (Internet):
1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
"Internet" GROUP { "*" } { "iprb1.net" }
"iprb1.net" RANGE 192.168.0.1 192.168.0.10
So, the firewall is trying to NAT "gary" to www.myweb&firewall.com &
at the same time trying to connect to www.myweb&firewall.com, and it
gets lost somewhere in the networking stack.
Try changing your definition of "Internet" to additionally exclude
your firewall:
"Internet" GROUP { "*" } { "iprb1.net" "localhost" }
> My rules seem a bit open, I do need to restrict them however I'm not exactly
> bright.
The easiest basic restriction is to just limit the flow of traffic
so it's only open going out, and only allow http to your webserver in.
So, rules like:
"common" "iprb1.net" "*" ALLOW
"www" "*" "publicIP" ALLOW
hth
Valerie
--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
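The following is an added example, not code from the thread or from SunScreen itself: a small Python model of the address book, NAT rule and two access rules quoted in the reply above, used to check the diagnosis (an internal client's packet to the screen's own public address matches the NAT rule) and the fix (excluding "localhost" from "Internet" stops that match while outbound traffic is still translated). Everything the page does not give is assumed and marked as such in the code: the screen's "localhost" built-in is taken to resolve to a made-up external address 203.0.113.10 (standing in for good.xxx.xxx.xxx) plus the internal interface 192.168.0.1, dynamic NAT is taken to translate to the non-RFC 1918 member of the translated-source group, the "common" and "www" service groups are given plausible contents, and anything no rule allows is treated as dropped.

```python
"""Model of the SunScreen-style address groups, NAT rule and ALLOW rules
from the thread. Added example; not SunScreen code and not from the post.
"""
import ipaddress

EXTERNAL_IF = "203.0.113.10"   # assumed stand-in for good.xxx.xxx.xxx
INTERNAL_IF = "192.168.0.1"    # assumed internal address of the screen

# Address definitions as posted, stored as (kind, data).
ORIGINAL_ADDRESSES = {
    "gary":      ("HOST", "192.168.0.4"),
    "sunbox":    ("HOST", "192.168.0.5"),
    "iprb1.net": ("RANGE", ("192.168.0.1", "192.168.0.10")),
    "Internet":  ("GROUP", (["*"], ["iprb1.net"])),        # (includes, excludes)
    "publicIP":  ("GROUP", (["localhost"], ["sunbox"])),
    "localhost": ("HOSTS", [EXTERNAL_IF, INTERNAL_IF]),    # assumed built-in
}

def fixed_addresses():
    """Address book with the suggested change: "Internet" also excludes localhost."""
    book = dict(ORIGINAL_ADDRESSES)
    book["Internet"] = ("GROUP", (["*"], ["iprb1.net", "localhost"]))
    return book

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def matches(book, name, ip):
    """Does `ip` fall inside the named address object? "*" is everything."""
    return _matches(book, name, ipaddress.ip_address(ip))

def _matches(book, name, ip):
    if name == "*":
        return True
    kind, data = book[name]
    if kind == "HOST":
        return ip == ipaddress.ip_address(data)
    if kind == "HOSTS":
        return any(ip == ipaddress.ip_address(h) for h in data)
    if kind == "RANGE":
        lo, hi = (ipaddress.ip_address(a) for a in data)
        return lo <= ip <= hi
    includes, excludes = data   # GROUP: in any include and in no exclude
    return (any(_matches(book, n, ip) for n in includes)
            and not any(_matches(book, n, ip) for n in excludes))

def members(book, name):
    """Enumerate a non-wildcard address object (needed to pick a NAT address)."""
    kind, data = book[name]
    if kind == "HOST":
        return {ipaddress.ip_address(data)}
    if kind == "HOSTS":
        return {ipaddress.ip_address(h) for h in data}
    if kind == "RANGE":
        lo, hi = (int(ipaddress.ip_address(a)) for a in data)
        return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}
    includes, excludes = data
    found = set().union(*(members(book, n) for n in includes))
    return found - set().union(*(members(book, n) for n in excludes))

# 1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
NAT_RULE = ("iprb1.net", "Internet", "publicIP", "Internet")

def nat(book, src, dst):
    """Apply rule 1; returns (src, dst) as the packet leaves the screen."""
    rule_src, rule_dst, xlate_src, _ = NAT_RULE
    if matches(book, rule_src, src) and matches(book, rule_dst, dst):
        # Assumption: dynamic NAT uses the non-RFC 1918 member of "publicIP".
        public = [ip for ip in sorted(members(book, xlate_src))
                  if not any(ip in net for net in RFC1918)]
        return str(public[0]), dst
    return src, dst

def hairpin_is_natted(book):
    """Does gary's packet to the screen's own public address get source-NATed?"""
    src, _ = nat(book, "192.168.0.4", EXTERNAL_IF)
    return src != "192.168.0.4"

# "common" "iprb1.net" "*" ALLOW  /  "www" "*" "publicIP" ALLOW
ALLOW_RULES = [("common", "iprb1.net", "*"), ("www", "*", "publicIP")]
SERVICES = {"common": {"http", "https", "dns", "smtp", "ssh", "icmp"},  # assumed
            "www": {"http"}}

def allowed(book, service, src, dst):
    """Any matching ALLOW passes the packet; no match means drop (assumed default)."""
    return any(service in SERVICES[svc]
               and matches(book, s, src) and matches(book, d, dst)
               for svc, s, d in ALLOW_RULES)

if __name__ == "__main__":
    for label, book in (("original", ORIGINAL_ADDRESSES), ("fixed", fixed_addresses())):
        print(label, "gary ->", EXTERNAL_IF, "leaves as", nat(book, "192.168.0.4", EXTERNAL_IF))
        print(label, "gary -> 198.51.100.7 leaves as", nat(book, "192.168.0.4", "198.51.100.7"))
```

With the posted definitions the packet from gary to the public address is rewritten to come from that same public address, which is the hairpin the reply describes; with "localhost" excluded from "Internet" it passes untranslated, while a packet to an outside host (198.51.100.7 in the model) is still translated in both cases. The two ALLOW rules then let the inside out on the "common" services and let only http in to "publicIP".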