Yes, I am using DHCP (Shaw@home network).  Yes, good.xxx.xxx.xxx is my
external DHCP address configured on the external interface via DHCP (I
suppose I should just print it but I thought that may be a security risk
posting it on the net - stupid me).  That hxx.xx.xx.x is actually the
hostname the DHCP server gives to solaris.  I have a script to rewrite it to
a proper name 'ferrer.yi.org' so when I do 'hostname' I get ferrer.yi.org.
I'm using a DNS service from yi.org (free!).

>I just wasn't sure if "www.myweb&firewall.com" and "webserver&firewall"
>resided on the same interface (via virtual interfaces/NAT) or one was
>your external interface, and the other internal?

Humm, I didn't think of that but webserver&firewall (which I call sunbox
internally) should only answer on the internal interface because it's non
routable and not a valid canonical name.

Ahhhhhhhh.... you're right!!!!!!!!

I changed my 'Internet' definition to exclude localhost and it worked!
You're beautiful.

I need to spend more time understanding how the NAT rules work.  I've had a
hard time finding documentation that would help me with that.  Anyway, Thank
you again.

Cheers,
Gary.


----- Original Message -----
From: "Valerie Anne Bubb" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: March 1, 2002 2:32 PM
Subject: Re: Your Message Sent on Fri, 1 Mar 2002 11:44:07 -0800


>
> >From: "Gary Ferrer" <[EMAIL PROTECTED]>
> >
> >I am using NAT on the screen.  Here's the rule:
> >
> >1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
> >
> >These are my addresses:
> >
> >"gary" HOST 192.168.0.4 COMMENT "Garys PC"
> >"Internet" GROUP { "*" } { "iprb1.net" }
> >"iprb1.net" RANGE 192.168.0.1 192.168.0.10
> >"publicIP" GROUP { "localhost" } { "sunbox" }
> >"sunbox" HOST 192.168.0.5
>
> Ok, from this I can see that you are sharing your firewall's
> external IP with the entire network.  Are you using DHCP?
>
> >DNS can resolve www.myweb&firewall.com from www.myweb&firewall.com but not
> >from internal clients (requests time out but do come up with the correct
> >IP).  Snoop on the internal NIC of the firewall reports a DNS request from
> >the client and responds with the correct IP:
> >
> >gary -> ns2wh.vc.shawcable.net DNS C www.myweb&firewall.com. Internet Addr ?
> >ns2wh.vc.shawcable.net -> gary         DNS R www.myweb&firewall.com. Internet Addr good.xxx.xxx.xxx
> >gary -> hxx-xx-xx-x  ICMP Echo request (ID: 256 Sequence number: 1280)
>
> So, in this snoop, I assume that good.xxx.xxx.xxx is your public IP
>
> Is good.xxx.xxx.xxx actually the IP configured on your external interface?
> Or are you being virtually hosted by your ISP?
>
> what is "hxx-xx-xx-x"?  (are you trying to ping www.myweb&firewall.com ?)
>
> >> and how you're doing a mapping from www.myweb&firewall.com to
> >> http://webserver&firewall.
> >
> >www.myweb&firewall.com and webserver&firewall are the same machine so I
> >don't know how I would map to itself.  I thought the /etc/hosts table was
> >enough for that?
>
> I just wasn't sure if "www.myweb&firewall.com" and "webserver&firewall"
> resided on the same interface (via virtual interfaces/NAT) or one was
> your external interface, and the other internal?
>
> Now, my guess as to why this is not working:
>
> Your NAT rule includes the IPaddr for "www.myweb&firewall.com" in
> the Destination (Internet):
>
> 1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
>
> "Internet" GROUP { "*" } { "iprb1.net" }
> "iprb1.net" RANGE 192.168.0.1 192.168.0.10
>
> So, the firewall is trying to NAT "gary" to www.myweb&firewall.com &
> at the same time trying to connect to www.myweb&firewall.com, and it
> gets lost somewhere in the networking stack.
>
> Try changing your definition of "Internet" to additionally exclude
> your firewall:
>
> "Internet" GROUP { "*" } { "iprb1.net" "localhost" }
>
> > My rules seem a bit open, I do need to restrict them however I'm not exactly
> > bright.
>
> The easiest, basic, restriction is to just limit the flow of traffic
> so it's only open going out, and only allow http to your webserver in.
>
> So, rules like:
>
> "common" "iprb1.net" "*" ALLOW
> "www" * "publicIP" ALLOW
>
> hth
>
> Valerie
> --
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
>

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
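The group semantics behind Valerie's fix, as an added example that is not part of the original thread and is not SunScreen code: a small Python model of the address objects Gary posted (HOST, RANGE, and GROUP { include } { exclude }, with "*" taken to mean any address and "localhost" the firewall's own addresses, as inferred from the definitions quoted above) and of the single DYNAMIC NAT rule. The firewall's public address is masked as good.xxx.xxx.xxx in the thread; the example assumes 203.0.113.10, a documentation address, in its place. The model only shows which packets the NAT rule claims with the original and the corrected "Internet" group; it does not reproduce what the SunScreen stack does with a packet that it both translates and is the destination of.

```python
"""Model of the SunScreen-style address objects and NAT rule from the thread.

Added illustration, not SunScreen's own code. It implements just enough of
the address-object semantics to show why the original "Internet" group made
the firewall source-NAT traffic whose destination was the firewall itself.
"""
import ipaddress

# Assumption: the firewall's public address (masked as good.xxx.xxx.xxx in
# the thread); 203.0.113.10 is a documentation address standing in for it.
FIREWALL_PUBLIC_IP = "203.0.113.10"
FIREWALL_INTERNAL_IP = "192.168.0.5"        # "sunbox" in the thread
# Assumption: "localhost" resolves to every address the firewall owns.
LOCALHOST_ADDRS = {FIREWALL_PUBLIC_IP, FIREWALL_INTERNAL_IP}


def host(ip):
    return ("HOST", ip)


def rng(lo, hi):
    return ("RANGE", lo, hi)


def group(include, exclude=()):
    # GROUP { include ... } { exclude ... }: members of any include that are
    # members of no exclude (semantics inferred from the posted definitions).
    return ("GROUP", tuple(include), tuple(exclude))


# Address objects exactly as posted, with the ORIGINAL "Internet" definition.
ORIGINAL = {
    "gary": host("192.168.0.4"),
    "iprb1.net": rng("192.168.0.1", "192.168.0.10"),
    "sunbox": host(FIREWALL_INTERNAL_IP),
    "publicIP": group(["localhost"], ["sunbox"]),
    "Internet": group(["*"], ["iprb1.net"]),
}
# Valerie's fix: additionally exclude the firewall itself from "Internet".
FIXED = dict(ORIGINAL, Internet=group(["*"], ["iprb1.net", "localhost"]))

# 1 DYNAMIC "iprb1.net" "Internet" "publicIP" "Internet"
NAT_RULE = ("iprb1.net", "Internet", "publicIP")


def matches(addrs, name, ip):
    """True if address object `name` contains the address `ip`."""
    if name == "*":
        return True
    if name == "localhost":
        return ip in LOCALHOST_ADDRS
    obj = addrs[name]
    if obj[0] == "HOST":
        return ip == obj[1]
    if obj[0] == "RANGE":
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(obj[1]) <= a <= ipaddress.ip_address(obj[2])
    _, include, exclude = obj
    return (any(matches(addrs, n, ip) for n in include)
            and not any(matches(addrs, n, ip) for n in exclude))


def nat_source(addrs, src, dst, rule=NAT_RULE):
    """Source address a packet src->dst leaves the firewall with.

    Translated to the "publicIP" address when the DYNAMIC rule matches,
    otherwise unchanged.
    """
    rule_src, rule_dst, rule_xlate = rule
    if matches(addrs, rule_src, src) and matches(addrs, rule_dst, dst):
        # "publicIP" is localhost minus sunbox, i.e. the external address.
        candidates = sorted(ip for ip in LOCALHOST_ADDRS
                            if matches(addrs, rule_xlate, ip))
        return candidates[0]
    return src


if __name__ == "__main__":
    for label, addrs in (("original", ORIGINAL), ("fixed", FIXED)):
        for dst in (FIREWALL_PUBLIC_IP, FIREWALL_INTERNAL_IP, "8.8.8.8"):
            print(f"{label:8} gary -> {dst:14} leaves as "
                  f"{nat_source(addrs, '192.168.0.4', dst)}")
```

With the original definition the packet from gary to the firewall's public address is source-translated to that same public address, which is the clash Valerie describes; with "localhost" excluded, that packet is left alone while traffic to real Internet addresses is still translated, and traffic to sunbox's internal address never matched in either case because it falls inside the excluded range.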
