Sukhpreet Singh,

You don't show us the routing table for the public
router and I suspect that it's incorrect. This should
have a default route pointing towards the Internet
and 1(one) summary route entry for your internal net
(172.16.0.0 mask 255.255.0.0) pointing towards
your firewall. If the latter does not exist, the router
will not know where to send the reply.

I assume (ack) that you can ping the fw from the
inside, based on your allow any any any and all
the policy properties lit-up.

You mention the words, '...that the internal nets are
hiding behind'. Are you NATting? If so, then verify
that you have the correct ARP entries on the firewall.
For hide NAT, no change needed.

The route entries as shown would be sufficient (again,
I'm making an assumption) for a correct setup.

If you're not NATting, then once you fix this problem,
you'll have others since your RFC1918 addressing
will not (should not) travel very far on the Internet.

Finally, I hope that you have disconnected the
connection to your ISP while fixing this. If not, your
machine (site) had been totally vulnerable. Once you
have this setup working, please change your rules
and policy properties, then reconnect to your ISP.

Best of Luck!
Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
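The asymmetric-return-path diagnosis in Robert's reply, as an added example that is not part of the original thread or of any Check Point product: a small route-lookup walk-through that parses the firewall's `netstat -nr` table from Sukhpreet's message quoted below, then asks where the public router would send the echo reply. The public router's real routing table is never shown in the thread, so the two router tables here are constructed assumptions, as are the internal host 172.16.2.10 and the ISP next hop 198.51.100.1 (a documentation-range placeholder). Hide NAT is modelled simply as "the reply is addressed to the firewall's external address instead of the RFC1918 source".

```python
"""Route-lookup walk-through for Robert's diagnosis (added example, not from
the thread).  Firewall table: the posted `netstat -nr` output.  Router tables,
the internal host 172.16.2.10 and the ISP next hop are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (network, gateway, iface); gateway "0.0.0.0" means directly connected.
Route = Tuple[ipaddress.IPv4Network, str, str]

FW_EXTERNAL = "204.5.211.253"    # firewall external address (from the thread)
PUBLIC_ROUTER = "204.5.211.254"  # site's Internet router (from the thread)
ISP_NEXT_HOP = "198.51.100.1"    # placeholder, documentation range; not from the thread

# Firewall routing table as posted in the quoted netstat -nr output.
FIREWALL_NETSTAT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
204.5.211.253   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
172.16.2.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth2
172.16.1.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth1
204.5.211.224   0.0.0.0         255.255.255.224 U         0 0          0 eth0
172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 eth2
172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         204.5.211.254   0.0.0.0         UG        0 0          0 eth0
0.0.0.0         204.5.211.254   0.0.0.0         UG        0 0          0 eth0
"""


def parse_netstat(text: str) -> List[Route]:
    """Turn `netstat -nr` lines into (network, gateway, iface) tuples."""
    routes: List[Route] = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] == "Destination":
            continue  # title line, header line, or something that is not a route
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        routes.append((ipaddress.IPv4Network((dest, mask)), gw, iface))
    return routes


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; the first entry wins among equal-length prefixes."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def count_default_routes(table: List[Route]) -> int:
    """The posted table carries the same default route twice; harmless, but worth noticing."""
    return sum(1 for net, _, _ in table if net.prefixlen == 0)


# Constructed router tables.  "Missing summary" is the state Robert suspects:
# a default towards the ISP and nothing at all for 172.16.0.0/16.
ROUTER_MISSING_SUMMARY: List[Route] = [
    (ipaddress.IPv4Network("204.5.211.224/27"), "0.0.0.0", "eth0"),   # LAN shared with the firewall
    (ipaddress.IPv4Network("0.0.0.0/0"), ISP_NEXT_HOP, "serial0"),    # default towards the Internet
]
ROUTER_WITH_SUMMARY: List[Route] = ROUTER_MISSING_SUMMARY + [
    (ipaddress.IPv4Network("172.16.0.0/16"), FW_EXTERNAL, "eth0"),   # one summary route back to the fw
]


def reply_path(router_table: List[Route], internal_src: str, hide_nat: bool) -> Dict[str, object]:
    """Where does the public router send the echo reply?  With hide NAT the reply is
    addressed to the firewall's external address (directly connected); without NAT it is
    addressed to the RFC1918 source, which the router can only reach via an explicit route."""
    reply_dst = FW_EXTERNAL if hide_nat else internal_src
    route = lookup(router_table, reply_dst)
    if route is None:
        return {"reply_dst": reply_dst, "matched": None, "next_hop": None,
                "returns_to_firewall": False, "rfc1918_leaks_upstream": False}
    net, gw, _iface = route
    next_hop = reply_dst if gw == "0.0.0.0" else gw
    returns = next_hop == FW_EXTERNAL
    return {
        "reply_dst": reply_dst,
        "matched": str(net),
        "next_hop": next_hop,
        "returns_to_firewall": returns,
        # Private reply destination handed to the ISP: the RFC1918 leak Robert warns about.
        "rfc1918_leaks_upstream": ipaddress.IPv4Address(reply_dst).is_private and not returns,
    }


if __name__ == "__main__":
    fw = parse_netstat(FIREWALL_NETSTAT)
    print("firewall forwards a ping to", PUBLIC_ROUTER, "out", lookup(fw, PUBLIC_ROUTER)[2])
    print("default routes on the firewall:", count_default_routes(fw))
    for name, table in (("router without summary", ROUTER_MISSING_SUMMARY),
                        ("router with summary", ROUTER_WITH_SUMMARY)):
        for nat in (True, False):
            print(name, "/", "hide NAT" if nat else "no NAT", reply_path(table, "172.16.2.10", nat))
```

Run as-is it shows the outbound half working on the firewall (next hop on eth0, directly connected) and the return half failing only in the no-NAT case against the router lacking the summary route, which is exactly the combination Robert asks about; the same lookup can be pointed at the real router's table once it is known.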

>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/8/00 6:15:35 PM >>>
>
>I'm having a nightmare of a time getting up and running with Firewall 1 on
>Linux 6.1. I have a triple homed Linux box that I want to use as a gateway
>for our Internal Net as well as the DMZ net. I am including the output of
>the `ifconfig -a` and `netstat -nr` commands. I have an All_Permit policy
>installed and pretty much everything is enabled in the Policy/Properties
>window. I can ping hosts in all the three nets from the firewall but cannot
>ping through the firewall. For example I can ping our router to the internet
>- 204.5.211.254 from the firewall but not from any host in the internal
>invalid nets 172.16.2.0 or 172.16.1.0.
>I figured it was an ip_forwarding issue so I configured Firewall-1 to never
>handle ip_forwarding and enabled ip_forwarding at the os level (set
>/proc/sys/net/ipv4/ip_forward to 1). No luck again.
>I've also considered the fact that the packet may be reaching 204.5.211.254
>but the replies are not reaching the internal hosts. But then 204.5.211.254
>and 204.5.211.253 (external interface on the firewall that the internal nets
>are hiding behind) are on the same net 204.5.211.224 and can see each other
>fine.
>
>Does anyone have any suggestions? I'll greatly appreciate the help.
>
>***Netstat output***
>
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>204.5.211.253   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
>172.16.2.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth2
>172.16.1.1      0.0.0.0         255.255.255.255 UH        0 0          0 eth1
>204.5.211.224   0.0.0.0         255.255.255.224 U         0 0          0 eth0
>172.16.2.0      0.0.0.0         255.255.255.0   U         0 0          0 eth2
>172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
>127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
>0.0.0.0         204.5.211.254   0.0.0.0         UG        0 0          0 eth0
>0.0.0.0         204.5.211.254   0.0.0.0         UG        0 0          0 eth0
>
>****ifconfig output***
>
>eth0      Link encap:Ethernet  HWaddr 00:60:97:17:76:20  
>          inet addr:204.5.211.253  Bcast:204.5.211.255  Mask:255.255.255.224
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:1359 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:1074 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:40 txqueuelen:100 
>          Interrupt:11 Base address:0xfcc0 
>
>eth1      Link encap:Ethernet  HWaddr 00:50:DA:6B:EB:07  
>          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:100 
>          Interrupt:3 Base address:0xfc00 
>
>eth2      Link encap:Ethernet  HWaddr 00:10:5A:0D:19:2C  
>          inet addr:172.16.2.1  Bcast:172.16.2.255  Mask:255.255.255.0
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:137 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:100 
>          Interrupt:10 Base address:0xf880 
>
>lo        Link encap:Local Loopback  
>          inet addr:127.0.0.1  Mask:255.0.0.0
>          UP LOOPBACK RUNNING  MTU:3924  Metric:1
>          RX packets:72 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0 

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================