Charles,

    We are definitely making progress, but a few kinks remain.

Subject: Re: [Leaf-user] Routing in Proxy ARP DMZ

RE: Ping failures
>You've got me on this one...I don't know why pings are not working.  There
are no denies of ICMP packets in your firewall rules listed above.  Is the
machine you're trying to ping set up to send back reply packets?  Is it
possible you've got ICMP messages blocked on the server you're trying to
ping?  I don't see anything in your LRP setup that would keep pings from
working...

    Yeah, I've gotcha alright ;)  You have proven your troubleshooting 
    methodology is sound.  I had Norton Internet Security running on that 
    box --- and after a recent re-install, it apparently dumped my allow 
    ICMP settings. It was responsible for blocking the ping replies.  Beat
    me with the duh stick --- sorry for the extra trouble...

>>     I have added temporary entries to my network.conf to place .172 fully
outside.
>>     Everything seems to be working fine at the moment.

>I think I know why the game-server is breaking inside the firewall.  Matthew
masquerades outbound UDP packets by default, which is somewhat more secure
than allowing direct UDP connections between the DMZ and the outside world,
but tends to break any inbound UDP services (note there are exceptions to
the UDP masquerading for BIND, typically the only public UDP based service
run on a DMZ). 

    I think you are on it here --- this is consistent with the random port
    above 64000 that my testers were seeing. However, see below:

>To fix this for your game server, you'll need to edit
/etc/ipfilter.conf as follows:

>Find the following code section in /etc/ipfilter.conf (very near the end,
near the comment # Connect DMZ to internet):

 $IPCH -A forward -j ACCEPT -p icmp -s 0/0 -d $DMZ_NET -i $DMZ_IF
 $IPCH -A forward -j ACCEPT -p tcp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
 $IPCH -A forward -j ACCEPT -p icmp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
 $IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET domain \
  -d 0/0 -i $EXTERN_IF
 $IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

Change the last line from:
 $IPCH -A forward -j MASQ -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF

to:
 $IPCH -A forward -j ACCEPT -p udp -s $DMZ_NET -d 0/0 -i $EXTERN_IF
    
    ^ Did this --- and re-read it for typos, etc.

>This will provide normal (un-masqueraded) UDP connections between the DMZ
and the outside internet.  As long as you only allow specific UDP ports
inbound using the DMZ_OPEN_DEST variable, you should be secure (other than
any potential security bugs in the services you're specifically allowing).

    This didn't seem to work.  While the line above was in place, tcp and icmp
    worked fine (ping and http in and out).  But, UDP services stopped working 
    altogether (time, game server).  The game server looks for its auth
    server at startup, and barfs when it doesn't find it.  When I changed it
    back to the original setting, the game servers started without a hiccup,
    but are back to the original problem of broken inbound UDP for the
    remote console function.

    I believe my DMZ_OPEN_DEST settings are working --- I commented them
    out to verify they work individually.

    I also tried the tips in Rick O's MiniHOWTo on ensuring the ARP entries on
    all devices are up to date --- including just letting it all "sit" for
    an hour.

    What do you recommend I re-check?

    Thanks again,

    Dan
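An added illustration, not code from the thread, from LEAF or from Matthew's ipfilter.conf: a toy Python model of the UDP part of the forward chain quoted above, with MASQ or ACCEPT as the DMZ-to-internet target and a DMZ_OPEN_DEST-style set of inbound ports. It assumes ipchains semantics as I understand them: filtering is stateless, so a UDP packet coming back into the DMZ has to match a rule of its own, and only the MASQ target keeps a table that lets replies to masqueraded packets back through. The addresses, the game and auth ports, and the 61000 masquerade port base are made-up values, not taken from the thread.

```python
"""Toy model of the UDP forward rules quoted above (added example, not LEAF code).

Assumed semantics: ipchains is stateless, so a reply heading into the DMZ must
match some rule itself; only MASQ keeps a table that re-admits replies to
masqueraded packets.  All addresses and ports below are constructed.
"""
from dataclasses import dataclass

DMZ_PREFIX = "10.0.2."       # stands in for $DMZ_NET (assumed)
FW_EXT = "203.0.113.1"       # firewall's external address (assumed)
GAME_SRV = "10.0.2.172"      # the DMZ game server
GAME_PORT = 27960            # its UDP service / remote-console port (assumed)
AUTH_SRV = "198.51.100.5"    # external auth server the game queries (assumed)
AUTH_PORT = 7000             # (assumed)
CONSOLE = "198.51.100.77"    # remote admin console on the internet (assumed)
MASQ_PORT_BASE = 61000       # first masqueraded source port (assumed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def in_dmz(ip: str) -> bool:
    return ip.startswith(DMZ_PREFIX)


class Firewall:
    """UDP forward chain: DMZ -> internet is MASQ or ACCEPT (domain excepted),
    internet -> DMZ only for ports listed DMZ_OPEN_DEST-style."""

    def __init__(self, udp_out: str, open_dest=()):
        assert udp_out in ("MASQ", "ACCEPT")
        self.udp_out = udp_out
        self.open_dest = set(open_dest)
        self.masq = {}                 # fw port -> (dmz ip, dmz port, remote ip)
        self.next_port = MASQ_PORT_BASE

    def dmz_to_internet(self, p: Pkt):
        """Packet as the internet host sees it (None would mean denied)."""
        if p.dport == 53 or self.udp_out == "ACCEPT":
            return p                   # the 'domain' exception, or the edited rule
        port, self.next_port = self.next_port, self.next_port + 1
        self.masq[port] = (p.src, p.sport, p.dst)
        return Pkt(FW_EXT, port, p.dst, p.dport)

    def internet_to_dmz(self, p: Pkt):
        """Packet as the DMZ host sees it, or None if denied."""
        if p.dst == FW_EXT and p.dport in self.masq:
            ip, sport, remote = self.masq[p.dport]
            if p.src == remote:        # demasquerade a reply to a tracked flow
                return Pkt(p.src, p.sport, ip, sport)
            return None
        if in_dmz(p.dst) and p.dport in self.open_dest:
            return p                   # explicitly opened inbound service
        return None                    # stateless default: nothing else gets in


def auth_lookup(fw: Firewall) -> bool:
    """Game server queries the auth server at startup; does the answer arrive?"""
    q = fw.dmz_to_internet(Pkt(GAME_SRV, 5000, AUTH_SRV, AUTH_PORT))
    if q is None:
        return False
    reply = fw.internet_to_dmz(Pkt(AUTH_SRV, AUTH_PORT, q.src, q.sport))
    return reply is not None and reply.dst == GAME_SRV and reply.dport == 5000


def console_reply_source(fw: Firewall):
    """Remote console sends to the game port; where does the reply appear to come from?"""
    req = fw.internet_to_dmz(Pkt(CONSOLE, 40000, GAME_SRV, GAME_PORT))
    if req is None:
        return None
    reply = fw.dmz_to_internet(Pkt(GAME_SRV, GAME_PORT, CONSOLE, 40000))
    return (reply.src, reply.sport) if reply else None


if __name__ == "__main__":
    for target in ("MASQ", "ACCEPT"):
        fw = Firewall(target, open_dest={GAME_PORT})
        print(target, "auth lookup works:", auth_lookup(fw),
              "| console sees reply from:", console_reply_source(fw))
```

In this model the MASQ rule lets the startup auth query get its answer, but the console's reply comes back from the firewall's address and a port above 61000 rather than from the game server, while the ACCEPT rule gives the console a clean reply and drops the auth server's answer, because nothing in the chain matches a UDP packet addressed to an ephemeral port on a DMZ host. Whether the real box behaves exactly like this is something to verify with ipchains -L -n -v counters on the forward chain.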




_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user