From an internal machine I can ping the internal and external interface on the firewall, but nothing beyond that.

I noticed that my syslog is filling up with tons of these:

Nov 18 12:14:33 mail kernel: Packet log: output DENY eth0 PROTO=1 10.10.5.2:8 216.231.41.22:0 L=60 S=0x00 I=35342 F=0x0000 T=127 (#6)

You can check out a shortened copy of my network.conf here: http://www.troutpocket.org/dachstein.txt

I'm not using DHCP or DHCLIENT. I am using a private IP on the external interface because I'm setting it up behind another router just for testing purposes. Let me know what other info would be helpful.

-Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Schalit
Sent: Sunday, November 18, 2001 10:29 AM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] DachsteinCD, need help getting started

Scott Ecker wrote:
>
> I have been having loads of trouble getting up and running consistently with
> the dachstein CD. I have been practicing making configurations on one
> machine in order to hone my knowledge of setting up different types of
> firewalls. However, sometimes I just can't get ip masquerading to work in
> the simplest configuration. I must be missing some tiny switch sometimes
> when I set up the box. Basically I want to allow all machines behind the
> firewall to be able to browse, email, ssh, etc. My hosts.allow is wide open
> "ALL: 192.168.212.0/255.255.255.0", and my hosts.deny has only "ALL:
> PARANOID" and "ALL:ALL".

hosts.allow and hosts.deny are only used to filter traffic destined for a service on the LEAF box. Basically none of your internal LAN traffic is destined for the LEAF box; rather it goes to the internet (except maybe ssh). So your hosts.allow and hosts.deny are not stopping traffic from being masq'd, making it out to the net, or making it back in through the firewall.

> I can ping internally and externally from the
> firewall, just can't masq anything.

Can you ping from an internal computer to the two LEAF cards? To the LEAF's default gateway?

You'd help us debug your problems by posting the details described in the LEAF "How do I request help" document:
http://sourceforge.net/docman/display_doc.php?docid=1891&group_id=13751

> Also, I've noticed that the weblet page showing installed modules shows
> ip_masq_portfw and ip_masq_autofw and unused.

These have no effect whatsoever on your ability to:

Have a valid IP address on the proper network on your internal lan computer
Have a valid netmask on your internal lan computer
Have a valid dns on your internal lan computer
Have a valid default gateway on your internal lan computer
Have all the same on the LEAF, twice.
Have all computers on the same network.
Fill out the network.conf right (that's not easy, you're not being scolded).

I think Charles usually has *very* good documentation, especially for the recent releases.

> Are these modules necessary
> only if I forward ports to a private ip, or are they necessary for
> masquerading? Or does (unused) mean something else?

They are used when you have *incoming* traffic from the internet into your LAN to a service like a web server you run. They forward a single port (like web port 80) on the LEAF into your LAN computer's port 80, in the case of portfw. In the case of autofw, that forwards a range of ports like 65300-65500 from the LEAF to the LAN computer's same port range (like what you do when you run an ftp server).

[snip]

Usually, almost all of Dachstein is set up in the network.conf. If you didn't distill that into the variables and post it, then there was no significant chance of helping you correctly.

Good Luck,
Matthew

> -Scott

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
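The "Packet log:" line Scott posted is an ipchains (Linux 2.2) log entry from a rule with the -l flag: chain, target, interface, protocol number, source and destination, IP length/TOS/ID/fragment/TTL, and the matching rule number. For PROTO=1 (ICMP) the two port columns carry the ICMP type and code, so "10.10.5.2:8 216.231.41.22:0" is an echo request, not a packet to port 8. The parser below is an added example, not code from this thread or from LEAF/Dachstein. It decodes those fields, tallies repeating hits, and flags output-chain denials on the external interface whose source address is not the firewall's external address: in ipchains the MASQ target in the forward chain rewrites the source before the output chain runs, so such a packet was routed out but never masqueraded. Only the first sample log line comes from the page; the other lines, the interface name and the external address 192.168.100.2 are constructed assumptions for the demo.

```python
"""Decode ipchains "Packet log:" lines (Linux 2.2 era, as used by LEAF/Dachstein)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Field layout of a 2.2 kernel ipchains log line (rules given the -l flag):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<ip len> S=<tos> I=<ip id> F=<frag> T=<ttl> (#<rule number>)
# For PROTO=1 (ICMP) the two "port" columns carry the ICMP type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreach", 8: "echo-request", 11: "time-exceeded"}

# Constructed sample syslog excerpt. The first line is the one quoted in the thread;
# the remaining lines (and the address 192.168.100.2) are made up for this example.
SAMPLE_LOG = """\
Nov 18 12:14:33 mail kernel: Packet log: output DENY eth0 PROTO=1 10.10.5.2:8 216.231.41.22:0 L=60 S=0x00 I=35342 F=0x0000 T=127 (#6)
Nov 18 12:14:34 mail kernel: Packet log: output DENY eth0 PROTO=1 10.10.5.2:8 216.231.41.22:0 L=60 S=0x00 I=35343 F=0x0000 T=127 (#6)
Nov 18 12:14:40 mail kernel: Packet log: output DENY eth0 PROTO=17 10.10.5.7:1027 216.231.41.2:53 L=63 S=0x00 I=900 F=0x0000 T=127 (#6)
Nov 18 12:15:01 mail kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 192.168.100.2:23 L=60 S=0x00 I=1 F=0x4000 T=52 (#2)
Nov 18 12:15:09 mail sshd[221]: Accepted password for scott from 10.10.5.2
"""


@dataclass
class PacketLog:
    chain: str      # input / forward / output (or a user-defined chain)
    target: str     # DENY, REJECT, ACCEPT, ...
    iface: str
    proto: int
    src: str
    sport: int      # ICMP type when proto == 1
    dst: str
    dport: int      # ICMP code when proto == 1
    length: int
    ttl: int
    rule: int       # rule number within the chain that matched

    def describe(self) -> str:
        """One-line summary; decodes ICMP type/code instead of showing them as ports."""
        proto = PROTO_NAMES.get(self.proto, f"proto{self.proto}")
        if self.proto == 1:
            kind = ICMP_TYPES.get(self.sport, f"type{self.sport}")
            flow = f"icmp {kind} code {self.dport} {self.src} -> {self.dst}"
        else:
            flow = f"{proto} {self.src}:{self.sport} -> {self.dst}:{self.dport}"
        return f"{self.chain} {self.target} on {self.iface} rule #{self.rule}: {flow} (ttl {self.ttl})"


def parse_line(line: str) -> Optional[PacketLog]:
    """Return a PacketLog for an ipchains log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PacketLog(
        chain=g["chain"], target=g["target"], iface=g["iface"], proto=int(g["proto"]),
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        length=int(g["length"]), ttl=int(g["ttl"]), rule=int(g["rule"]),
    )


def parse_log(text: str) -> List[PacketLog]:
    """Parse a whole syslog excerpt, skipping lines that are not ipchains packet logs."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def unmasqueraded(entries: List[PacketLog], external_iface: str, external_ip: str) -> List[PacketLog]:
    """Output-chain hits on the external interface whose source is not the firewall's
    external address. MASQ (forward chain) rewrites the source before the output chain
    sees the packet, so these packets were routed out without being masqueraded."""
    return [e for e in entries
            if e.chain == "output" and e.iface == external_iface and e.src != external_ip]


def summarize(entries: List[PacketLog]) -> Counter:
    """Count hits per (chain, target, iface, proto, src, dst) to spot repeating patterns."""
    return Counter((e.chain, e.target, e.iface, PROTO_NAMES.get(e.proto, str(e.proto)), e.src, e.dst)
                   for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.describe())
    # "eth0" as external interface and 192.168.100.2 as its address are assumptions.
    for e in unmasqueraded(entries, "eth0", "192.168.100.2"):
        print("not masqueraded:", e.src, "->", e.dst, "rule #%d" % e.rule)
    for key, n in summarize(entries).most_common():
        print(n, key)
```

Run it against a real /var/log/messages by passing the file contents to parse_log; a steady stream of output DENY hits with internal source addresses on the external interface points at the masquerade rule (the MASQ target in the forward chain) not matching, which is a network.conf problem rather than a hosts.allow/hosts.deny one.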