Also, to state right up front: I haven't changed the dachstein rules at all. In fact I have not been able to find the full
text of the ruleset anywhere yet. lrcfg, under Network > IP Filter/Firewall Rules presents a huge script that seems to automagically generate the ACLs. I haven't messed with it. I seem to remember an email on the list about
an ipchains input file somewhere, but I have not messed with that either.
Thanks for all this trouble; if I thought that it was normal that the internal iface would disallow pings,
I guess I could go on my way trying to get pppoe working over the external iface.
But I am happier understanding how the firewall policies work, if y'all can stand the frustration !!
Ray Olszewski wrote:
Very sorry, Ray... I thought I had mentioned it, but the thread of these emails is getting real long...Comments inline. I added the LEAF list back in.
At 03:49 PM 12/12/01 -0500, Dr. Richard W. Tibbs wrote:
...1. Is the SuSE host running any firewalling of its own? On it, does
"ipchains -L -n" report anything interesting?Keep in mind that without modification the Suse box has successfully
pinged another doorstop box with TomsRootBoot running just to check it
out. Worked through same cables, same hub. That additional doorstop
is now turned off and disconnected from hub; new dachstein box plugged
in and running.
<sigh> I sure wish you had mentioned this earlier. I couldn't keep this "in
mind" before now because you hadn't mentioned it in your earlier trouble
reports (or did you and I missed it?). This information changes my focus a
lot in thinking about the problem ... it makes a lot of my prior questions
irrelevant.</sigh>
Still, the ACLs on the Suse box allow a ping, so it is still usefull to look at them (for me, the unwashed, anyway ;-)
Hope this isn't getting to aggravating.
Awfully sure they are connected right physically. I checked the Hw addrs on the cards before I put them in the Aptiva (= Dachstein doorstop) and noted the positions. A "ip link show" command verifies the hw addrs and associated dev ifaces.
OK. Now, a very basic question ... are you sure you have eth0 and eth1 on
the DachStein router associated with the right NICs? That is, might you have
eth0 (the external, as yet unconfigured interface) connected to the hub
instead of eth1 (the internal interface assigned to 192.168.1.2)?
I also switched nics with the cable on the dachstein box just to make sure. no change in the outcome.
This is w.r.t the hub -- in the earlier network with the "other doorstop" I had a ping running between Suse and
Since you say below (not sure if this is with respect to the NICs, the hub,
or both, but for this purpose it doesn't matter) --They have traffic as well, but I have observed no "flickering" --
indication of traffic activity
Tomsrtbt and the little green lites flicker to indicate traffic. They stay solid green to indicate a good link.
-- this sort of misconiguration is the first thing that comes to mind.
The second possibility is that some more general rule, or one of the default
DENY policies, on the DachStein router (one where proto=ALL) is blocking the
pings. This is improbable, if you stayed close to the default ruleset ...
but your reporting of the "icmp-relevant lines" doesn't cover all the bases.
As you summarize the input chain on the DachStein router, it DENYs
everything (the default policy is DENY, and the only lines you list or
summarize below are DENYs and REJECTs). Actually, so do the forward and
output chains, as you summarize them. But then your reply to question 2
lists a couple of ACCEPT lines (uninterpretable in isolation; we call them
"rulesets" because they only have meaning when viewed as a set).
So ... I don't know if your edited report in question 1 left out some ACCEPT
lines or if the router really is as misconfigured as your summary suggests.
But your logs (probably /var/log/messages) should indicate if the router is
DENYing a lot of traffic, it should be logging those DENYs.
If it is a DachStein-specific misconfiguration, someone who is currently
running DachStein can suggest the likely locations for the error. A response
that is not specific to DachStein still requires an accorate listing of the
full rulesets.Suse box ipchains output has
Chain input (policy ACCEPT)
target prot opt source dest ports
DENY udp ----l- 0.0.0.0/0 0.0.0.0/0 *-> 0:1023
(a couple of other udp and tcp flavors)
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 8-> *
Chain forward (policy ACCEPT)
target prot opt source dest ports
MASQ all ------ 0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy ACCEPT) :
<no entries>
The ipchains -L -n output on the Dachstein box is voluminous but the
icmp-relevant lines are
Chain input (policy DENY)
target prot opt source dest ports
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5-> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 13-> *
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 14-> *
< bunch of DENY all >
DENY all ----l- 192.168.1.0/24 0.0.0.0/0 n/a
DENY all ----l- 192.168.1.254.254 0.0.0.0/0 n/a
REJECT all ----l- 0.0.0.0/0 192.168.1.0/24 n/a
Chain forward (policy DENY)
target prot opt source dest ports
DENY icmp ----l- 0.0.0.0/0 0.0.0.0/0 5-> *
<scads of other DENYs>
Chain output (policy DENY)
target prot opt source dest ports
fairq all ------ 0.0.0.0/0 0.0.0.0/0 n/a
DENY all ----l- 0.0.0.0 0.0.0.0/0 n/a
<lost of DENYs but no icmp>
Chain fairq
<bunch of RETURNs>
So, is possible I need to only deny port 8-> *
to be able to ping ?
But I am not an ipchains maven (yet).2. Do the logs on the DachStein router report any DENY'd or REJECT'd icmp
packets? Does "ipchains -L -n -v" report any rules that would seem to be
blocking the icmp traffic?With -v added, I see pkts and bytes are all 0's except the rules
Chain input
<yadda>
pkts bytes target proto options tosa tosx
ifname mark outsize source
85 9184 ACCEPT all ------- 0xFF 0x00 *
0x1 0.0.0.0/0
Chain output
<yadda>
pkts bytes target proto options tosa tosx
ifname mark outsize source
158 15316 ACCEPT all ------- 0xFF 0x00 *
0x1 0.0.0.0/03. After you attempt and fail to ping the SuSE device, does the DachStein
router's arp table show an entry for the SuSE device? ("more
/proc/net/arp")? Does the SuSE host have an arp entry for the DachSteinrouter?this shows no entries.
I had enabled arp on eth1, by the way via "ip link eth1 arp on".4. This is a real long shot, but ... what is in
/proc/sys/net/ipv4/icmp_echo_ignore_all on the SuSE host? It's probably 0
[=FALSE], as it should be. If it is a 1 [=TRUE], change it to 0 (" echo 0 >
/proc/sys/net/ipv4/icmp_echo_ignore_all", I think) and see if that changes
your results.icmp_echo_ignore_all
contains a
0
on both machines5. Could the hub itself be bad? Do you have a crossover cable (or another
hub) you can use to connect the two hosts directly?The hub worked fine before (between Suse box and earlier doorstop)6. You mentioned "appropriate green led's" lighting up. Do the NICs and hub
ports have only "connect" LEDs, or do they have "traffic" LEDs as well? If
they have both, do they all behave as expected?They have traffic as well, but I have observed no "flickering" --
indication of traffic activity7. Finally ... have you tried any connections other than pings? I don't know
what services the SuSE host is running, so I cannot be more specific here.
8. And plu-finally ... have you tried and failed in the other direction too?
Can the SuSE host ping, or or connect towhatever else is running in the way
of services on, the DachStein router?Yes I tried ping in both directions.....[html deleted]
--
------------------------------------"Never tell me the odds!"---
Ray Olszewski -- Han Solo
Palo Alto, CA [EMAIL PROTECTED]
----------------------------------------------------------------
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Chain input (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source
destination ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0
0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8
0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.168.254.254 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0
127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0
192.168.1.0/24 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 113
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 1024:65535
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 53
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 68
0 0 DENY udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 67
0 0 ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 1024:65535
0 0 ACCEPT icmp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 n/a
85 9184 ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source
destination ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 5 -> *
0 0 MASQ all ------ 0xFF 0x00 eth0
192.168.1.0/24 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 n/a
Chain output (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source
destination ports
158 15316 fairq all ------ 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0
0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8
0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth0
192.168.1.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0 0.0.0.0/0
0.0.0.0/0 135 -> *
158 15316 ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0
0.0.0.0/0 n/a
Chain fairq (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize source
destination ports
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 520
0 0 RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 520 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 179
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 179 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 * -> 23
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 23 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 * -> 22
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 22 -> *
