Ray,

Sorry for the paraphrase. I do not have access to the machine today.
Yes, that is the exact message. That sounds like it could very well be the problem. I will test it tomorrow and let you know the results.
Thank you very much. I did not even think about the private address being handled differently than a valid one.

Jason Massey


Ray Olszewski <[EMAIL PROTECTED]>
12/19/2001 02:22 PM

To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Help! Can not ping past outside interface.  Dachstein v.1.0.2



At 02:24 PM 12/19/01 -0500, [EMAIL PROTECTED] wrote:
[...]
>I need a static Outside IP because it is actually the inside address of my
>DMZ.
>So set it with 192.168.16.2/24
[...]
>I CAN NOT ping past the external card either from the Dachstein box or the
>internal network.
>I CAN NOT telnet on any port past the external card either from the
>Dachstein box or the internal network, so it is not just ICMP.
>The error is NOT a network unreachable error, and I think the IP is
>configured right.
>The response from the failed ping says not permitted.

If the actual message is "sendto: operation not permitted" (quoting error
messages EXACTLY is always better than paraphrasing them), then this is most
likely a firewall problem. Especially since your external address is in the
private-address range, and stock LEAF firewalls block private-range
addresses on the external interface.

Check your firewall ruleset with "ipchains -L -n -v", and see if there is an
input-chain rule that ALLOWs 192.168.16.0/24 BEFORE the one that DENYs (or
REJECTs) 192.168.0.0/16 on the external interface. If there is, then you
have a different problem. If there isn't, then you need to add one ... I'm
not exactly sure what the best way is to do this. (One option is to use the
EchoWall firewall scripts, which handle the external interface differently.)


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                                       [EMAIL PROTECTED]        
----------------------------------------------------------------
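
The rule-order check described in the message above, as an added example that is not part of the original thread: it parses an input chain and reports which rule a packet hits first. The listing is constructed, its column layout is an assumption about what "ipchains -L -n -v" prints, and eth0 as the external interface and 192.168.16.1 as a DMZ host are assumed names.

```python
import ipaddress

# Constructed listing in the column layout assumed for "ipchains -L -n -v"
# (mark/outsize columns empty); eth0 is assumed to be the external interface.
SAMPLE_LISTING = """\
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source          destination ports
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                10.0.0.0/8      0.0.0.0/0   n/a
    0     0 DENY   all  ----l- 0xFF 0x00 eth0                192.168.0.0/16  0.0.0.0/0   n/a
    0     0 ACCEPT all  ------ 0xFF 0x00 eth0                192.168.16.0/24 0.0.0.0/0   n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
"""


def parse_chain(listing, chain="input"):
    """Return [(target, ifname, source_network), ...] for one chain, in rule order."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Chain":
            in_chain = fields[1] == chain
        elif in_chain and fields[0] != "pkts":   # skip the column-header line
            # First dotted field after ifname is the source (mark/outsize have no dots).
            source = next(f for f in fields[8:] if "." in f)
            rules.append((fields[2], fields[7], ipaddress.ip_network(source, strict=False)))
    return rules


def first_match(rules, src, ifname):
    """Walk the chain top-down; the first rule matching interface and source decides."""
    addr = ipaddress.ip_address(src)
    for number, (target, rule_if, net) in enumerate(rules, 1):
        # "*" (any interface) and a trailing "+" (name prefix) are assumed wildcard forms.
        if_ok = rule_if in ("*", ifname) or (
            rule_if.endswith("+") and ifname.startswith(rule_if[:-1]))
        if if_ok and addr in net:
            return number, target
    return None, "chain policy"


def with_accept_first(rules, accept_net):
    """Same rules, with the ACCEPT for accept_net moved to the top of the chain."""
    net = ipaddress.ip_network(accept_net)
    return sorted(rules, key=lambda r: not (r[0] == "ACCEPT" and r[2] == net))


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_LISTING)
    print(first_match(rules, "192.168.16.1", "eth0"))   # 192.168.16.1: constructed DMZ host
    print(first_match(with_accept_first(rules, "192.168.16.0/24"), "192.168.16.1", "eth0"))
```

In the constructed listing the ACCEPT for 192.168.16.0/24 sits below the DENY for 192.168.0.0/16, so it is never reached; moving it above the DENY changes the first match.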


