The usefulness of this test, as described, is a bit overstated. See below
for details.

At 09:15 AM 1/6/02 -0800, Peter Jay Salzman wrote:
[...]
>2. the electric cool-aid acid test: go onto your firewall.  do:
>
>  a. ipchains -F
>  b. ipmasqadm portfw -f
>
>  ok, now you have a tabula rasa.

Not quite true. Depending on which firewall you use, the various chains may
have default DENY policies. Clearing the specific rulesets doesn't also set
the defaults to ACCEPT. (I once cut myself off from a colo'd set of servers
this way. Very bad!)

In addition, it is not clear to me if this LAN uses NAT or not. The original
poster says he is using a public IP address for his LAN 

> > > My settings are as follows - eth0 - 196.33.41.70/28 (external ip) -
> > > eth1 - 192.6.31.252/24 (internal ip)

but this is not a resolvable address (I can't ping it or look it up using
"host"), so I wonder if he is really NAT'ing and just using an incorrect LAN
range. If so, that raises a second problem with the suggestion.

The proposed change in (a) turns off NAT'ing of outgoing connections
(because it clears the forward chain without also adding a rule to MASQ the
LAN). Some of the port-forwarded services being tested below may now fail
because (for example) they cannot do reverse-lookups on connection attempts,
because they cannot connect to off-LAN DNS servers.

>  c. add a default gateway (route add default gw blah)

Why? If there is a problem with the routing table, it may be bigger than the
lack of a default gateway. If the accuracy of the routing table is in
question, he should check the whole thing -- use "netstat -nr", or the
equivalent "ip" command, to verify that there are routes to the LAN, the
external network, and a default gateway.

And I believe DachStein doesn't provide the "route" command; he needs to use
the appropriate variants of the "ip" command.

>  d. use ipmasqadm to forward your ports
>
>if you can't pass this test (and are confident in your knowledge of
>ipchains, ipmasqadm, route and ifconfig) then something is *seriously*
>wrong.

Final thought: if he is NOT using NAT, then this entire discussion is going
down the wrong road. Given the use of a public address range internally, the
original poster should clarify this bit.


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------
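The two checks Ray raises above (a chain's default DENY policy surviving "ipchains -F", and verifying that routes to the LAN, the external network and a default gateway all exist) as an added shell example; this is not code from the thread or from LEAF/DachStein. It parses constructed sample output of "ipchains -L -n" and "netstat -nr" built from the poster's addresses, so it runs without an ipchains-era kernel; the 196.33.41.64 network is derived from the poster's /28 and no gateway is assumed.

```sh
#!/bin/sh
# Constructed sample of "ipchains -L -n" after a flush: rules are gone,
# but two chains still carry a DENY policy.
SAMPLE_CHAINS='Chain input (policy DENY):
target     prot opt     source                destination           ports
Chain forward (policy DENY):
Chain output (policy ACCEPT):'

# Constructed sample of "netstat -nr": LAN and external routes present,
# default route (0.0.0.0) deliberately missing.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
196.33.41.64    0.0.0.0         255.255.255.240 U         0 0          0 eth0
192.6.31.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1'

# Print "<chain> <policy>" for every chain whose default policy is not
# ACCEPT. "ipchains -F" only removes rules; these policies keep blocking.
non_accept_policies() {
    printf '%s\n' "$1" | awk '
        /^Chain / {
            pol = $4; sub(/\):$/, "", pol)
            if (pol != "ACCEPT") print $2, pol
        }'
}

# Print each required destination network that has no route in the table.
# Args: routing table text, then destinations (0.0.0.0 = default route).
missing_routes() {
    table=$1; shift
    for dest in "$@"; do
        printf '%s\n' "$table" |
            awk -v d="$dest" '$1 == d { found = 1 } END { exit !found }' ||
            echo "$dest"
    done
}

# On a live box, replace the samples with "$(ipchains -L -n)" and
# "$(netstat -nr)"; anything printed here is a reason the "tabula rasa"
# test cannot be trusted yet.
non_accept_policies "$SAMPLE_CHAINS"
missing_routes "$SAMPLE_ROUTES" 192.6.31.0 196.33.41.64 0.0.0.0
```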


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
