> If you want to take the time to help me out that would be great, but if not
> that's cool.
> thanks for any help,
> -Alex Fore
>
>
> We have two internal DNS servers one internal smtp server, many internal
> webservers.
<ipchains commands snipped>

Assumptions:
eth0 = internal network = good
eth1 = DMZ = dmz
eth2 = internet = bad

Well, assuming:
- The above interface list is correct
- The shell variables are set correctly
- Your interfaces and routes are configured correctly on the firewall and all server systems
- and a bunch of other stuff... (hint...it's important to provide as much detail as possible when asking for remote help with tricky problems)

I don't notice anything immediately obvious that would be blocking outbound e-mail and/or dns, so I'll just provide a few general ipchains tricks I've found useful in debugging firewall problems...

IPChains debugging hints:

"ipchains -L -v -n --line-numbers" is your friend. Pay special attention to the packet counts next to the rules...especially when debugging those "why doesn't this protocol work" sort of problems. NOTE: Flushing all packet counts and running a test (like trying to send an e-mail) can make this technique much more powerful, since you can more easily see which rules are matching the packets of interest.

Use logging! Adding an "ipchains -I <rule> -l" switch to log all traffic hitting a rule can be very helpful. While this will fill up your logs quickly under real loads, it can be invaluable to see packets hitting each rule, and watching the packet counts increase. You can also verify things like a particular packet hit the forward chain, but never made it to the output chain...

Use deny logging...a slight twist on the above, if all your deny rules log the packets, you'll see in the logs if your traffic isn't making it out of the box. Combine the rule name and rule number in the log with the --line-numbers and -v switches to ipchains, and you can generally deduce where things went wrong by crawling through the ipchains verbose output.

Good luck!
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
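
The packet-count technique from the message above, as an added example that is not part of the original post: a Python script that compares two saved "ipchains -L -v -n --line-numbers" listings (one taken after zeroing the counters, one after the test) and reports which numbered rules gained packets. The listing text is constructed, and the column order (rule number, packets, bytes, target) and unabbreviated counters are assumptions about the output format.

```python
import re

CHAIN = re.compile(r"^Chain (\S+)")
# Assumed column order with --line-numbers: num, pkts, bytes, target.
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def parse_listing(text):
    """Map (chain, rule number) -> (target, packet count)."""
    rules, chain = {}, None
    for line in text.splitlines():
        m = CHAIN.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE.match(line)  # column-header rows do not start with a digit
        if m and chain:
            num, pkts, _bytes, target = m.groups()
            rules[(chain, int(num))] = (target, int(pkts))
    return rules

def matched_rules(before, after):
    """Rules whose packet count rose, as (chain, num, target, delta) tuples."""
    old, new = parse_listing(before), parse_listing(after)
    hits = []
    for key, (target, pkts) in sorted(new.items()):
        old_target, old_pkts = old.get(key, (target, 0))
        if old_target != target:
            # A rule inserted mid-test shifts the numbering; deltas would lie.
            raise ValueError("rule %s %d changed between listings" % key)
        if pkts > old_pkts:
            hits.append(key + (target, pkts - old_pkts))
    return hits

# Constructed listing: eth0 = internal, eth2 = internet, as in the message.
SAMPLE = """\
Chain input (policy DENY):
num pkts bytes target prot ifname source         destination ports
1   %d   0     ACCEPT tcp  eth0   192.168.1.0/24 0.0.0.0/0   * -> 25
Chain forward (policy DENY):
num pkts bytes target prot ifname source         destination ports
1   0    0     MASQ   tcp  eth2   192.168.1.0/24 0.0.0.0/0   * -> 80
2   %d   0     DENY   all  *      0.0.0.0/0      0.0.0.0/0   n/a
Chain output (policy DENY):
num pkts bytes target prot ifname source         destination ports
1   %d   0     ACCEPT all  eth2   0.0.0.0/0      0.0.0.0/0   n/a
"""
BEFORE, AFTER = SAMPLE % (0, 0, 0), SAMPLE % (3, 3, 0)

if __name__ == "__main__":
    for chain, num, target, delta in matched_rules(BEFORE, AFTER):
        print("%-8s rule %d  %-6s +%d packets" % (chain, num, target, delta))
```

In the constructed data the SMTP packets are accepted on input, land on a DENY rule in the forward chain, and never increment the output chain, which is the "hit the forward chain, but never made it to the output chain" case.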