OK, that change seems to have removed the "/sbin/ipchains: invalid port/service `10.72.104.96/28'" error.

I am getting this error now:

  IP filters: /sbin/ipchains: can only specify ports for icmp, tcp or udp
  Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.

and these denies:

  Packet log: forward DENY eth2 PROTO=6 10.72.104.98:1559 192.168.2.1:80
  Packet log: forward DENY eth2 PROTO=6 192.168.65.12:3590 192.168.2.1:80

when I type in the URL to the host in the DMZ. I am guessing I have a misconfig in the network.conf that blocks traffic into the DMZ from the eth0_IP_EXTRA_ADDRS? (which I never figured out from the start)

Thanks again,
Alec

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Friday, August 09, 2002 4:01 PM
To: Alec Miller; [EMAIL PROTECTED]
Subject: Re: [leaf-user] Dachstein-CD eth3 / DMZ error

> I managed to get the 'IP filters: /etc/init.d/network: [B/sbin/ipchains: not
> found' error gone by replacing the ipfilter.conf and networks file with new
> ones.
>
> but am still having the invalid port service error.....before I redo a new
> network.conf does this bug still exist??
>
> Re: [Leaf-user] 4 NIC LRP -Dachstein CD- only one internal IP forwards to
> internet
> http://www.mail-archive.com/leaf-user@lists.sourceforge.net/msg05123.html

Yes, I believe this bug still exists (at least it's still in the latest Dachstein release I'm running)...good job finding this on the mailing list...I'd forgotten about that bug, and my development server with the todo & bug lists is still off-line after my big office move at the end of last month :<

Anyway, if you want to continue to use a private DMZ (your other option would be Static-NAT or Proxy-ARP), you can play guinea pig and try the following...

You'll need to change the DMZ_reverse_masq procedure in /etc/ipfilter.conf...it's got the only reference to INTERN_IF in the whole file, so it's easy to find.

Find the following lines, which provide reverse-masquerading for port-forwarded DMZ connections when accessed from the internal network:

  # For internal connections
  $IPCH -A forward -j MASQ -p $1 -s $DMZ_NET $DST_PORT \
    -d $INTERN_NET -i $INTERN_IF

Change to the following to support multiple internal networks:

  # For internal connections
  for NET in $INTERN_NET; do
    $IPCH -A forward -j MASQ -p $1 -s $DMZ_NET $DST_PORT \
      -d $NET
  done; unset NET

This change should allow multiple internal networks with a private DMZ.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
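The following is an added example, not code from the thread above nor from Dachstein's own /etc/ipfilter.conf. It rebuilds the DMZ_reverse_masq rule generation in both the original and the patched form, but with IPCH defaulting to "echo /sbin/ipchains" so the rules are printed rather than loaded. Every address, interface name and port below is a constructed sample value; the port_arg_for guard is my own addition, based on the "can only specify ports for icmp, tcp or udp" message quoted in the reply.

```shell
#!/bin/sh
# Added example: dry-run reconstruction of the DMZ reverse-masquerade rules.
# Set IPCH=/sbin/ipchains to load the rules for real on an ipchains box.
IPCH="${IPCH:-echo /sbin/ipchains}"

# Constructed sample topology (not from the thread):
DMZ_NET="192.168.2.0/24"                       # private DMZ behind eth2
INTERN_IF="eth1"
INTERN_NET="192.168.65.0/24 10.72.104.96/28"   # two internal networks

# ipchains accepts a port argument only for tcp, udp and icmp; passing
# DST_PORT with any other protocol produces the "can only specify ports
# for icmp, tcp or udp" error, so drop it for everything else.
port_arg_for() {
    case $1 in
        tcp|udp|icmp) printf '%s\n' "$2" ;;
        *)            printf '\n' ;;
    esac
}

# Original single rule. With two networks in INTERN_NET the shell expands
# "-d net1 net2", and ipchains reads the second network as a port argument,
# which is where the "invalid port/service `10.72.104.96/28'" error comes from.
dmz_reverse_masq_old() {
    proto=$1
    DST_PORT=$(port_arg_for "$proto" "$2")
    $IPCH -A forward -j MASQ -p "$proto" -s $DMZ_NET $DST_PORT \
        -d $INTERN_NET -i $INTERN_IF
}

# Patched form from the thread: one MASQ rule per internal network. The
# "-i $INTERN_IF" match is dropped, so each rule matches on destination
# network only, which is what allows several internal networks.
dmz_reverse_masq_new() {
    proto=$1
    DST_PORT=$(port_arg_for "$proto" "$2")
    for NET in $INTERN_NET; do
        $IPCH -A forward -j MASQ -p "$proto" -s $DMZ_NET $DST_PORT \
            -d "$NET"
    done; unset NET
}

# Usage: show both variants for a web server published from the DMZ.
dmz_reverse_masq_old tcp "--destination-port 80"
dmz_reverse_masq_new tcp "--destination-port 80"
```

Run it as-is to see the two rule sets side by side; the old variant prints a single line with both networks after -d, the new one prints one well-formed rule per network.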