On Tue, 27 Aug 2002, Anders Akesson wrote:
> I have serious problems with my firewall/router running Bering rc3.
> I run the 2 interface configuration masqing my internal network on one
> nic to an internet connection on the other nic. Everything seems fine
> from the routers point of view, and everything seems to work from the
> internal network. (I have ran this configuration since april)
>
> Now to my "weird" problem..
>
> I run a web server in my internal network ( I know this isn�t the way to
> do it.. I should be using a DMZ, but if I cant get it to work with 2
> nic�s, then why should it work with three?..) Anyway.. I forward all www
> connections from the firewalls internet nic to the webserver using
>
> DNAT net loc:192.168.1.2 tcp www
>
> Where 192.168.1.2 is my webserver.
>
> Now when connection my firewall from any host on the internet SOMETIMES
> it puts me through to my webserver and everything seems fine. But 99% of
> the time, it seems like the router doesn�t work at all (ie doesn�t
> forward and/or doesn�t respond).
> Mostly it works a while after bootup, but then it stops working.
Have you confirmed that the packets sent by your "internet host" are
reaching your firewall? (Using, for example, the ACTION:info notation on
your rules.) Note that some ISPs filter port 80, though I haven't heard of
intermittent blocking.
> Meanwhile everything seems fine from the internal network.
Meaning, you can connect to the webserver from inside the network? Or
that you have connectivity from loc to net?
> Now I have tried configuring the router to respond to
> ping/tracert/traceroute so that I can check if it responds, but it stops
> responding whenever it likes. The router logs doesn�t record any icmp
> connections when trying to ping it from the internet..
The router stops responding to pings from outside? Yet still communicates
from fw/loc to net?
>
> My PING config:
> #
> # Accept PING connections
> #
> ACCEPT net fw icmp echo-request
> ACCEPT fw net icmp echo-request
> ACCEPT loc fw icmp echo-request
> ACCEPT fw loc icmp echo-request
> #
> # Accept Tracert response connections from firewall
> #
> ACCEPT fw loc icmp echo-reply
> ACCEPT fw net icmp echo-reply
> #
>
> I have had the same problem with Bering rc2 as in rc3. I hardly thing
> shorewall has anything to do with this since it works sometimes.
>
> I have no idea why this is happening? Can it have something to do with
> my hardware? (eg my nic?) I use 8390 and ne2k-pci (for my internet nic a
> KTI ET32 10Mbit PCI card)
Some cards have been known to exhibit behaviors like this, but I don't
think ne2k-pci cards have done it.
> Anyone got an idea about what could be wrong?
I am not getting a clear picture of where packets are known to be present,
and where they are not present. Using a network monitoring tool like
tcpdump during some of this testing could help. Also note that if it is a
kernel problem, the connection tracking timeouts could come into play.
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<[EMAIL PROTECTED]> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone? Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
