/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */



I think I may have found a problem between NetWare 5 and ipchains/masq.

My setup looks like this (excuse the ASCII art):

-----------------
|               |
| Internal net  |--ipchains/router---dmz--router---internet
| 10.60.53.0/24 |
--------|--------
        |
      router
        |
   private net
   10.0.0.0/8


The ipchains box is doing routing and masquerading; the routing table is as follows:

209.232.177.2   0.0.0.0         255.255.255.255 UH   0 0          0 eth1
127.0.0.1       0.0.0.0         255.255.255.255 UH   0 0          0 lo
10.60.53.4      0.0.0.0         255.255.255.255 UH   0 0          0 eth0
209.232.177.0   0.0.0.0         255.255.255.128 U    0 0          0 eth1
10.60.53.0      0.0.0.0         255.255.255.0   U    0 0          0 eth0
10.0.0.0        10.60.53.1      255.0.0.0       UG   0 0          0 eth0
0.0.0.0         209.xxx.xxx.x   0.0.0.0         UG   0 0          0 eth1

I'll spare you the entire ipchains ruleset, but here is the crux of the
problem.

I have the rule:
/sbin/ipchains -A forward -s $INT_NET -d $ALL_IP -j MASQ

which I had to change because it was munging up the flags on internal
network traffic across the router, i.e.:

the SYN bit was not being set on the _FIRST_ outgoing request from either a
web browser or SAP client (only clients tested); a RST would be received from
the destination machine, causing the browser or SAP client to give an error
message. Then, if the user tried again, it would work fine until their IP
expired from the ARP cache on the ipchains box.

This appeared to happen after the packet had gone through the ipmasq box.
So I changed the rule to:
/sbin/ipchains -A forward -s $INT_NET -d ! 10.0.0.0/8 -j MASQ
which solved the first problem, but induced a worse one.

This caused a slew of freaky DNS problems and, more simply,
as soon as I set the ! 10/8 rule, the NetWare 5 server could no longer ping
the private network across the router, which would explain the DNS problems,
because the NetWare server is functioning as the internal name server.

Changing the MASQ rule to !10/8 did not affect any other machine on the
network; IP functioned fine from all machines except the NetWare 5 server.

The kernel version on the firewall is 2.2.10; the ipchains version is 1.3.8.

I hope this was not too verbose for you, and I'd appreciate any insight into
the problem. In the meantime, I'll suspect a bug in the NetWare IP stack.

Thanks
Sam James
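An added example, not from the original post, that models which forwarded flows each variant of the forward-chain MASQ rule above would match, using the routing table from the post for longest-prefix egress lookup. It assumes $ALL_IP means 0.0.0.0/0, uses constructed client and destination addresses, and includes for comparison the interface-based form (-i eth1) recommended by the IP Masquerade HOWTO, which masquerades only packets actually leaving the external interface.

```python
import ipaddress

# Routing table from the post, as (destination, netmask, interface).
# The redacted default gateway is not needed to pick the egress interface.
ROUTES = [
    ("209.232.177.2", "255.255.255.255", "eth1"),
    ("10.60.53.4",    "255.255.255.255", "eth0"),
    ("209.232.177.0", "255.255.255.128", "eth1"),
    ("10.60.53.0",    "255.255.255.0",   "eth0"),
    ("10.0.0.0",      "255.0.0.0",       "eth0"),  # via 10.60.53.1
    ("0.0.0.0",       "0.0.0.0",         "eth1"),  # default route
]
INT_NET = ipaddress.IPv4Network("10.60.53.0/24")

def egress_interface(dst):
    """Longest-prefix match over ROUTES: the interface a packet leaves on."""
    best = None
    for net, mask, dev in ROUTES:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if ipaddress.IPv4Address(dst) in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, dev)
    return best[1]

# Candidate forward-chain rules as (dst_net, negated, out_iface), i.e.
#   -s $INT_NET -d [!] dst_net [-i out_iface] -j MASQ
RULES = {
    "original (-d $ALL_IP, assumed 0.0.0.0/0)": ("0.0.0.0/0", False, None),
    "changed (-d ! 10.0.0.0/8)":                ("10.0.0.0/8", True, None),
    "by interface (-i eth1)":                   ("0.0.0.0/0", False, "eth1"),
}

def would_masquerade(rule, src, dst):
    """True if the rule matches a forwarded packet src -> dst."""
    dst_net, negated, out_iface = rule
    if ipaddress.IPv4Address(src) not in INT_NET:
        return False
    hit = ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(dst_net)
    if negated:
        hit = not hit
    if out_iface is not None and egress_interface(dst) != out_iface:
        return False
    return hit

if __name__ == "__main__":
    # Constructed flows: an internal client reaching the internet, and the
    # same client reaching the private net through the 10.60.53.1 router.
    for src, dst in [("10.60.53.20", "198.51.100.7"), ("10.60.53.20", "10.1.2.3")]:
        for name, rule in RULES.items():
            print(f"{name}: {src} -> {dst} out {egress_interface(dst)}: "
                  f"MASQ={would_masquerade(rule, src, dst)}")
```

The original rule masquerades the intra-private flow (the one the post says arrived with munged flags), while both the negated-destination and interface-based forms leave it untouched and still masquerade the internet-bound flow.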



_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.