Hello,

I have 2 network addresses on my external NIC: the external IP as assigned by the ISP and a 192.168 IP. I need the 192.168 IP to talk to the ADSL modem. When shorewall is active it by default blocks all network traffic on this NIC to 192.168 addresses. When I remove the "norfc1918" option from the "net" zone in the "interfaces" file I can reach the ADSL modem (I want to use it for SNMP queries to the modem).

Is it safe to do it this way or is there a better approach to reach this?

--
Regards, Peter
--
Access denied--nah nah na nah nah!
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org : 34 days, 23 hours and 54 minutes, 0 users logged in.
Peter Lindeman wrote:

> Hello,
>
> I have 2 network addresses on my external NIC: the external IP as
> assigned by the ISP and a 192.168 IP. I need the 192.168 IP to talk to
> the ADSL modem. When shorewall is active it by default blocks all
> network traffic on this NIC to 192.168 addresses. When I remove the
> "norfc1918" option from the "net" zone in the "interfaces" file I can
> reach the ADSL modem (I want to use it for SNMP queries to the modem).
>
> Is it safe to do it this way or is there a better approach to reach this?

Please see FAQ #14 (http://www.shorewall.net/FAQ.htm#faq14)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:

>> Is it safe to do it this way or is there a better approach to reach
>> this?
>
> Please see FAQ #14 (http://www.shorewall.net/FAQ.htm#faq14)

Thanks, I guess I didn't look good enough. Still got one question. If I only put in the IP of the ADSL modem I still can't reach it. If I put in both the IP of the ADSL modem and the FW I can. The strange thing is when I ping the ADSL modem I get this:

[peter@mandrake peter]$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 192.168.1.2 : 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=0 ttl=254 time=1.363 msec (BAD CHECKSUM!)
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=1.356 msec (BAD CHECKSUM!)
64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=1.341 msec (BAD CHECKSUM!)

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 packets received, +3 corrupted, 100% packet loss
[peter@mandrake peter]$

What could cause a bad checksum?

--
Regards, Peter
Peter Lindeman wrote:

> Tom Eastep wrote:
>
>>> Is it safe to do it this way or is there a better approach to reach
>>> this?
>>
>> Please see FAQ #14 (http://www.shorewall.net/FAQ.htm#faq14)
>
> Thanks, I guess I didn't look good enough. Still got one question. If I
> only put in the IP of the ADSL modem I still can't reach it. If I put in
> both the IP of the ADSL modem and the FW I can.

Makes sense if you have an RFC1918 address added to your external interface (as opposed to just having a host route defined to your modem).

> The strange thing is when I ping the ADSL modem I get this:
>
> [peter@mandrake peter]$ ping 192.168.1.1
> PING 192.168.1.1 (192.168.1.1) from 192.168.1.2 : 56(84) bytes of data.
> 64 bytes from 192.168.1.1: icmp_seq=0 ttl=254 time=1.363 msec (BAD CHECKSUM!)
> 64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=1.356 msec (BAD CHECKSUM!)
> 64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=1.341 msec (BAD CHECKSUM!)
>
> --- 192.168.1.1 ping statistics ---
> 3 packets transmitted, 0 packets received, +3 corrupted, 100% packet loss
> [peter@mandrake peter]$
>
> What could cause a bad checksum?

The checksum calculated by the Linux IP stack doesn't match the one in the packet. Probably a broken ICMP echo implementation in the modem.

-Tom
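The checksum mismatch described in the reply above, as an added example that is not part of the original thread: it computes the ICMP (RFC 1071) checksum the way a receiver does and compares a correct echo reply with a faulty one. The faulty responder (it flips the type to echo reply but keeps the request's checksum) is a constructed illustration of one way a reply can fail the check, not a statement about what this modem does; all function names and packet values are made up for the example.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message (type 8 = request, 0 = reply) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def checksum_ok(icmp_message: bytes) -> bool:
    """Receiver-side check: summing the message including its checksum field
    must give 0xFFFF, so the complemented result is 0."""
    return internet_checksum(icmp_message) == 0

def stale_checksum_reply(request: bytes) -> bytes:
    """Constructed faulty responder: changes type 8 -> 0, leaves checksum untouched."""
    return b"\x00" + request[1:]

def demo():
    payload = bytes(range(56))               # constructed 56-byte ping payload
    request = build_icmp(8, 0x1234, 0, payload)
    good_reply = build_icmp(0, 0x1234, 0, payload)
    bad_reply = stale_checksum_reply(request)
    return checksum_ok(request), checksum_ok(good_reply), checksum_ok(bad_reply)

if __name__ == "__main__":
    for name, ok in zip(("request", "good reply", "stale-checksum reply"), demo()):
        print(f"{name}: {'ok' if ok else 'BAD CHECKSUM'}")
```

A reply that fails this check is counted as corrupted rather than received, which matches the "0 packets received, +3 corrupted" line in the ping statistics quoted above.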
Tom Eastep wrote:

>> Thanks, I guess I didn't look good enough. Still got one question. If
>> I only put in the IP of the ADSL modem I still can't reach it. If I
>> put in both the IP of the ADSL modem and the FW I can.
>
> Makes sense if you have an RFC1918 address added to your external
> interface (as opposed to just having a host route defined to your modem).

So it is also possible when adding an extra IP to the NIC of the FW? Can I only add a route to the modem?

>> What could cause a bad checksum?
>
> The checksum calculated by the Linux IP stack doesn't match the one in
> the packet. Probably a broken ICMP echo implementation in the modem.

OK, then I won't spend too much time trying to solve it ;-)

Thanks

--
Regards, Peter