Hey All,

Tonight I replaced a NIC in my server; eth0 was renamed to eth2. Basically, the only parts of my shorewall configs that I changed were the masq file:

    #INTERFACE   SUBNET   ADDRESS
    eth1         eth2

and the interfaces file:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth1        detect
    masq    eth2        detect

My external NIC has an IP of 208.xxx.xxx.xxx. My internal NIC has an IP of 192.168.0.254.

Unfortunately I am administering this remotely. I was told that a workstation would be left on so I could ping it for testing. The IP of the workstation is 192.168.0.38. I also know that a printer is on. The printer has an IP address of 192.168.0.244.

From the server I can ping out, ping localhost, and ping both NIC IP addresses. When I attempt to ping the "on" workstation I get this:

    [root@server shorewall]# ping 192.168.0.38
    PING 192.168.0.38 (192.168.0.38) from 208.xxx.xxx.xxx: 56(84) bytes of data.
    From 205.171.xxx.xxx icmp_seq=3 Packet filtered

The 205.171.xxx.xxx IP address appears to be an outside router that is not letting me route private traffic to the internet, which I know I'm not supposed to do anyway.

When I ping the printer:

    [root@missourirain shorewall]# ping 192.168.0.244
    PING 192.168.0.244 (192.168.0.244) from 192.168.0.254: 56(84) bytes of data.
    64 bytes from 192.168.0.244: icmp_seq=1 ttl=128 time=0.940 ms

I get a response, and the ping originates from the internal NIC.

So why am I seeing a difference here? Is the .38 box most likely turned off, and when pings cannot go through internally, they try to route externally and then are denied?

Thanks for any advice that anyone can give. I'll know more in the AM when I can have the user confirm whether or not a machine is turned on and able to access the internet.

Bob
On 4 Sep 2003 at 21:33, Bob Avery-Babel wrote:

> When I attempt to ping the "on" workstation I get this:
>
> [root@server shorewall]# ping 192.168.0.38
> PING 192.168.0.38 (192.168.0.38) from 208.xxx.xxx.xxx: 56(84) bytes of data.
> From 205.171.xxx.xxx icmp_seq=3 Packet filtered
>
> The 205.171.xxx.xxx IP address appears to be an outside router that is
> not letting me route private traffic to the internet, which I know I'm
> not supposed to do anyway.

You didn't even do these commands from the same machine, so it's hard to know what's going on. The above ping was done from a machine called server. Where is Server? Is that where you administer from, or the site that has the workstation you are trying to ping?

(As you mentioned, you will never be able to ping stations behind the firewall with the default setup.)

> When I ping the printer:
>
> [root@missourirain shorewall]# ping 192.168.0.244
> PING 192.168.0.244 (192.168.0.244) from 192.168.0.254: 56(84) bytes of data.
> 64 bytes from 192.168.0.244: icmp_seq=1 ttl=128 time=0.940 ms
>
> I get a response, and the ping originates from the internal NIC.

Again, this is done from Missourirain, not the same machine as the first test.

Here it would appear you were executing the ping command from the firewall machine, and of course it knows the route to one of the stations on its local LAN.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
._______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
Sorry, I should have clarified. I was trying to obscure the name of my server. It was too late last night. I was executing both pings from the same firewall box.

I think I solved my problem though. The printer had a static IP address. The workstation was supposed to have a DHCP-assigned IP address _but_ DHCP was blocked by the firewall. So I could only ping the static one. I just could not ping the IP address that was not even assigned (even though I thought it was).

I'm still curious as to why the ping was redirected outward to a public router (and then being dropped).

Thanks for replying to my tired post!

Bob

---------- Original Message ----------------------------------
From: "John S. Andersen" <jsa@norcomix.dyndns.org>
Reply-To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
Date: Fri, 05 Sep 2003 11:06:14 -0800

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
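The source address that ping prints in its "from ..." line is not chosen by whether the target answers; it is the preferred source of whichever routing-table entry wins the longest-prefix match for the destination. Two hosts in the same 192.168.0.0/24 subnet therefore cannot get different source addresses from one table, which is why a ping sourced from the external address, answered by an upstream router with "Packet filtered", is consistent with the connected route for the renamed interface being absent at the moment of the first ping. The following is an added illustration of that lookup, not code from the thread or from Shorewall; 203.0.113.10/24 and the gateway 203.0.113.1 are assumed stand-ins for the obscured 208.xxx.xxx.xxx addresses, and the "broken" table is a constructed failure case.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """One routing-table entry, with the fields 'ip route' shows as prefix, dev, src and via."""
    prefix: ipaddress.IPv4Network
    dev: str
    src: ipaddress.IPv4Address                     # preferred source address for this route
    via: Optional[ipaddress.IPv4Address] = None    # next hop; None means directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule the Linux FIB applies (route metrics ignored here)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def ping_source(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(device, source address) that ping would print in its 'from ...' line, or None if unroutable."""
    route = lookup(table, dst)
    if route is None:
        return None
    return route.dev, str(route.src)


def leaves_via_gateway(table: List[Route], dst: str) -> bool:
    """True when an RFC 1918 destination would be handed to a next-hop router instead of being
    delivered on a connected subnet; that is the packet an upstream router would filter."""
    route = lookup(table, dst)
    return route is not None and route.via is not None and ipaddress.IPv4Address(dst).is_private


# Assumed addresses: 203.0.113.10/24 stands in for the obscured external address on eth1 and
# 203.0.113.1 for the ISP gateway. 192.168.0.254/24 on eth2 is the internal address from the thread.
EXT_IP = ipaddress.IPv4Address("203.0.113.10")
INT_IP = ipaddress.IPv4Address("192.168.0.254")
GATEWAY = ipaddress.IPv4Address("203.0.113.1")

# Table the firewall should hold once eth2 carries the internal address.
GOOD_TABLE = [
    Route(ipaddress.IPv4Network("203.0.113.0/24"), "eth1", EXT_IP),
    Route(ipaddress.IPv4Network("192.168.0.0/24"), "eth2", INT_IP),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "eth1", EXT_IP, GATEWAY),
]

# Constructed failure case: the connected route for the renamed interface is absent,
# so only the default route matches and everything is sourced from the external address.
BROKEN_TABLE = [r for r in GOOD_TABLE if r.dev != "eth2"]


if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("broken", BROKEN_TABLE)):
        for dst in ("192.168.0.38", "192.168.0.244"):
            print(name, dst, ping_source(table, dst), "via gateway:", leaves_via_gateway(table, dst))
```

On the real box the same question is answered by `ip route get 192.168.0.38`, which prints the device and source the kernel would pick; a host that is merely switched off on a connected subnet still gets the internal source address and fails with an ARP timeout rather than with an ICMP message from an outside router.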
On 5 Sep 2003 at 12:18, Bob Avery-Babel wrote:

> Sorry, I should have clarified. I was trying to obscure the name of my
> server. It was too late last night. I was executing both pings from
> the same firewall box.

WHY? Paranoid enough obscuring public IPs, but obscuring host names seems over the top.

> I think I solved my problem though. The printer had a static IP
> address.
>
> The workstation was supposed to have a dhcp assigned IP address _but_
> dhcp was blocked by the firewall. So I could only ping the static one.

How did the workstation obtain an IP if DHCP was blocked? Note that once it HAS an IP, you can talk to it without any further need of DHCP traffic. From then on it uses ARP to find the NIC's MAC address.

> I just could not ping the IP address that was not even assigned (even
> though I thought it was). I'm still curious as to why the ping was
> re-directed outward to a public router (and then being dropped).

This would imply the routing was more than a little confused at that time. Perhaps it really did see such an IP on your external interface.

You should specify norfc1918 on the external interface, and dhcp on both interfaces in your shorewall/interfaces file, and you might want to add "detect" in the broadcast column.

--
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
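The interfaces file has four whitespace-separated columns (ZONE INTERFACE BROADCAST OPTIONS), with OPTIONS comma-separated and "-" or an absent column meaning "not set". What follows is an added example, not code from the thread or from Shorewall: a parser for that format plus a check for the two options recommended above, run against a constructed copy of the file as posted and a copy with the options added. Option names are those of the Shorewall 1.x releases current at the time (later releases dropped norfc1918). Which interfaces carry DHCP traffic is an assumption supplied by the caller, since the file itself does not say.

```python
from typing import Dict, List, Sequence, Set

# Constructed copy of the interfaces file as posted in the thread.
POSTED = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect
masq    eth2        detect
"""

# Constructed copy with the options recommended in the reply above added.
SUGGESTED = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      norfc1918,dhcp
masq    eth2        detect      dhcp
"""


def parse_interfaces(text: str) -> List[Dict]:
    """Parse Shorewall's interfaces file: ZONE INTERFACE BROADCAST OPTIONS per line.
    '#' starts a comment, '-' or a missing column means 'not set', OPTIONS is comma-separated."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 2:
            raise ValueError(f"malformed interfaces line: {raw!r}")
        zone, iface = cols[0], cols[1]
        broadcast = cols[2] if len(cols) > 2 else "-"
        opts = cols[3] if len(cols) > 3 else "-"
        options: Set[str] = set() if opts == "-" else set(opts.split(","))
        rows.append({"zone": zone, "interface": iface, "broadcast": broadcast, "options": options})
    return rows


def lint_interfaces(text: str, external_zone: str = "net",
                    dhcp_interfaces: Sequence[str] = ()) -> List[str]:
    """One finding per missing setting: norfc1918 on the external zone's interface (packets
    arriving there with RFC 1918 source addresses are dropped), the dhcp option on interfaces
    that carry DHCP (otherwise the broadcast DHCP exchange is dropped), and a BROADCAST column
    that is filled in ('detect' or the address)."""
    findings = []
    for row in parse_interfaces(text):
        iface, opts = row["interface"], row["options"]
        if row["zone"] == external_zone and "norfc1918" not in opts:
            findings.append(f"{iface}: external interface lacks norfc1918")
        if iface in dhcp_interfaces and "dhcp" not in opts:
            findings.append(f"{iface}: carries DHCP but lacks the dhcp option")
        if row["broadcast"] == "-":
            findings.append(f"{iface}: BROADCAST column is empty (use 'detect' or the address)")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label, lint_interfaces(text, dhcp_interfaces=("eth1", "eth2")) or ["no findings"])
```

The dhcp option is the one that matters for the symptom described in this thread: without it the DHCP broadcasts on the internal interface never reach the server, so a workstation that depends on a lease has no address to answer on, while a host with a static address keeps working.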