[Shorewall-users] Is working only inside eth1...
teastep at shorewall.net
Sat Apr 3 07:26:48 PST 2004
Tom Eastep wrote:
> And if you falsified your IP addresses in your first report then please
> don't do it again. I based my first response on the addresses that you
> reported and I don't have the time or the patience to play games with
> people who believe that keeping their IP address structure a secret
> somehow keeps them safer.
Hmmmmm --- The more that I look at your rules, the less that I understand:
ACCEPT fw:184.108.40.206 net tcp 53
Fine -- you say that 220.127.116.11 is your eth1 IP address
ACCEPT net loc:18.104.22.168 icmp 8
Huh?? Now all of a sudden, 22.214.171.124 is the IP address of a system in
the 'loc' zone!!!!
ACCEPT all loc:126.96.36.199 tcp 80
So 188.8.131.52 must be the IP address of a web server in the local zone.
And finally we have:
ACCEPT all loc:184.108.40.206 tcp 110
So you appear to have a 146.164.155.* also in your local zone.
The point here is that none of these IP addresses are reserved by RFC 1918.
In fact, 220.127.116.11 is cm-net-cwb-C8B0369B.brdterra.com.br and the
146.xxxx address also appears legitimate.
18.104.22.168 however smells like a fake.
The reason that I suggested removing the masq entry is because these
perfectly valid public IP addresses should be internet accessible so
traffic from them shouldn't have to be masqueraded to the bogus
200.200.xxx address. Since removing the masq entry produces the
result it did, I can only conclude that hosts on the eth0 side of your
router don't know how to route traffic to hosts on the eth1 side. That
has nothing to do with the configuration of your firewall/router
(although as I point out above, there are some configuration problems in
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
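The check Tom does by hand above (which addresses in the rules file are RFC 1918 private space, which are public, and whether one address shows up in more than one zone, which is what makes a masq entry unnecessary or suspicious) can be automated. The script below is an added example, not code from the post or from the Shorewall project. It parses only the five-column rules format quoted in the post (ACTION SOURCE DEST PROTO DPORT) and plain zone:address specs; interface or MAC qualifiers such as loc:eth1 are left alone. The sample input is the four rule lines quoted in the post, with the addresses exactly as they appear there.

```python
"""Audit Shorewall 'rules' entries for public vs. RFC 1918 addresses.

Added example, not part of the original post or of Shorewall.  It reads the
five-column rules format quoted in the post (ACTION SOURCE DEST PROTO DPORT),
collects every zone:address pair, reports which addresses are outside RFC 1918
space, and flags any address that is used in more than one zone.
"""
import ipaddress
from collections import defaultdict

# Constructed sample input: the four rule lines quoted in the post, verbatim.
SAMPLE_RULES = """\
ACCEPT fw:184.108.40.206 net tcp 53
ACCEPT net loc:18.104.22.168 icmp 8
ACCEPT all loc:126.96.36.199 tcp 80
ACCEPT all loc:184.108.40.206 tcp 110
"""

# The three RFC 1918 private ranges.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def parse_address(spec):
    """Return an IPv4 network for a host or CIDR spec, or None if it is not one
    (e.g. an interface name such as 'eth1' or a MAC address)."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None
    return net if net.version == 4 else None


def is_rfc1918(spec):
    """True if the host/CIDR spec lies entirely inside RFC 1918 space."""
    net = parse_address(spec)
    return net is not None and any(net.subnet_of(priv) for priv in RFC1918)


def split_zone(column):
    """'loc:1.2.3.4' -> ('loc', '1.2.3.4'); a bare zone like 'net' -> ('net', None)."""
    zone, _, rest = column.partition(":")
    return zone, (rest or None)


def parse_rules(text):
    """Parse ACTION SOURCE DEST [PROTO [DPORT]] lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"rule needs at least ACTION SOURCE DEST: {raw!r}")
        action, src, dst = fields[:3]
        proto = fields[3] if len(fields) > 3 else "-"
        dport = fields[4] if len(fields) > 4 else "-"
        rules.append({"action": action, "src": split_zone(src),
                      "dst": split_zone(dst), "proto": proto, "dport": dport})
    return rules


def audit(text):
    """Return {'public': {addr: zones}, 'private': {addr: zones},
    'multi_zone': {addr: zones}} for every address used in the rules."""
    zones_by_addr = defaultdict(set)
    for rule in parse_rules(text):
        for zone, addr in (rule["src"], rule["dst"]):
            if addr is not None and parse_address(addr) is not None:
                zones_by_addr[addr].add(zone)
    public = {a: z for a, z in zones_by_addr.items() if not is_rfc1918(a)}
    private = {a: z for a, z in zones_by_addr.items() if is_rfc1918(a)}
    multi = {a: z for a, z in zones_by_addr.items() if len(z) > 1}
    return {"public": public, "private": private, "multi_zone": multi}


def masq_needed(text):
    """True only if some 'loc' address is RFC 1918 space; publicly routable
    loc hosts do not need to be masqueraded, which is the post's point."""
    return any("loc" in zones for zones in audit(text)["private"].values())


if __name__ == "__main__":
    report = audit(SAMPLE_RULES)
    for kind in ("public", "private", "multi_zone"):
        for addr, zones in sorted(report[kind].items()):
            print(f"{kind:10s} {addr:18s} zones={sorted(zones)}")
    print("masq entry needed for loc:", masq_needed(SAMPLE_RULES))
```

Run against the post's four lines it reports every address as public, none as private, and one address (184.108.40.206) as appearing in both the fw and loc zones; masq_needed comes back False, which is the same conclusion the post reaches about the masq entry.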