On Oct 3, 2007, at 10:41 AM, Chris Miller wrote:
> Vadim Kurland wrote:
>> On Sep 27, 2007, at 12:54 PM, Chris Miller wrote:
>>> I've got a couple of Linksys WRT routers running Sveasoft
>>> Talisman deployed with 1:1 NAT. The
>>> earlier unit (WRT54GL) runs Talisman 1.2.3 with rules last built
>>> FWB 2.1.8 and works like a
>>> charm. The new unit (WRTSL54GS) runs Talisman 1.2.9 with rules built
>>> from FWB 2.1.14.
>>> The new unit uses an identical ruleset to the older one except the
>>> int/ext IP addresses are
>>> different. Both routers connect to a /29 network, where one address
>>> is assigned to the router, and
>>> the remaining four addresses are setup for 1:1 NAT.
>> do you mean both new and old firewalls connect to the same /29
>> or to two different /29 networks?
> No, two different sites. Just saying I've done this before and it
>> what do the rule (or rules) that permit dns, ping, traceroute from
>> internal servers look like?
> I included the rules from the base WRT template.
> Source: Firewall
> Dest: 192.168.0.0/24
> Service: ICMP ping reply, time exceeded.
this rule permits ping reply and ICMP time exceeded from the firewall
back to servers. Because of this rule you should be able to ping the
firewall and run traceroute to destinations outside. Specifically, if
you do not permit ICMP "time exceeded" in a stateless rule, the first
hop will look like "* * *" in traceroute.
I see that the "Load modules" option is turned off in the "Script
options" tab of the firewall object. If this is intentional, you need
to make sure modules ip_conntrack and others that maintain state in
iptables are loaded by one of the system startup scripts. If this
option is turned on, the script generated by fwbuilder takes care of
that. This could be the problem actually. You may not need to load
modules using this script if they are compiled into the kernel. But
if they are not, and you do not load them, then iptables won't be
able to maintain state which will lead to problems similar to what
Do you get any errors when script is activated ?
Do you see anything in the log ? If state is not supported, you
should see records of dropped packets. Without state, firewall does
not automatically permit reply packets for your ping or dns queries
so you should see them in the log.
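The two checks suggested in the reply (are the state-tracking modules actually loaded, and does the log show reply packets being dropped?) can be automated. The script below is an added example written for this thread, not code from fwbuilder or from either poster. The log lines and the lsmod output it works on are constructed samples: the log lines follow the iptables LOG target's key=value format with a "RULE n -- ACTION" prefix in the style of fwbuilder's default log prefix, the IP addresses are documentation ranges, and the module list (ip_conntrack, ip_conntrack_ftp, ipt_state, iptable_nat) is an assumed set for a 2.4-era kernel that should be adjusted to the kernel in use.

```python
import re

# Constructed excerpt of a router syslog in iptables LOG format. The internal
# network is 192.168.0.0/24 as in the thread; external addresses are made up.
# Line 1: an ICMP echo reply to an internal host, denied.
# Line 2: a DNS answer (UDP source port 53) to an internal host, denied.
# Line 3: an unsolicited inbound TCP SYN, denied (expected, not a state problem).
# Line 4: the outbound echo request the first line answers, accepted.
SAMPLE_LOG = """\
Oct  3 10:41:01 wrt kernel: RULE 0 -- DENY IN=vlan1 OUT=br0 SRC=198.51.100.7 DST=192.168.0.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=4321 SEQ=1
Oct  3 10:41:02 wrt kernel: RULE 0 -- DENY IN=vlan1 OUT=br0 SRC=198.51.100.53 DST=192.168.0.10 LEN=93 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=33021 LEN=73
Oct  3 10:41:03 wrt kernel: RULE 0 -- DENY IN=vlan1 OUT=br0 SRC=198.51.100.9 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  3 10:41:04 wrt kernel: RULE 3 -- ACCEPT IN=br0 OUT=vlan1 SRC=192.168.0.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
"""

INTERNAL_NET = "192.168.0."  # simple prefix test standing in for a /24 match

KV_RE = re.compile(r"(\w+)=(\S*)")
ACTION_RE = re.compile(r"--\s+(\w+)\s+IN=")


def parse_iptables_log(line):
    """Return the key=value fields of one iptables LOG line plus the ACTION word
    from the log prefix, or None if the line is not an iptables LOG record."""
    if "PROTO=" not in line or "SRC=" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    # ICMP lines carry ID= twice (IP id, then ICMP id); dict() keeps the last.
    m = ACTION_RE.search(line)
    rec["ACTION"] = m.group(1) if m else "?"
    return rec


def is_reply_traffic(rec):
    """True when the record looks like a reply to something an internal host
    sent: ICMP echo-reply or time-exceeded, or UDP from source port 53."""
    if not rec.get("DST", "").startswith(INTERNAL_NET):
        return False
    proto = rec.get("PROTO")
    if proto == "ICMP":
        return rec.get("TYPE") in ("0", "11")  # echo-reply, time-exceeded
    if proto == "UDP":
        return rec.get("SPT") == "53"
    return False


def dropped_replies(log_text):
    """Records that were denied although a working conntrack would have matched
    them as replies. Any hit points at missing state tracking, not at the rules."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_iptables_log(line)
        if rec and rec["ACTION"] == "DENY" and is_reply_traffic(rec):
            hits.append(rec)
    return hits


# Assumed set of state-related modules for a 2.4-era iptables; adjust per kernel.
STATE_MODULES = ["ip_conntrack", "ip_conntrack_ftp", "ipt_state", "iptable_nat"]

# Constructed `lsmod` output from a router whose startup scripts loaded only
# the filter table and logging, none of the state-tracking modules.
SAMPLE_LSMOD = """\
Module                  Size  Used by
ipt_LOG                 4352  8
iptable_filter          2048  1
ip_tables              14176  2 ipt_LOG,iptable_filter
"""


def missing_state_modules(lsmod_text, required=STATE_MODULES):
    """Names from `required` absent from the first column of lsmod output.
    Caveat: modules compiled into the kernel never show up in lsmod, so an
    entry here is only a problem if the kernel does not have it built in."""
    loaded = {l.split()[0] for l in lsmod_text.splitlines()[1:] if l.strip()}
    return [m for m in required if m not in loaded]


if __name__ == "__main__":
    for rec in dropped_replies(SAMPLE_LOG):
        print("dropped reply:", rec["PROTO"], rec["SRC"], "->", rec["DST"])
    print("state modules not in lsmod:", missing_state_modules(SAMPLE_LSMOD))
```

On a real router the inputs would be `dmesg` or the syslog file and the output of `lsmod`; the inbound SYN on line 3 of the sample is correctly left out of the result, since dropping unsolicited traffic is what the ruleset is meant to do.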