Thread: [Fwbuilder-discussion] problems with 1.0.10
From: Trey N. <tn...@in...> - 2003-07-29 23:37:26
Forgive me if this has been talked about on the list recently. The archives seem to be down. We have been using fwbuilder for quite a while and recently upgraded from 1.0.9 to 1.0.10. I'm running 1.0.10 on several machines with small rulesets (usually in a NAT environment) without problems. However, we have a bridging firewall with a fairly large ruleset (about 20 rules with several groups of many hosts) that has caused us a problem. We upgraded to 1.0.10, made some changes, and recompiled. After that, the firewall kept working to protect hosts, but you could no longer ssh to the firewall box itself. I went to the console and nothing (no packets of any kind) could get out of the box. I went over the rules, and I explicitly have a rule that allows ANY to go out of the firewall machine. I recompiled with 1.0.9 on another box, and this was fixed. I have not been able to isolate the problem because even when I turn logging on all rules, nothing is logged when packets try to leave the box. I don't want to post my ruleset for obvious reasons, but if there is someone here that thinks they could figure out what is going on, I could arrange to send them to you privately. I really think it must be an issue with the new compiler. I looked for a changelog to see if there was some change between versions 1.0.9 and 1.0.10 that would cause this, but I didn't see one. Thanks in advance.

Trey Nolen
From: Vadim K. /r/ <va...@vk...> - 2003-07-29 23:46:42
On Tuesday, July 29, 2003, at 04:37 PM, Trey Nolen wrote:

> Forgive me if this has been talked about on the list recently. The
> archives seem to be down. We have been using fwbuilder for quite a
> while and recently upgraded from 1.0.9 to 1.0.10. I'm running 1.0.10
> on several machines with small rulesets (usually in a NAT environment)
> without problems. However, we have a bridging firewall with a fairly
> large ruleset (about 20 rules with several groups of many hosts) that
> has caused us a problem. We upgraded to 1.0.10, made some changes, and
> recompiled. After that, the firewall kept working to protect hosts,
> but you could no longer ssh to the firewall box itself. I went to the
> console and nothing (no packets of any kind) could get out of the
> box. I went over the rules, and I explicitly have a rule that allows
> ANY to go out of the firewall machine. I recompiled with 1.0.9 on
> another box, and this was fixed. I have not been able to isolate the
> problem because even when I turn logging on all rules, nothing is
> logged when packets try to leave the box. I don't want to post my
> ruleset for obvious reasons, but if there is someone here that thinks
> they could figure out what is going on, I could arrange to send them
> to you privately. I really think it must be an issue with the new
> compiler. I looked for a changelog to see if there was some change
> between versions 1.0.9 and 1.0.10 that would cause this, but I
> didn't see one. Thanks in advance.
>
> Trey Nolen
>

From your report it is not quite clear whether you want to be able to ssh TO the firewall, or FROM it. Which one?

The rule that allows any to go out of the firewall won't permit ssh TO it. Do you have a rule to permit service 'ssh' to the firewall?

--vk
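As an added example (not part of the thread, and not fwbuilder's own code), assuming the fwbuilder target is iptables: a small POSIX shell check over a constructed iptables-save listing that separates the two directions asked about above, ssh to the firewall (INPUT chain) versus traffic leaving it (OUTPUT chain), and prints each chain's default policy, which is what drops packets without any logging rule ever firing.

```shell
#!/bin/sh
# Constructed iptables-save style rulesets (assumed fwbuilder target: iptables).
# RULES_A: a catch-all ACCEPT in OUTPUT only; RULES_B adds an INPUT rule for ssh.
RULES_A=$(printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':OUTPUT DROP [0:0]' \
  '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
  '-A OUTPUT -j ACCEPT' 'COMMIT')
RULES_B=$(printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':OUTPUT DROP [0:0]' \
  '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
  '-A INPUT -p tcp --dport 22 -j ACCEPT' \
  '-A OUTPUT -j ACCEPT' 'COMMIT')

# Print the default policy of CHAIN: what silently eats packets that matched no
# rule, which is why "log on every rule" never shows them.
chain_policy() {
  printf '%s\n' "$1" | awk -v chain="$2" '$1 == (":" chain) { print $2; exit }'
}

# Succeed if CHAIN has an ACCEPT rule for tcp/PORT: either an explicit
# "--dport PORT" or a catch-all ACCEPT whose only matches are interfaces.
# A state match or any other qualifier does not count as catch-all.
chain_accepts() {
  printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" '
    $1 == "-A" && $2 == chain && /-j ACCEPT/ {
      if ($0 ~ ("--dport " port "( |$)")) found = 1
      s = $0; sub("^-A " chain, "", s); sub("-j ACCEPT$", "", s)
      gsub(/-[io] [^ ]+/, "", s); gsub(/ /, "", s)
      if (s == "") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Check both directions for the firewall host itself; return 0 only when ssh
# to the box (INPUT) and traffic leaving the box (OUTPUT) are both accepted.
diagnose() {
  rules=$1; ok=0
  if chain_accepts "$rules" INPUT 22; then in_ssh=allowed; else in_ssh=blocked; ok=1; fi
  if chain_accepts "$rules" OUTPUT any; then out=allowed; else out=blocked; ok=1; fi
  echo "INPUT  policy $(chain_policy "$rules" INPUT): ssh to the firewall is $in_ssh"
  echo "OUTPUT policy $(chain_policy "$rules" OUTPUT): traffic from the firewall is $out"
  return $ok
}

diagnose "$RULES_A" || true   # ssh to the firewall blocked: only OUTPUT is open
diagnose "$RULES_B" || true   # both directions accepted
```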