Re: [Fwbuilder-discussion] Newbie questions
From: John G. <Jo...@ga...> - 2007-02-26 04:53:32
-----Original Message-----
>From: Vadim Kurland [mailto:va...@vk...]
>Sent: Sunday, February 25, 2007 7:35 PM
>To: John Gallagher
>
>looks like you need to add a rule to permit everything on loopback interface
>it also appears that you have logging turned on in all rules in your policy, you do not need to do that unless you want to see log records for all packets crossing the firewall.
>Did you add service object "ESTABLISHED" in some of your rules? You do not need to do that since a rule matching ESTABLISHED,RELATED packets is added for you on top of the policy automatically.
>Rule that matches all multicast packets (224.0.0.0/8) should probably be stateless, you can do this using checkbox in the rule options dialog. To get to it, right mouse click in the "options" rule element.
>--vk

I made some progress, I changed the rule for eth1 (inside) to be stateless and it allowed the connection to complete? The rule looks like this:

#any any any inside both accept any options (Assume that the firewall is part of any and Stateless)

Is it possible that the state table was built on the external eth0 and because the reply and nat is handled by ipvsadm that the state is confused?

How do I turn off the logging? Is it the blank box in the drop down? I do not see the option to turn this off in either the rule options or the firewall logging page.

I did NOT add the ESTABLISHED object in any rule.

The VRRP seems to work with the current config without the stateless option checked.

I have no loopback defined in any rule.
BTW, this is version 2.1.9. Here is the current configuration that seems to be working:

cat iptables
# Generated by iptables-save v1.2.11 on Sun Feb 25 20:33:17 2007
*nat
:PREROUTING ACCEPT [166:38412]
:POSTROUTING ACCEPT [17:1177]
:OUTPUT ACCEPT [5:309]
-A PREROUTING -d 66.93.68.17 -p tcp -m tcp --dport 22 -j DNAT --to-destination 10.200.200.240
-A POSTROUTING -s 10.200.200.0/255.255.255.0 -o eth+ -j SNAT --to-source 66.93.68.13
COMMIT
# Completed on Sun Feb 25 20:33:17 2007
# Generated by iptables-save v1.2.11 on Sun Feb 25 20:33:17 2007
*filter
:INPUT DROP [1:40]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:In_RULE_4 - [0:0]
:Out_RULE_4 - [0:0]
:RULE_0 - [0:0]
:RULE_1 - [0:0]
:RULE_2 - [0:0]
:RULE_3 - [0:0]
:RULE_5 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.200.200.240 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_0
-A INPUT -d 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_1
-A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j RULE_2
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j RULE_3
-A INPUT -i eth1 -j In_RULE_4
-A INPUT -j RULE_5
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j RULE_2
-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j RULE_3
-A FORWARD -i eth1 -j In_RULE_4
-A FORWARD -o eth1 -j Out_RULE_4
-A FORWARD -j RULE_5
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.200.200.240 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_0
-A OUTPUT -d 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_1
-A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j RULE_2
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j RULE_3
-A OUTPUT -o eth1 -j Out_RULE_4
-A OUTPUT -j RULE_5
-A In_RULE_4 -m limit --limit 2/sec -j LOG --log-prefix "RULE 4 -- ACCEPT "
-A In_RULE_4 -j ACCEPT
-A Out_RULE_4 -m limit --limit 2/sec -j LOG --log-prefix "RULE 4 -- ACCEPT "
-A Out_RULE_4 -j ACCEPT
-A RULE_0 -m limit --limit 2/sec -j LOG --log-prefix "RULE 0 -- ACCEPT "
-A RULE_0 -j ACCEPT
-A RULE_1 -m limit --limit 2/sec -j LOG --log-prefix "RULE 1 -- ACCEPT "
-A RULE_1 -j ACCEPT
-A RULE_2 -m limit --limit 2/sec -j LOG --log-prefix "RULE 2 -- ACCEPT "
-A RULE_2 -j ACCEPT
-A RULE_3 -m limit --limit 2/sec -j LOG --log-prefix "RULE 3 -- ACCEPT "
-A RULE_3 -j ACCEPT
-A RULE_5 -m limit --limit 2/sec -j LOG --log-prefix "RULE 5 -- DENY "
-A RULE_5 -j DROP
COMMIT
# Completed on Sun Feb 25 20:33:17 2007
[root@lb1 sysconfig]#
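Added example, not part of the thread and not fwbuilder code: a small audit script that parses an iptables-save dump of the shape posted above and reports the two things vk's reply points at, namely which policy rules still have logging turned on (fwbuilder puts each logged rule's LOG target in its own user chain, so the check is "does the chain this rule jumps to contain a LOG rule") and which multicast rules are still stateful. The embedded ruleset is a constructed excerpt of the filter table from the message, with one logging chain deliberately left without a LOG rule so the report is not trivially "everything". `stateless_variant` drops the `-m state --state NEW` match, which is what the stateless eth1 rule (In_RULE_4) already looks like in the dump; that it is exactly what the stateless checkbox compiles to is an assumption here.

```python
"""Audit an iptables-save dump: which policy rules log, and which multicast rules are stateful."""
import ipaddress
import shlex
from collections import defaultdict

MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Constructed sample: an excerpt of the filter table from the dump in the post,
# with RULE_1 deliberately left without a LOG rule.
SAMPLE = """\
*filter
:INPUT DROP [1:40]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:In_RULE_4 - [0:0]
:RULE_0 - [0:0]
:RULE_1 - [0:0]
:RULE_5 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_0
-A INPUT -d 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_1
-A INPUT -i eth1 -j In_RULE_4
-A INPUT -j RULE_5
-A In_RULE_4 -m limit --limit 2/sec -j LOG --log-prefix "RULE 4 -- ACCEPT "
-A In_RULE_4 -j ACCEPT
-A RULE_0 -m limit --limit 2/sec -j LOG --log-prefix "RULE 0 -- ACCEPT "
-A RULE_0 -j ACCEPT
-A RULE_1 -j ACCEPT
-A RULE_5 -m limit --limit 2/sec -j LOG --log-prefix "RULE 5 -- DENY "
-A RULE_5 -j DROP
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [token lists]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policy": {}, "rules": defaultdict(list)}
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            name, policy, _counters = line[1:].split()
            tables[table]["policy"][name] = policy
        elif line.startswith("-A "):                  # -A CHAIN <match/target tokens>
            tokens = shlex.split(line)                # keeps the quoted --log-prefix intact
            tables[table]["rules"][tokens[1]].append(tokens[2:])
    return tables


def _option(tokens, flag):
    """Value following a flag in a rule, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def logging_chains(table):
    """Chains that contain a LOG rule (fwbuilder emits one per logged policy rule)."""
    return {chain for chain, rules in table["rules"].items()
            if any(_option(r, "-j") == "LOG" for r in rules)}


def logged_policy_rules(table):
    """(chain, rule) pairs in the built-in chains that jump into a logging chain."""
    loggers = logging_chains(table)
    return [(chain, " ".join(r))
            for chain in ("INPUT", "FORWARD", "OUTPUT")
            for r in table["rules"].get(chain, [])
            if _option(r, "-j") in loggers]


def touches_multicast(tokens):
    """True if the rule's -s or -d address overlaps 224.0.0.0/4 (dotted netmasks allowed)."""
    for flag in ("-s", "-d"):
        value = _option(tokens, flag)
        if value and ipaddress.ip_network(value, strict=False).overlaps(MULTICAST):
            return True
    return False


def stateful_multicast_rules(table):
    """Multicast rules that still carry a NEW state match; candidates for the stateless option."""
    return [(chain, r) for chain, rules in table["rules"].items() for r in rules
            if touches_multicast(r) and "NEW" in (_option(r, "--state") or "").split(",")]


def stateless_variant(tokens):
    """The same rule with '-m state --state <x>' removed (assumed stateless form)."""
    out = list(tokens)
    while "--state" in out:
        i = out.index("--state")
        start = i - 2 if out[i - 2:i] == ["-m", "state"] else i
        del out[start:i + 2]
    return out


if __name__ == "__main__":
    filt = parse_iptables_save(SAMPLE)["filter"]
    for chain, rule in logged_policy_rules(filt):
        print(f"logs:               {chain} {rule}")
    for chain, rule in stateful_multicast_rules(filt):
        print(f"stateful multicast: {chain} {' '.join(rule)}")
        print(f"  stateless form:   {chain} {' '.join(stateless_variant(rule))}")
```

Point it at a real dump with `parse_iptables_save(open("/etc/sysconfig/iptables").read())` (path is the one implied by the prompt above, assumed); the same parser handles the nat table, so the report can be extended to DNAT/SNAT rules without changes to the tokenizer.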