From: Tom E. <te...@sh...> - 2003-02-28 20:53:30
--On Friday, February 28, 2003 10:08:11 PM +0530 sivamurugu <siv...@in...> wrote:

> Hi Tom,
>
> I would send the required files soon, because our head office guys in US
> have to start accessing the servers in our location only then I will get
> the DROP logs. In the meantime I have doubts in my policy file itself in
> addition to the rules files. I am attaching those files herewith.
>
> Questions
>
> 1) Our US office people are not able to access the servers in my dmz
> zone. I have a rule which permits entire subnet from net[US] zone to
> entire subnet in dmz[our location--shorewall]. right or wrong?
>
> 2) Our US office people are able to make a call to our location's
> IP-phone extensions. I have a rule which permits one IP from net zone[US]
> to one IP in dmz zone[our IP phone]. That's why?

To conclude this thread, there were three overall problems:

a) The usual "stale cache" problem associated with proxy ARP.

b) Siva's policy file was mis-ordered so that his "all all REJECT" policy came before two other ACCEPT policies.

c) In his rules file, Siva had used an incorrect VLSM (/25 where he needed /24).

Siva reports that all is working well now.

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ te...@sh...
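As an added illustration of problems (b) and (c) above (not code from the thread or from Shorewall itself), here is a small Python check that applies Shorewall's first-match policy semantics to a constructed policy table, reports ACCEPT entries that an earlier "all all REJECT" line silently shadows, and verifies whether a rules-file network (/25 versus /24) actually contains a given host. The zone pairs and addresses are constructed samples, not Siva's real configuration.

```python
import ipaddress

# Constructed Shorewall-style policy tables (SOURCE, DEST, POLICY).
# Shorewall evaluates the policy file top to bottom; the first match wins.
MISORDERED_POLICY = [
    ("all", "all", "REJECT"),   # catch-all placed first: shadows everything below
    ("net", "dmz", "ACCEPT"),
    ("dmz", "net", "ACCEPT"),
]
FIXED_POLICY = [
    ("net", "dmz", "ACCEPT"),
    ("dmz", "net", "ACCEPT"),
    ("all", "all", "REJECT"),   # catch-all belongs last
]


def first_match(policies, src, dst):
    """Return the policy action Shorewall would apply to traffic src -> dst.

    An entry matches when each of its zones is either the literal zone
    name or the wildcard 'all'.
    """
    for s, d, action in policies:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None


def shadowed_policies(policies):
    """Return entries that can never match because an earlier entry already
    covers the same zone pair. An 'all all' line early in the file is the
    classic cause, as in the mis-ordered file described in the thread."""
    shadowed = []
    for i, (s, d, action) in enumerate(policies):
        if first_match(policies[:i], s, d) is not None:
            shadowed.append((s, d, action))
    return shadowed


def rule_covers(rule_cidr, host):
    """Check whether a rules-file SOURCE/DEST network contains a host.

    A /25 only spans 128 addresses, so hosts in the upper half of a /24
    fall outside it and never hit the ACCEPT rule (problem (c) above).
    """
    network = ipaddress.ip_network(rule_cidr, strict=False)
    return ipaddress.ip_address(host) in network


if __name__ == "__main__":
    print("mis-ordered net->dmz:", first_match(MISORDERED_POLICY, "net", "dmz"))
    print("shadowed entries:", shadowed_policies(MISORDERED_POLICY))
    print("/25 covers 10.1.1.200?", rule_covers("10.1.1.0/25", "10.1.1.200"))
```

Running the script against the mis-ordered table shows both ACCEPT policies reported as shadowed and net->dmz traffic resolving to REJECT, while the constructed host 10.1.1.200 is outside a /25 but inside the /24.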