Re: [Fwbuilder-discussion] Policy for pinging
From: <va...@vk...> - 2006-03-25 05:16:16
Ted, yes, a rule like this should allow ping from inside to the net and to the firewall box, provided you change addresses in the objects used in the template with the real ones. The template provides an example of a simple working policy and will suit your needs if IP addresses used in it match your setup. Template assumes internal network uses address 192.168.1.0/24 and internal address of the firewall is 192.168.1.1. If these do not match your configuration, you need to make changes in the objects in fwbuilder. You can simply change IP address of the firewall's interface; to change address of the object representing internal network you need to create your own object with correct address and netmask and put it in rules instead of the standard object.

Only after all the changes have been made, it makes sense to compile and install policy. If you try to activate policy script without changing IP addresses, all sorts of strange things will happen. For example, the script will try to assign IP address 192.168.1.1 to the interface of your firewall. It won't add it again if the firewall already has this address.

--vk

On Mar 23, 2006, at 5:32 PM, ted creedon wrote:

> Correct me if I'm wrong but one must:
>
> 1. change the default eth1 (inside) address from 192.168.1.1 to 10.1.1.1
>
> 2. do an ifdown eth1 and an ifup eth1 before running the firewall script.
>
> tedc
>
> From: fwb...@li... [mailto:fwb...@li...] On Behalf Of ted creedon
> Sent: Thursday, March 23, 2006 5:20 PM
> To: fwb...@li...
> Subject: [Fwbuilder-discussion] Policy for pinging
>
> 1. Using prebuilt template 1, shouldn't a global policy RULE 0:
>
> SRC:ANY DEST:ANY SERVICE:ICMP ACTION:ACCEPT
>
> allow pinging from inside to the net as well as the net to the firewall box?
>
> 2: if there's an internal net of 10.1.1.0, can that be substituted wherever "net-192.168.1.0" appears in the templates?
>
> 3: If 2 is the case, why does eth1 have a second address of 192.168.1.1?
>
> Thanks
>
> tedc
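The two points in this thread that are easiest to misread, the ICMP accept rule and the activation script adding the template's 192.168.1.1 address to eth1 only when the interface does not already carry it, written out as an added illustration; this is not fwbuilder's own generated script, and the interface name, variable names and helper functions are assumptions.

```shell
#!/bin/sh
# Added illustration, not fwbuilder's generated script. Variable and function
# names are assumptions; addresses are the template defaults from the thread.

INSIDE_IF="eth1"
INSIDE_ADDR="192.168.1.1/24"   # template default; set your real address first

# addr_present TEXT ADDR: succeed if TEXT (output of "ip -4 addr show dev IF")
# already lists "inet ADDR". Fixed-string match with a trailing space, so
# 192.168.1.1/24 is not matched by 192.168.1.1/2.
addr_present() {
    printf '%s\n' "$1" | grep -qF -- "inet $2 "
}

# ensure_addr IF ADDR: add ADDR to IF only when it is not already there,
# mirroring the "won't add it again" behaviour described in the reply.
ensure_addr() {
    current=$(ip -4 addr show dev "$1" 2>/dev/null || true)
    if addr_present "$current" "$2"; then
        echo "$1 already has $2, not adding it again"
    else
        ip addr add "$2" dev "$1"
    fi
}

# icmp_rules: the equivalent of "SRC:ANY DEST:ANY SERVICE:ICMP ACTION:ACCEPT"
# as rule 0, inserted at the top of the three built-in filter chains so ping
# reaches the firewall box and also passes through it.
icmp_rules() {
    for chain in INPUT OUTPUT FORWARD; do
        iptables -I "$chain" 1 -p icmp -j ACCEPT
    done
}

# demo_check: constructed "ip addr" output used to exercise addr_present
# without touching the system. Returns 0 when both checks behave as expected.
demo_check() {
    sample='2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1'
    addr_present "$sample" "192.168.1.1/24" || return 1
    if addr_present "$sample" "10.1.1.1/24"; then return 1; fi
    return 0
}

# The system-changing part only runs when explicitly requested, as root.
if [ "${FWB_EXAMPLE_APPLY:-0}" = "1" ]; then
    ensure_addr "$INSIDE_IF" "$INSIDE_ADDR"
    icmp_rules
fi
```

Run with FWB_EXAMPLE_APPLY=1 only after the addresses match the real setup, which is exactly the mismatch the reply warns about.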