Re: [Fwbuilder-discussion] FW: Rule not hitting - weird
From: <va...@vk...> - 2007-03-12 04:53:05
Perhaps servers on your new network use the new firewall as their default gateway. If this is the case, then the old firewall only sees packets going in one direction, _to_ the server, but does not see replies. If it does not see a complete TCP three-way handshake, it won't create a state entry for it and therefore will not permit packets. Rule #9 generates iptables code that matches packets in state NEW, that is, never before seen by the firewall. It is expected that such packets will create state in the state module and all other packets will match state ESTABLISHED, which is permitted by an automatic rule added on top of the policy. So, if you cannot make the old firewall see packets going in both directions, try to make rule #9 stateless (there is a checkbox in the rule options dialog for that).

--vk

On Mar 11, 2007, at 11:23 AM, Clemente Aguiar wrote:

> We are changing ISPs this month and for a while we will be running parallel networks (different address ranges) with two firewalls (one for each network).
>
> The thing is that my "old" firewall will not let some specific traffic through to my "new-network", for example http traffic. See the following log entry:
>
> Mar 11 17:51:14 fw1 FW-RULE 25 -- DENY IN=eth1 OUT=eth5 SRC=62.48.194.173 DST=49.109.64.51 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=700 DF PROTO=TCP SPT=1085 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
>
> The "old" firewall has the following rules.
> -------------
> RULE 9: old-network new-network ANY ALL BOTH ACCEPT ANY (Let all access to new network)
> ...
> RULE 25: ANY ANY ANY ALL BOTH DENY ANY (DROP ALL)
> -------------
>
> The old-network is 62.48.194.128/26 and the IP in the log entry above is in the range of new-network, so why doesn't rule 9 trigger?
>
> This erratic behaviour is just for the address range of new-network. I must say that I don't know what to do for the "old" firewall to behave properly.
>
> The firewalls are both Linux kernel 2.6, and both are being set up with FWBuilder 2.1.10.
>
> Just for the record, at one time I did have an interface of the old-firewall configured to access the new-network as well as FW rules configured, but all that was removed.
>
> Hope you can help me. At least give me some pointers.
>
> Clemente
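The mechanism vk describes, as an added illustration that is not part of the thread and not fwbuilder's generated code: a minimal connection tracker in which an entry only becomes ESTABLISHED after the full handshake has been seen, evaluated against the rule order from Clemente's policy (automatic ESTABLISHED rule on top, rule 9 matching NEW, rule 25 denying the rest). The classification names, the prefix-based network match and the packet values reused from the log line are simplifications chosen for this example.

```python
# Constructed model of a stateful iptables policy seeing only one direction
# of a TCP connection (asymmetric routing), and of the stateless fix.
from dataclasses import dataclass, field

OLD_NET = "62.48.194."   # old-network 62.48.194.128/26 (prefix match is a simplification)
NEW_NET = "49.109.64."   # new-network, prefix taken from the DST in the log entry

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}

@dataclass
class Conntrack:
    """Entry goes SYN_SENT -> SYN_RECV -> ESTABLISHED only if all three packets are seen."""
    table: dict = field(default_factory=dict)

    def classify(self, p):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})   # direction-agnostic tuple
        entry = self.table.get(key)
        if entry is None:
            if p.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"   # never seen before: NEW
                return "NEW"
            return "INVALID"                   # mid-stream packet with no state
        if entry == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECV"       # reply direction seen
            return "ESTABLISHED"
        if entry == "SYN_RECV" and p.flags == {"ACK"}:
            self.table[key] = "ESTABLISHED"
            return "ESTABLISHED"
        if entry == "ESTABLISHED":
            return "ESTABLISHED"
        return "INVALID"   # e.g. the client's ACK while the reply was never seen

def policy(p, state, rule9_stateless=False):
    """Return (rule, verdict): automatic ESTABLISHED rule, then rule 9, then rule 25."""
    if state == "ESTABLISHED":
        return ("auto", "ACCEPT")
    if p.src.startswith(OLD_NET) and p.dst.startswith(NEW_NET):
        if rule9_stateless or state == "NEW":
            return (9, "ACCEPT")
    return (25, "DENY")

def run(packets, rule9_stateless=False):
    ct = Conntrack()
    return [policy(p, ct.classify(p), rule9_stateless) for p in packets]

# Constructed packets using the endpoints from the log entry (client 62.48.194.173:1085 -> 49.109.64.51:80).
SYN = Packet("62.48.194.173", "49.109.64.51", 1085, 80, frozenset({"SYN"}))
SYN_ACK = Packet("49.109.64.51", "62.48.194.173", 80, 1085, frozenset({"SYN", "ACK"}))
ACK = Packet("62.48.194.173", "49.109.64.51", 1085, 80, frozenset({"ACK"}))
```

With the reply routed around the old firewall, `run([SYN, ACK])` lands the client's ACK on rule 25, matching the log line; `run([SYN, ACK], rule9_stateless=True)` accepts it on rule 9, and `run([SYN, SYN_ACK, ACK])` shows the normal symmetric case hitting the automatic rule.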