Re: [Fwbuilder-discussion] can not get trough firewall even though last rule is any any any permit is last rule

[Vadim K. /r/ <va...@vk...>]

On Tuesday, October 28, 2003, at 11:42  AM, Jim wrote:

> I checked and packet forwarding is enabled.  My last rule is any any 
> any
> accept, so nothing should be denied correct?
>

correct, provided iptables uses connection tracking module.


> Below is the output I recieve when I execute the script, I do not think
> this would stop the script from working or is this the root of the
> problem?  What else should I check to see why I can not get from a
> workstation on the internal side to the external side.
>
>
> Nothing to flush.
> ./health.fw: cd: /lib/modules/2.4.22/kernel/net/ipv4/netfilter/: No 
> such
> file or directory
> ls: *_conntrack_*: No such file or directory
>

yes, this might be a problem. Did you recompile your kernel yourself ? 
The netfilter code needs to be either compiled as modules, or built in 
the kernel. Since directory 
"/lib/modules/2.4.22/kernel/net/ipv4/netfilter/" does not exist, it is 
obviously not compiled as a module.

--vk


>
> Also below is the output from ifconfig: not sure what eth1:FWB1 means?
>
> ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:50:DA:5B:86:4F
>           inet addr:10.10.1.110  Bcast:10.10.255.255  Mask:255.255.0.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:30647 errors:0 dropped:0 overruns:1 frame:0
>           TX packets:5432 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:2798972 (2.6 MiB)  TX bytes:1595198 (1.5 MiB)
>           Interrupt:11 Base address:0x1400
>
> eth1      Link encap:Ethernet  HWaddr 00:04:5A:7D:BB:43
>           inet addr:161.223.4.161  Bcast:161.223.4.255
> Mask:255.255.255.128
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:11940 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:548 dropped:0 overruns:0 carrier:1096
>           collisions:0 txqueuelen:100
>           RX bytes:2363159 (2.2 MiB)  TX bytes:0 (0.0 b)
>           Interrupt:11 Base address:0x1000
>
> eth1:FWB1 Link encap:Ethernet  HWaddr 00:04:5A:7D:BB:43
>           inet addr:161.223.4.183  Bcast:161.223.4.255
> Mask:255.255.255.128
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Interrupt:11 Base address:0x1000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:8 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:560 (560.0 b)  TX bytes:560 (560.0 b)
>
>
>
> Jim
>
>
>
> On Tue, 2003-10-28 at 12:21, Vadim Kurland /r/ wrote:
>> On Tuesday, October 28, 2003, at 10:23  AM, Jim wrote:
>>
>>> I have created a firewall script with fwbuilder and I have some 
>>> clients
>>> on my internal network that need to telnet and have http acccess
>>> through
>>> the external network.  I can not telnet to the IP I want to nor can I
>>> ping the host.
>>>
>>>
>>> Although I can ping the IP in question directly from the firewall.
>>>
>>> Do I need to do something to enable routing from one nic to the 
>>> other?
>>>> From one network to the other?
>>>>
>>
>> one thing to check is whether ip forwarding is turned on. There is a
>> GUI control for it in the "Network" tab of the firewall object dialog.
>>
>> there is a brief list of things to check here:
>> http://www.fwbuilder.org/archives/cat_troubleshooting.html
>>
>> --vk
>>