Re: [pmfirewall] installation problem

From: Patrick Benson (benson@chello.se)
Date: Sun Nov 12 2000 - 15:49:02 PST


Before you send an output from an ipchains -L -n command I would
*strongly* suggest that you switch your eth0 and eth1 interfaces so that
eth0 is for your internet interface and eth1 for your internal
interface. This is actually the "default" configuration for ethernet
configurations in Linux, during the boot process and system
initialization:

http://www.linuxdocs.org/Net-HOWTO-5.html#ss5.3

The problem is that when you begin to install software, especially
important networking tools that you may want to use, to monitor your
firewall or maybe test your networking conditions in a certain fashion,
the install scripts will be looking for eth0 first and then eth1 after
that and if you have it the other way round this may cause unreliable
output that you could misinterpret and *that* could be dangerous. It
would also be helpful if you can state, more specifically, how your
connection to the ISP is set up: do you have a static IP address or do
you use DHCP, or maybe some other like PPPoE, PPTP, etc.? Why these are
important points is just so that you will not have any holes in your
firewall once it is up and running...

solomon@barak-online.net wrote:
>
> I wrote about this a few weeks ago and no-one was able to help, so I'm writing
> again. Since my previous request for help, I've updated from Mandrake 7.0 to
> 7.2 and re-installed pmfirewall, but I still have the same problem as before. I
> hope someone can help.
>
> I downloaded pmfirewall and installed it after reading all the documentation.
> I also followed an excellent on-line tutorial on the Linux Mandrake site. All
> the questions and answers in the installation process (sh install.sh) were
> explained very well.
>
> I have a LINUX box (Pentium 500) with two NICs - eth0 connects to my home
> network and eth1 connects to an ALCATEL ADSL modem. Before installing
> pmfirewall, I could connect to the INTERNET and do anything I want on the
> LINUX box. The WIN98 box did not see the INTERNET. The point of installing
> pmfirewall was to act as a firewall on the LINUX box and also to provide IP
> Masquerading to allow the Win98 box to surf the INTERNET.
>
> After running pmfirewall start, I could no longer do anything on the INTERNET
> - I couldn't reach any address with PING, TRACEROUTE, OR Netscape. This applies
> to both the LINUX box connected via ADSL to the INTERNET and to a WIN98 machine
> on the network.
>
> Although during the install process, I answered all the **default** answers
> (except of course to identify eth0 as my internal device and eth1 as my
> external device) I thought maybe I'd set up one or more of the rules wrongly.
> So as an experiment, I re-installed and this time answered all the **wrong**
> answers and allowed **EVERYTHING** (obviously not the intent of the
> FireWall but I was experimenting) to see if this would solve the problem. But I
> still couldn't do anything on the INTERNET. Running pmfirewall stop immediately
> solved the problem.
>
> The strangest thing is that if I run pmfirewall masqstart, I can use both
> machines. I can now surf the INTERNET from the WIN98 machine on my home
> network. So the IP Masquerading part of the program is working. But the Firewall is
> **too good** and apparently blocking everything!!!!!
>
> Any ideas what to look for to see why this is happening??
>
> If anyone is interested, I'd be glad to send configuration files and/or the
> output of "ipchains -l" before and after each command.
>
> TIA
>
> //-------------------------
> Shlomo Solomon
> E-Mail: solomon@barak-online.net
> http://come.to/shlomo.solomon
> Date: 12-Nov-2000 Time: 21:54:12
>
> Message sent by XFMail on a LINUX Mandrake 7.2 machine
> //-------------------------

-- 
Patrick Benson
Stockholm, Sweden

This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:37:43 PDT