Re: [pmfirewall] installation problem

From: Alex Boag-Munroe (ajbm@ntlworld.com)
Date: Mon Nov 13 2000 - 12:47:44 PST


Well it turns out in the end his ISP uses a private address range.

However, what I said still stands, the order of interfaces shouldn't matter,
as long as during install he told pmfirewall correctly which were his internal
and external interfaces.

I could, for example, have a ppp link onto a LAN, VPN call it what you will,
but it would still be a private network. I could also have an ethernet card
attached to a cable modem. In theory, my ppp link would have a private
address and my ethernet a public one (unless you use Mr Solomon's
ISP)...would pmfirewall then not work, and I a disgrace to TCP standards
because my config is a tad unorthodox? I think not.

This is a mailing list whose primary function appears to be to help people.
So why don't we do that and be a little less quick on the button to jump on a
mistake that we spot? And also let's not jump on people who try to help
others.

When asked for his config files, people jumped on that saying it is likely
the order in which he is using his ethernet cards. Let's think about it shall
we? People mail this list asking for help, and hasty advice could cause
someone more harm than good. I work in a Network Management Centre and did
work in tech support, so I speak from experience.

My motto? Think first.

I know this was a reply to Patrick, but it is for all those who dealt with
this particular problem, and any others where they may have jumped too soon.

Remember, we get looked up to.

That's my £100 worth.

Alex

On Monday 13 November 2000 12:38, you wrote:
> Alex Boag-Munroe wrote:
> > The gentleman may have his cards the wrong way around according to
> > "standards", however, that won't be why pmfirewall isn't working surely!
> >
> > Alex Boag-Munroe
>
> That wasn't really the point, Alex. I don't think anyone would actually
> know until Shlomo says how his IP address is assigned: ie, either
> through DHCP, in which he receives an address from his Internet Service
> Provider or by a static address that was given to him when he subscribed
> to the service. The usual source of problems is that the networking
> interfaces are not yet up while the ipchains configuration set by the
> PMFirewall script is trying to locate the net configuration on the
> system, which is not set up yet. If you have cable and DHCP, for
> example, and the ISP's server is down for the moment you will not
> receive an IP address and if PMFirewall is set to start up at boot time
> it will generate a long list with 'invalid mask..' messages because it
> can't locate the external interface's address assigned by the ISP, there
> isn't any......Since Shlomo's connection is working fine without the
> firewall script running, it's not about a faulty interface configuration
> but has to do with the PMFirewall script conflicting with his
> interfaces. That was the point that I was addressing. Look in
> pmfirewall.rules.local, at the beginning, and you will see internal
> subnet ranges that are set to DENY, in order to prevent internal
> addresses entering in on the external interface, blocking non-routable
> IP's. If you have the external interface set to eth1 and the internal to
> eth0, there will be problems with those addresses, sooner or later. Any
> networking program that you will install will look for these two pairs
> of interfaces for networking: external=pppo internal=eth0, external=eth0
> internal=eth1. It's for reasons with compatibility, there are so many
> different kinds of systems out there that must be able to share some
> sort of rules in order to function properly, together. In order to send
> this e-mail I'm using TCP, not IPX. It wouldn't come through. This is
> probably one of the reasons why Shlomo may be having problems with
> PMFirewall getting to run, the net configuration says one thing while
> his PMFirewall configuration says another....
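
An added example, not part of either message or of PMFirewall itself: a small Python check for the two conditions discussed in this thread, an external interface that has no address yet when the rules are built, and an external address that falls inside a range denied on that interface (as with an ISP that hands out private addresses). The RFC 1918 list and the function name check_external are assumptions; the real ranges are whatever pmfirewall.rules.local contains.

```python
import ipaddress

# Assumption: the "internal subnet ranges" set to DENY on the external
# interface are the RFC 1918 private blocks. Replace this list with the
# ranges actually present in pmfirewall.rules.local.
DENIED_ON_EXTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def check_external(addr, denied=DENIED_ON_EXTERNAL):
    """Classify the external interface address before loading rules.

    addr is the address as text ("a.b.c.d" or "a.b.c.d/len"), or None/""
    when the interface has not been assigned one (DHCP lease not received).
    Returns (status, detail) where status is one of:
      "no-address", "invalid", "conflict", "ok".
    """
    if not addr:
        return ("no-address",
                "interface has no address; rules built now get an empty address/mask")
    try:
        ip = ipaddress.ip_interface(addr).ip
    except ValueError:
        return ("invalid", "cannot parse %r as an IP address" % addr)
    for net in denied:
        if ip in ipaddress.ip_network(net):
            # The firewall would drop traffic from the ISP's own range,
            # including the gateway and DHCP/DNS servers that live in it.
            return ("conflict", net)
    return ("ok", "")


if __name__ == "__main__":
    # Constructed sample addresses, not taken from the thread.
    samples = ["10.23.4.17/24", "203.0.113.9", "", "172.31.255.254"]
    for sample in samples:
        print(repr(sample), "->", check_external(sample))
```

A "conflict" result means the anti-spoofing DENY rule for that range has to be removed or narrowed for the external interface; a "no-address" result means the firewall should be started only after the interface is up.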

This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:37:44 PDT