From: Alex Boag-Munroe (ajbm@ntlworld.com)
Date: Tue Nov 14 2000 - 21:53:34 PST
Denying 0.0.0.0 denies ALL addresses....
On Tuesday 14 November 2000 21:16, you wrote:
> firstly, thanks to all those who offered suggestions. I have to be honest
> and tell you I'm pretty new to networking so I hope I understood the ideas
> presented here, but unfortunately, still no solution.
>
> 1 - The 10.200.1.1 address is the internal address of eth1 which connects
> to my ADSL modem. I don't know why this address was specified by my ISP,
> but it's not the Internet address in any case. You can see that in the ppp0
> entry of ifconfig:
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:212.150.34.7 P-t-P:212.150.34.1 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:43 errors:0 dropped:0 overruns:0 frame:0
> TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:10
>
> In any case, I did try commenting out the line Colin suggested, but it
> didn't solve the problem.
>
> 2 - On 14-Nov-2000 Patrick Benson wrote:
> > Shlomo, I just browsed through the archives and found a post that may
> > help you more than the one I posted yesterday:
> >
> > http://www.pointman.org/PMFirewall/list-archive/0620.html
>
> I must admit I didn't understand this one (after reading the entire
> thread), but I tried cutting and pasting the lines suggested
> into my mfirewall.rules.local file. Again, no luck.
>
> 3 - Here's a real weird one - I guess I was getting desperate, so I
> decided to comment out everything and start uncommenting lines one at a
> time till I find the problem, but believe it or not, with all the lines in
> the pmfirewall.rules.local file commented out, I still can't ping out (or use
> Netscape). Another strange thing is that even with all lines commented out
> (essentially an empty file) I still get the following output to the ipchains
> -L -n. The only DENY line seems to be innocent - referring to 0.0.0.0 so I
> don't see a problem, but where are all these rules coming from and of
> course the big question, why can't I get through the firewall with this
> seemingly **innocent** set of ipchains rules?
>
> Chain input (policy ACCEPT):
> target prot opt    source          destination     ports
> ACCEPT all  ------ 0.0.0.0/0       0.0.0.0/0       n/a
> ACCEPT tcp  !y---- 0.0.0.0/0       10.0.0.0/8      * -> *
> ACCEPT all  ------ 192.168.0.0/24  0.0.0.0/0       n/a
> ACCEPT icmp ------ 0.0.0.0/0       10.0.0.0/8      * -> *
> ACCEPT tcp  ------ 0.0.0.0/0       10.0.0.0/8      * -> 1023:65535
> ACCEPT udp  ------ 0.0.0.0/0       10.0.0.0/8      * -> 1023:65535
> DENY   all  ----l- 0.0.0.0/0       0.0.0.0/0       n/a
> Chain forward (policy DENY):
> target prot opt    source          destination     ports
> ACCEPT all  ------ 192.168.0.0/24  192.168.0.0/24  n/a
> ACCEPT all  ------ 10.0.0.0/8      0.0.0.0/0       n/a
> MASQ   all  ------ 192.168.0.0/24  0.0.0.0/0       n/a
> Chain output (policy ACCEPT):
> target prot opt    source          destination     ports
> ACCEPT all  ------ 0.0.0.0/0       0.0.0.0/0       n/a
> ACCEPT all  ------ 192.168.0.0/24  0.0.0.0/0       n/a
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 80
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 22
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 23
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 21
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 110
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 25
> -      tcp  ------ 0.0.0.0/0       0.0.0.0/0       * -> 20
> ACCEPT icmp ------ 192.168.0.0/24  0.0.0.0/0       * -> *
> ACCEPT icmp ------ 10.0.0.0/8      0.0.0.0/0       * -> *
> ACCEPT all  ------ 0.0.0.0/0       0.0.0.0/0       n/a
>
> 4 - I also discovered that I can PING to one address. Notice the ppp0 entry
> above. I can ping to the following:
>
> PING 212.150.34.7 (212.150.34.7): 56 octets data
> 64 octets from 212.150.34.7: icmp_seq=0 ttl=255 time=0.3 ms
> 64 octets from 212.150.34.7: icmp_seq=1 ttl=255 time=0.3 ms
> 64 octets from 212.150.34.7: icmp_seq=2 ttl=255 time=0.3 ms
> 64 octets from 212.150.34.7: icmp_seq=3 ttl=255 time=0.3 ms
>
> but you can see from the response time that this is an internal address. On
> the other hand, I can only reach the **external** part of the PPTP tunnel
> if I turn off the firewall:
>
> PING 212.150.34.1 (212.150.34.1): 56 octets data
> 64 octets from 212.150.34.1: icmp_seq=0 ttl=64 time=75.9 ms
> 64 octets from 212.150.34.1: icmp_seq=1 ttl=64 time=63.3 ms
> 64 octets from 212.150.34.1: icmp_seq=2 ttl=64 time=46.9 ms
> 64 octets from 212.150.34.1: icmp_seq=3 ttl=64 time=47.0 ms
>
> //-------------------------
> Shlomo Solomon
> E-Mail: solomon@barak-online.net
> http://come.to/shlomo.solomon
> Date: 14-Nov-2000 Time: 22:48:23
>
> Message sent by XFMail on a LINUX Mandrake 7.2 machine
> //-------------------------
****************************************************************************
* To UNSUBSCRIBE from the list, send a message with "unsubscribe pmfirewall"
* in the message body to majordomo@pointman.org. Please direct other
* questions, comments, or problems to pmfirewall-owner@pointman.org.
*
* Need answers fast? Check the list archive located at:
* http://www.pointman.org/PMFirewall/list-archive/
*
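To make Alex's one-line answer concrete, here is an added example (not from this thread or from PMFirewall) that walks a packet through the quoted input chain with ipchains' first-match semantics. It assumes the first catch-all ACCEPT is bound to the loopback interface (plain `ipchains -L -n` hides the interface column, so that binding is an assumption) and models only the fields the listing shows.

```python
"""Added example: first-match walk of the input chain quoted in the thread.
Shows that 0.0.0.0/0 matches every address, so the final
'DENY all 0.0.0.0/0 0.0.0.0/0' catches whatever the earlier rules skip."""
import ipaddress


def in_net(addr, cidr):
    """True when addr lies inside cidr; 0.0.0.0/0 contains every IPv4 address."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


# Input chain from the quoted `ipchains -L -n` (policy ACCEPT). Fields:
# (target, proto, source, destination, dport range, iface, syn-flag match).
# ASSUMPTION: rule 1 is bound to lo (the listing does not show interfaces).
# '!y' on rule 2 means "not SYN", i.e. only established TCP traffic.
INPUT_CHAIN = [
    ("ACCEPT", "all",  "0.0.0.0/0",      "0.0.0.0/0",  None,          "lo", None),
    ("ACCEPT", "tcp",  "0.0.0.0/0",      "10.0.0.0/8", None,          None, False),
    ("ACCEPT", "all",  "192.168.0.0/24", "0.0.0.0/0",  None,          None, None),
    ("ACCEPT", "icmp", "0.0.0.0/0",      "10.0.0.0/8", None,          None, None),
    ("ACCEPT", "tcp",  "0.0.0.0/0",      "10.0.0.0/8", (1023, 65535), None, None),
    ("ACCEPT", "udp",  "0.0.0.0/0",      "10.0.0.0/8", (1023, 65535), None, None),
    ("DENY",   "all",  "0.0.0.0/0",      "0.0.0.0/0",  None,          None, None),
]


def walk(chain, pkt, policy="ACCEPT"):
    """Return (verdict, 1-based index of the deciding rule, or None for policy)."""
    for n, (target, proto, src, dst, ports, iface, syn) in enumerate(chain, 1):
        if proto != "all" and proto != pkt["proto"]:
            continue
        if iface is not None and iface != pkt["iface"]:
            continue
        if syn is not None and syn != pkt.get("syn", False):
            continue
        if ports and not (ports[0] <= pkt.get("dport", 0) <= ports[1]):
            continue
        if in_net(pkt["src"], src) and in_net(pkt["dst"], dst):
            return target, n
    return policy, None


if __name__ == "__main__":
    # Constructed packet: the echo reply to the ping of 212.150.34.1 in the thread.
    reply = {"proto": "icmp", "src": "212.150.34.1",
             "dst": "212.150.34.7", "iface": "ppp0"}
    print(walk(INPUT_CHAIN, reply))  # rule 4 wants dst 10.0.0.0/8, so rule 7 DENY
```

The same reply addressed to 10.200.1.1 would be accepted by the ICMP rule; the ppp0 address is outside 10.0.0.0/8, so nothing but the catch-all DENY matches it.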
This archive was generated by hypermail 2b29 : Sun Jun 10 2001 - 02:37:50 PDT