On Thu, 30 Mar 2000, Jim Hoepner wrote:
> I think I'm getting out thru the firewall cause I see it says "Website found" and displays the IP address but sits there "waiting for reply"

I struggled with this early on, and eventually realized I had set a trap for myself and was being misled by it.

Are you using the firewall box as a nameserver as well? If so, it's quite possible that you could look up a name and then not be able to do anything with the resulting address. Because when it doesn't know an address, *it* - the nameserver/firewall - originates a request up the DNS hierarchy. The reply doesn't have to go through your firewall, it only has to be accepted back into the nameserver. Then your nameserver, having learned the address, sends it to your workstation. This packet, also, doesn't have to go through the firewall. So you THINK your firewall is sort of working, when it might not be working at all.

Start on the firewall itself. Can you, from there, see your other machines? Can you, from there, see the rest of the world? If so, then the machine is networking correctly on both sides. So switch to one of your other machines. You should see the firewall, no problem. Can you see through it to the outside world, by IP address? I'm guessing you can't. This would indicate a problem with the forwarding scripts.

The main problem I tripped over with ipchains is that an incoming packet is ALWAYS subject to the input and output chains. If it passes those, a packet that is a reply on a masqueraded connection automatically gets through, and a packet that is actually for the firewall machine is of course already there, and anything else must also pass through the forward chain. I was trying to secure my firewall, rejecting all incoming packets except a few explicitly permitted ports. This had the effect that while I could initiate an outgoing connection, the incoming acknowledgement would be dropped by the firewall. The input rules have to let practically everything in.
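
Added example, not part of the original message: a toy Python model of the ipchains packet path described above, showing a reply on a masqueraded connection being dropped by a strict input chain. All addresses, interface names and rulesets are constructed; the "fixed" ruleset is an assumption of this example (non-SYN TCP to the default 2.2 masquerade ports 61000-65095), not a rule taken from the message.

```python
# Added example: toy model of the Linux 2.2 ipchains packet path (not real ipchains).
MASQ_PORTS = range(61000, 65096)  # default masquerade port range in 2.2 kernels
FW_EXT = "203.0.113.1"            # constructed external address of the firewall

def _hit(want, got):
    return got in want if isinstance(want, range) else got == want

def run_chain(rules, policy, pkt):
    """First matching rule wins; if none match, the chain policy applies."""
    for match, target in rules:
        if all(_hit(want, pkt.get(field)) for field, want in match.items()):
            return target
    return policy

def traverse(pkt, fw, masq):
    """Return (verdict, chain that decided) for a packet arriving at the firewall."""
    if run_chain(fw["input"], "DENY", pkt) != "ACCEPT":
        return ("DENY", "input")
    if pkt["dst"] == FW_EXT:
        if pkt["dport"] not in masq:
            return ("LOCAL", "input")            # addressed to the firewall itself
        pkt = dict(pkt, dst=masq[pkt["dport"]])  # reply is demasqueraded, skips forward
    elif run_chain(fw["forward"], "DENY", pkt) != "ACCEPT":
        return ("DENY", "forward")
    return (run_chain(fw["output"], "ACCEPT", pkt), "output")

# Constructed rulesets. "strict" is the trap: only a few ports are allowed in.
strict = {"input": [({"iface": "eth1"}, "ACCEPT"),   # eth1 = internal LAN side
                    ({"iface": "eth0", "proto": "tcp", "dport": 22}, "ACCEPT")],
          "forward": [({"src": "192.168.1.10"}, "ACCEPT")],  # stands in for "-j MASQ"
          "output": []}
# Assumed narrower fix: also accept non-SYN TCP ("! -y") to the masquerade ports.
fixed = dict(strict, input=strict["input"] + [
    ({"iface": "eth0", "proto": "tcp", "dport": MASQ_PORTS, "syn": False}, "ACCEPT")])

masq = {61000: "192.168.1.10"}  # one masqueraded connection from a LAN workstation
outbound = {"iface": "eth1", "proto": "tcp", "src": "192.168.1.10",
            "dst": "198.51.100.7", "dport": 80, "syn": True}
reply = {"iface": "eth0", "proto": "tcp", "src": "198.51.100.7",
         "dst": FW_EXT, "dport": 61000, "syn": False}
probe = dict(reply, syn=True)   # unsolicited connection attempt to the same port

if __name__ == "__main__":
    for name, fw in (("strict", strict), ("fixed", fixed)):
        for label, pkt in (("outbound", outbound), ("reply", reply), ("probe", probe)):
            print(name, label, traverse(pkt, fw, masq))
```

With the strict ruleset the outbound packet leaves but its reply dies in the input chain, which is the "waiting for reply" symptom; the forward chain is never consulted for that reply.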