
Re: Help with ipchains on Potato -- problem with -s?



Looks like a problem with reverse-DNS.  Does ipchains -L *chain* -n hang?

Oscar

>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 10/11/2001, 2:38:08 PM, Marc Ozon <marc.ozon@utoronto.ca> wrote regarding Help with ipchains on Potato -- problem with -s?:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi,

> I've been trying to configure a firewall using ipchains on a machine
> running pretty much a stock installation of Potato -- I've done the apt-get
> upgrade but not dist-upgrade.  My kernel is the default 2.2.19pre17, and
> given that /proc/net/ip_fwchains exists, I figure it has the appropriate
> support for using ipchains.

> My problem is this:  whenever I use ipchains to try to filter by source
> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.

> Details (I'll use *chain* to stand for any one of the chains):

> All the following ipchains commands work properly (i.e. checking with
> ipchains -L returns an intelligible response, and the packet filter seems
> to behave as it should given the ipchains commands):

> ipchains -F *chain*
> ipchains -P *chain* DENY
> ipchains -A input -i lo -j ACCEPT
> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
> ipchains -A input -j DENY -l

> BUT when I try to filter by source address, e.g.

> ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY

> and check with ipchains -L to see my rule set, ipchains -L just seems to
> hang, and prints out just this:

> Chain input (policy ACCEPT):
> target     prot opt     source                destination           ports
> I have to hit ctrl-c to get the prompt back.

> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
> make a change there (i.e. it looks like the rule gets registered there,
> when I check that file with more), but ipchains -L just hangs there.

> One more complication:  this doesn't happen every time.  Oddly, sometimes
> my whole firewall script runs and everything works -- I get a proper
> response from ipchains -L.  But sometimes it doesn't.  I've tried to
> establish a pattern, but other than noting that it seems to be using
> ipchains with the -s option that triggers it, I can't seem to detect
> anything that might indicate why it works sometimes but not others.
> Absolutely maddening.

> Any ideas?  Anything I'm missing, or anywhere else I can check?

> Thanks,
> Marc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (OpenBSD)
> Comment: For info see http://www.gnupg.org

> iD8DBQE7xfUmwCp3zWOyN7gRAneuAKCggnQ7MIp4sxeEOg2AwUUjRR023wCfVBN6
> kqYlSNPq9dNOkqiGLnCWDqc=
> =9M/Z
> -----END PGP SIGNATURE-----


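A small diagnostic script, added here as an example and not part of either message in the thread, that turns Oscar's suggestion into a repeatable check: it times the resolving listing (`ipchains -L chain`) against the numeric one (`ipchains -L chain -n`) for the same chain. If only the resolving run stalls, the delay is in reverse-DNS lookups of the rule addresses, not in the kernel rule set. The `IPCHAINS` and `LIST_TIMEOUT` variables, the function names, and the use of coreutils `timeout` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a stalling
# "ipchains -L" is caused by reverse-DNS lookups by comparing the
# resolving and the numeric (-n) listing of the same chain.
# Assumes coreutils "timeout" is installed. IPCHAINS and LIST_TIMEOUT
# can be overridden (for example to point at a test stub).

IPCHAINS=${IPCHAINS:-ipchains}      # command to run (assumed name)
LIST_TIMEOUT=${LIST_TIMEOUT:-10}    # seconds before a listing counts as hung

# list_chain CHAIN yes|no
# Runs "ipchains -L CHAIN" (with -n when the second argument is "yes")
# under a timeout and prints one word: ok, hung, or missing.
list_chain() {
    chain=$1
    numeric=$2
    set -- -L "$chain"
    [ "$numeric" = yes ] && set -- "$@" -n
    rc=0
    # output is discarded; only completion within the timeout matters
    timeout "$LIST_TIMEOUT" "$IPCHAINS" "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        124) echo hung ;;      # timeout killed it
        126|127) echo missing ;;  # command not found / not executable
        *) echo ok ;;
    esac
    return 0
}

# diagnose_chain CHAIN
# Prints one word describing what the two listings showed:
#   reverse-dns  numeric listing completes but the resolving one hangs
#   fine         both complete within the timeout
#   other        both hang (so name resolution is not the cause)
#   missing      the ipchains command could not be run
#   unexpected   any other combination
diagnose_chain() {
    chain=$1
    num=$(list_chain "$chain" yes)
    res=$(list_chain "$chain" no)
    case "$num/$res" in
        ok/hung)     echo reverse-dns ;;
        ok/ok)       echo fine ;;
        hung/hung)   echo other ;;
        missing/*)   echo missing ;;
        *)           echo unexpected ;;
    esac
    return 0
}

# Usage: run as root on the firewall host, e.g.
#   sh diagnose-ipchains.sh input
# (the argument check below keeps the script quiet when sourced)
if [ -n "$1" ] && [ "${DIAGNOSE_SOURCED:-no}" = no ]; then
    printf 'chain %s: %s\n' "$1" "$(diagnose_chain "$1")"
fi
```

When the result is `reverse-dns`, the rules are fine and the fix is simply to list with `-n` (or to make sure the host can reach a resolver before its own firewall script cuts DNS off, which is one reason the hang can come and go between runs).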