Re: Help with ipchains on Potato -- problem with -s?
Looks like a problem with reverse-DNS. Does ipchains -L *chain* -n hang?
Oscar
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 10/11/2001, 2:38:08 PM, Marc Ozon <marc.ozon@utoronto.ca> wrote
regarding Help with ipchains on Potato -- problem with -s?:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Hi,
> I've been trying to configure a firewall using ipchains on a machine
> running pretty much a stock installation of Potato -- I've done the
apt-get
> upgrade but not dist-upgrade. My kernel is the default 2.2.19pre17, and
> given that /proc/net/ip_fwchains exists, I figure it has the appropriate
> support for using ipchains.
> My problem is this: whenever I use ipchains to try to filter by source
> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.
> Details (I'll use *chain* to stand for any one of the chains):
> All the following ipchains commands work properly (i.e. checking with
> ipchains -L returns an intelligible response, and the packet filter seems
> to behave as it should given the ipchains commands):
> ipchains -F *chain*
> ipchains -P *chain* DENY
> ipchains -A input -i lo -j ACCEPt
> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
> ipchains -A input -j DENY -l
> BUT when I try to filter by source address, e.g.
> ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY
> and check with ipchains -L to see my rule set, ipchains -L just seems to
> hang, and prints out just this:
> Chain input (policy ACCEPT):
> target prot opt source destination ports
> I have to hit ctrl-c to get the prompt back.
> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
> make a change there (i.e. it looks like the rule gets registered there,
> when I check that file with more), but ipchains -L just hangs there.
> One more complication: this doesn't happen every time. Oddly, sometimes
> my whole firewall script runs and everything works -- I get a proper
> response from ipchains -L. But sometimes it doesn't. I've tried to
> establish a pattern, but other than noting that it seems to be using
> ipchains with the -s option that triggers it, I can't seem to detect
> anything that might indicate why it works sometimes but not others.
> Absolutely maddening.
> Any ideas? Anything I'm missing, or anywhere else I can check?
> Thanks,
> Marc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (OpenBSD)
> Comment: For info see http://www.gnupg.org
> iD8DBQE7xfUmwCp3zWOyN7gRAneuAKCggnQ7MIp4sxeEOg2AwUUjRR023wCfVBN6
> kqYlSNPq9dNOkqiGLnCWDqc=
> =9M/Z
> -----END PGP SIGNATURE-----
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Reply to: