Re: Help with ipchains on Potato -- problem with -s?
-----BEGIN PGP SIGNED MESSAGE-----
That was easy -- both Oscar and David seem to have found the cause and the
solution of the problem I was having. Checking my firewall with ipchains
- -L hung up sometimes when it was doing a reverse-lookup of the IP addresses
in the rules, so ipchains -L -n (to prevent the DNS lookup) worked fine.
Many thanks to you both!
On Thu, 11 Oct 2001, Oscar Pearce wrote:
>Looks like a problem with reverse-DNS. Does ipchains -L *chain* -n hang?
On Fri, 12 Oct 2001, David Anso wrote:
>Run "ipchains -L -n" to stop the DNS trying to lookup the 192 address. It
>appears it's all working, but trying to find the DNS name of 192.168.0.0
My original message:
>> I've been trying to configure a firewall using ipchains on a machine
>> running pretty much a stock installation of Potato -- I've done the
>> upgrade but not dist-upgrade. My kernel is the default 2.2.19pre17, and
>> given that /proc/net/ip_fwchains exists, I figure it has the appropriate
>> support for using ipchains.
>> My problem is this: whenever I use ipchains to try to filter by source
>> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.
>> Details (I'll use *chain* to stand for any one of the chains):
>> All the following ipchains commands work properly (i.e. checking with
>> ipchains -L returns an intelligible response, and the packet filter seems
>> to behave as it should given the ipchains commands):
>> ipchains -F *chain*
>> ipchains -P *chain* DENY
>> ipchains -A input -i lo -j ACCEPt
>> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
>> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
>> ipchains -A input -j DENY -l
>> BUT when I try to filter by source address, e.g.
>> ipchains -A input -i eth0 -s 192.168.0.0/16 -j DENY
>> and check with ipchains -L to see my rule set, ipchains -L just seems to
>> hang, and prints out just this:
>> Chain input (policy ACCEPT):
>> target prot opt source destination ports
>> I have to hit ctrl-c to get the prompt back.
>> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
>> make a change there (i.e. it looks like the rule gets registered there,
>> when I check that file with more), but ipchains -L just hangs there.
>> One more complication: this doesn't happen every time. Oddly, sometimes
>> my whole firewall script runs and everything works -- I get a proper
>> response from ipchains -L. But sometimes it doesn't. I've tried to
>> establish a pattern, but other than noting that it seems to be using
>> ipchains with the -s option that triggers it, I can't seem to detect
>> anything that might indicate why it works sometimes but not others.
>> Absolutely maddening.
>> Any ideas? Anything I'm missing, or anywhere else I can check?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----