[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Help with ipchains on Potato -- problem with -s?

Hash: SHA1

That was easy -- both Oscar and David seem to have found the cause and the
solution of the problem I was having.  Checking my firewall with ipchains
- -L hung up sometimes when it was doing a reverse-lookup of the IP addresses
in the rules, so ipchains -L -n (to prevent the DNS lookup) worked fine.

Many thanks to  you both!


On Thu, 11 Oct 2001, Oscar Pearce wrote:

>Looks like a problem with reverse-DNS.  Does ipchains -L *chain* -n hang?

On Fri, 12 Oct 2001, David Anso wrote:

>Run "ipchains -L -n" to stop the DNS trying to lookup the 192 address.  It
>appears it's all working, but trying to find the DNS name of

My original message:

>> Hi,
>> I've been trying to configure a firewall using ipchains on a machine
>> running pretty much a stock installation of Potato -- I've done the
>> upgrade but not dist-upgrade.  My kernel is the default 2.2.19pre17, and
>> given that /proc/net/ip_fwchains exists, I figure it has the appropriate
>> support for using ipchains.
>> My problem is this:  whenever I use ipchains to try to filter by source
>> address, i.e. with -s x.x.x.x/x as an option, something goes wrong.
>> Details (I'll use *chain* to stand for any one of the chains):
>> All the following ipchains commands work properly (i.e. checking with
>> ipchains -L returns an intelligible response, and the packet filter seems
>> to behave as it should given the ipchains commands):
>> ipchains -F *chain*
>> ipchains -P *chain* DENY
>> ipchains -A input -i lo -j ACCEPt
>> ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT
>> ipchains -A input -i eth0 -p icmp --destination-port 0 -j ACCEPT
>> ipchains -A input -j DENY -l
>> BUT when I try to filter by source address, e.g.
>> ipchains -A input -i eth0 -s -j DENY
>> and check with ipchains -L to see my rule set, ipchains -L just seems to
>> hang, and prints out just this:
>> Chain input (policy ACCEPT):
>> target     prot opt     source                destination           ports
>> I have to hit ctrl-c to get the prompt back.
>> When I look at /proc/net/ip_fwchains, it seems that rules with -s options
>> make a change there (i.e. it looks like the rule gets registered there,
>> when I check that file with more), but ipchains -L just hangs there.
>> One more complication:  this doesn't happen every time.  Oddly, sometimes
>> my whole firewall script runs and everything works -- I get a proper
>> response from ipchains -L.  But sometimes it doesn't.  I've tried to
>> establish a pattern, but other than noting that it seems to be using
>> ipchains with the -s option that triggers it, I can't seem to detect
>> anything that might indicate why it works sometimes but not others.
>> Absolutely maddening.
>> Any ideas?  Anything I'm missing, or anywhere else I can check?
>> Thanks,
>> Marc

Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org


Reply to: