Re: (PM) ip filter problems

Arnaud Girsch (agirsch@OASysGroup.com)
Fri, 1 May 1998 17:16:25 -0700

> internet.in:
>
> 1 deny 192.168.1.128/25 0.0.0.0/0 ip
> 2 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 80 estab
> 3 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 21 estab
> 4 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 20 estab
> 5 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 23 estab
> 6 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 3264 estab
> 7 permit 0.0.0.0/0 0.0.0.0/0 udp src eq 53
> 8 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
> 9 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53
> 10 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
> 11 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 21
> 12 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 20
> 13 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 3264
> 14 permit 0.0.0.0/0 192.168.1.128/25 tcp src eq 25 estab
> 15 permit 0.0.0.0/0 192.168.1.128/25 tcp dst eq 25
> 16 permit 0.0.0.0/0 0.0.0.0/0 icmp
>
> internet.out:
>
> 1 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
> 2 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 21
> 3 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 20
> 4 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23
> 5 permit 0.0.0.0/0 0.0.0.0/0 udp src eq 53
> 6 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
> 7 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53
> 8 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
> 9 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 3264
> 10 permit 0.0.0.0/0 192.168.1.128/25 tcp dst eq 25
> 11 permit 192.168.1.128/25 0.0.0.0/0 tcp src eq 25 estab
> 12 permit 192.168.1.128/25 0.0.0.0/0 tcp src eq 21 estab
> 13 permit 192.168.1.128/25 0.0.0.0/0 tcp src eq 20 estab
> 14 permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 3264 estab
> 15 permit 0.0.0.0/0 0.0.0.0/0 icmp
>
> I am using the 192.168.1.0 network and split it into two subnets, one
> protected, the other not. The latter is the one I am protecting.
>
> I get almost all working EXCEPT anything using udp - dns, traceroute.

DNS should work, since you permitted anything incoming/outgoing on port 53
(both TCP and UDP).

For Traceroute, you'd need to open up incoming UDP traffic over 33000 (which
is the default start of traceroute).

If it doesn't work, what you may want to try is to log (add the "log" keyword)
in your rules, and see which one is making the request fail.

Arnaud.

--
Arnaud C. Girsch      -+-       The OASys Group, Inc. - A Cabletron Subsidiary
agirsch@OASysGroup.com  -+- Tel: 408-872-0203 Fax: 408-872-0210 - Saratoga, CA
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
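A small first-match filter simulator, as an added example that is not part of the original thread or of Livingston's PortMaster code: it transcribes the two rule lists posted above, assumes that a packet matching no rule hits the PortMaster's implicit deny, models "estab" as "TCP segment with ACK set" and "ip" as "any protocol", and uses constructed host addresses (192.168.1.130 inside the protected /25, 10.9.8.7 outside) and ports. Running it shows, for each sample packet, which rule number it lands on, which is the information the "log" keyword would give you on the box: the DNS query and reply are permitted, UDP traceroute probes above port 33000 match nothing in either direction, and the ICMP replies traceroute relies on are permitted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed transcription of the filter lists from the post (rule numbers follow list order).
INTERNET_IN = """
deny   192.168.1.128/25 0.0.0.0/0 ip
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 80 estab
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 21 estab
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 20 estab
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 23 estab
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 3264 estab
permit 0.0.0.0/0 0.0.0.0/0 udp src eq 53
permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 21
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 20
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 3264
permit 0.0.0.0/0 192.168.1.128/25 tcp src eq 25 estab
permit 0.0.0.0/0 192.168.1.128/25 tcp dst eq 25
permit 0.0.0.0/0 0.0.0.0/0 icmp
"""

INTERNET_OUT = """
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 21
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 20
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23
permit 0.0.0.0/0 0.0.0.0/0 udp src eq 53
permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 53
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 3264
permit 0.0.0.0/0 192.168.1.128/25 tcp dst eq 25
permit 192.168.1.128/25 0.0.0.0/0 tcp src eq 25 estab
permit 192.168.1.128/25 0.0.0.0/0 tcp src eq 21 estab
permit 192.168.1.128/25 0.0.0.0/0 tcp src eq 20 estab
permit 0.0.0.0/0 0.0.0.0/0 tcp src eq 3264 estab
permit 0.0.0.0/0 0.0.0.0/0 icmp
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    established: bool = False  # assumed meaning of "estab": TCP with ACK set, not the opening SYN

def parse_rules(text):
    """Turn the posted rule text into (number, action, src_net, dst_net, proto, port_side, port, estab)."""
    rules = []
    for n, line in enumerate((l for l in text.splitlines() if l.strip()), 1):
        tok = line.split()
        side, port = (tok[tok.index("eq") - 1], int(tok[tok.index("eq") + 1])) if "eq" in tok else (None, None)
        rules.append((n, tok[0], ipaddress.ip_network(tok[1]), ipaddress.ip_network(tok[2]),
                      tok[3], side, port, "estab" in tok))
    return rules

def matches(rule, pkt):
    _, _, src, dst, proto, side, port, estab = rule
    return (ipaddress.ip_address(pkt.src) in src and ipaddress.ip_address(pkt.dst) in dst
            and proto in ("ip", pkt.proto)             # assumed: "ip" matches every protocol
            and (side != "src" or pkt.sport == port)
            and (side != "dst" or pkt.dport == port)
            and (not estab or pkt.established))

def evaluate(rules, pkt):
    """First match wins; falling off the end is the implicit deny (assumed PortMaster behaviour).
    Returns (action, rule number or None), i.e. what the 'log' keyword would report for the packet."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[1], rule[0]
    return "deny", None

IN_RULES, OUT_RULES = parse_rules(INTERNET_IN), parse_rules(INTERNET_OUT)
INSIDE, OUTSIDE = "192.168.1.130", "10.9.8.7"   # constructed hosts; INSIDE lies in the protected /25

def sample_results():
    """Trace a DNS lookup, a UDP traceroute, an HTTP reply and a spoofed datagram through the filters."""
    return {
        "dns query out":         evaluate(OUT_RULES, Packet(INSIDE, OUTSIDE, "udp", 1025, 53)),
        "dns reply in":          evaluate(IN_RULES,  Packet(OUTSIDE, INSIDE, "udp", 53, 1025)),
        "traceroute probe out":  evaluate(OUT_RULES, Packet(INSIDE, OUTSIDE, "udp", 40000, 33434)),
        "traceroute probe in":   evaluate(IN_RULES,  Packet(OUTSIDE, INSIDE, "udp", 40000, 33434)),
        "icmp time-exceeded in": evaluate(IN_RULES,  Packet(OUTSIDE, INSIDE, "icmp")),
        "http reply in":         evaluate(IN_RULES,  Packet(OUTSIDE, INSIDE, "tcp", 80, 1025, True)),
        "spoofed inside src in": evaluate(IN_RULES,  Packet(INSIDE, INSIDE, "udp", 53, 1025)),
    }

if __name__ == "__main__":
    for name, (action, num) in sample_results().items():
        print(f"{name:23s} -> {action} (rule {num if num else 'none, implicit deny'})")
```

The "spoofed inside src in" case is the one rule 1 of internet.in exists for: a datagram arriving from the internet that claims a source inside 192.168.1.128/25 is dropped before any of the permit rules can match it.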