Odd firewall problem.
Mon, 24 Sep 2001 21:12:48 -0700 (PDT)
That doesn't quite sound like the problem I'm having, I'll try the first
suggestion I got and see if that works first.
On Mon, 24 Sep 2001, Charles Stack wrote:
> I had a similar problem, except that I couldn't see my firewalled servers
> from in-house at all using the public IPs.
> I solved the problem by running a DNS server that resolved my domains to my
> internal network addressing while on the corporate LAN. Outside, the
> DNS servers point to the public servers.
> -----Original Message-----
> From: email@example.com
> [mailto:firstname.lastname@example.org]On Behalf Of Cameron
> Sent: Monday, September 24, 2001 6:20 PM
> To: Netfilter Mailing List
> Subject: Odd firewall problem.
> I sent this email originally a few days ago, at which point I figured
> something had to be wrong with the list as I got no emails from it, anyway,
> here's the email:
> I'm new to this list, I've been looking over the archives a bit to see if
> I could find anyone else with the same problem as myself and hopefully
> with a solution, I have not (I haven't looked that far back I admit). So I
> decided to join the mailing list and see what help I could get.
> Anyway, here's my problem, I run Debian Linux on my PowerPC (it's an older
> Motorola StarMax clone, 4000/200 with a 200 MHz 604e) and use it for my
> firewall. My firewall seemed to be fine until I reinstalled a while ago.
> Once I reinstalled I got this odd problem. So I reinstalled two more
> times hoping that would fix it, the problem is still there unfortunately.
> I'm using the same exact scripts as I was before. My version of iptables
> and kernel are a bit different though I doubt that would affect me much.
> I was running iptables 1.2.2 previously, and kernel version
> I currently have iptables 1.2.3 (I was using 1.2.2 earlier on this
> install) and I am using kernel 2.4.10-pre11.
> Ok, now the problem I get is really weird, I can view webpages on some
> servers, but not others from systems behind the firewall, but I CAN view
> these webpages from these servers from the firewall itself (using lynx).
> The problem doesn't appear to be the rules I've setup, I've tried setting
> all table policies to "ACCEPT" and I only had the rule of
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> The firewall still continued to have the same problem.
> It appears that when a system behind the firewall attempts to connect,
> there is some interaction between the client and the server, but then the
> connection dies or is perhaps dropped by the firewall. Perhaps the
> connection isn't properly being tracked?
> I'm using Pacific Bell ADSL via PPPoE, and have been the whole time, even
> before this problem came about.
> Regardless of the web browser I use, all the browser does is attempt to
> connect, the connection almost starts up, there is some talking between
> the server and the client system, but then I guess the connection is
> dropped, the browser just sorta hangs while it keeps waiting for data to
> be received.
> I've tried FreeBSD, Solaris, Linux, Windows2000, NT 4.0, and Windows 98,
> all of them have this problem. I've also tried Netscape, IE, Mozilla, links,
> lynx and galeon.
> Here is one URL I am unable to connect to from any system behind the
> firewall, but am able to connect to from the firewall itself:
> I've run ethereal to try and see what's going on from my system (a system
> behind the firewall), my system behind the firewall attempts to connect,
> it sends out some packets, the server responds with packets of its own,
> my system makes an http request, and never gets a response, so the
> browser just keeps waiting for the response that it was supposed to get,
> but never comes. Fortunately, I do not have this problem with most web
> servers, but there's an annoying amount of systems that I do have
> problems with (idsoftware.com is a good example).
> If anyone would like me to give any additional/specific information, just
> tell me what you'd like to see/know.
> Thanks in advance!
> Sorry for the long email, I just want to make sure I covered all that I
> could think of.