[Firehol-support] Basic lan gateway
Costa Tsaousis
costa at tsaousis.gr
Sun Jun 26 09:37:34 BST 2005
Hi,
System logs are your friend. If FireHOL is dropping traffic there should
be some logs about it. Have you checked them?
For sure 10/s is low...
Regards,
Costa
On Thu, June 23, 2005 13:34, Marcus Williams said:
> Hi -
>
> I set up a new machine last week with firehol as a basic lan gateway.
> The config I used was (standard tutorial tweaked for certain services
> and from ppp to eth1 for internet):
>
> version 5
>
> # The network of our eth0 LAN.
> home_ips="192.9.200.0/24"
>
> interface eth0 home src "${home_ips}"
>         policy reject
>         server "dns ssh icmp" accept
>         client "icmp" accept
>
> interface eth1 internet src not "${home_ips} ${UNROUTABLE_IPS}"
>         protection strong 10/sec 10
>         server ident reject with tcp-reset
>         client all accept
>
> router internet2home inface eth1 outface eth0
>         masquerade reverse
>         client all accept
>         server ident reject with tcp-reset
>
> eth1 gets a private IP of 192.168.0.2 via dhcp from the adsl router. DNS
> is running on this box serving as a dns cache for external dns, and as
> standard dns for internal dns requests if you see what I mean. You can
> do both internal and external DNS requests from this box with no
> problems and internet access works fine.
>
> This was working all week until the machine got rebooted this morning
> and the routing of external dns queries has just stopped. LAN machines
> can query internal machine hostnames from this box, but external
> queries just break very quickly with cannot connect to server errors.
> You can ping an external IP so the masq seems to be working. DNS appears
> to be knackered though from the internal LAN.
>
> If I watch the traffic on eth1 with tcpdump dns queries are occurring but
> they've already timed out on the querying machine (it comes back with
> the error pretty fast). I'm wondering if I'm missing something in the
> config? Perhaps the protection limits are breaking things?
>
> Any ideas?
>
> Thanks
>
> Marcus
>
>
> --
> Marcus Williams -- http://www.cad-schroer.co.uk
> CAD Schroer UK, 39 Newnham Road, Cambridge, UK
>
>
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>
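The two things this exchange turns on are "look at the logs" and "10/s is low". The script below is an added example written for this page, not code from the thread or from FireHOL. It first pulls netfilter LOG records (the format FireHOL's logging rules write into syslog) out of a constructed syslog excerpt and tallies them by prefix, protocol and ports, so that dropped DNS replies (UDP, SPT=53, arriving on the internet interface) stand out. It then models the netfilter `limit` match that FireHOL's flood protections use for the rate and burst arguments of `protection`, run against a burst of 30 packets 10 ms apart with the thread's `10/sec 10`. The sample log lines are constructed, and the `IN-internet:` log prefix is an assumption about FireHOL's naming; read the real prefix off your own /var/log/messages.

```python
"""Tally netfilter LOG records from syslog and model the `limit` match used
by FireHOL's flood protections.  Added example, not from the thread or FireHOL."""
import re
from collections import Counter
from fractions import Fraction

# Constructed syslog excerpt (not from the thread).  The layout after
# "kernel:" is netfilter's LOG target format; "IN-internet:" is an ASSUMED
# FireHOL-style rule prefix.  The last line is non-firewall noise to skip.
SAMPLE_LOG = """\
Jun 23 13:20:01 gw kernel: IN-internet:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=53 DPT=32770 LEN=100
Jun 23 13:20:01 gw kernel: IN-internet:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=53 DPT=32771 LEN=100
Jun 23 13:20:02 gw kernel: IN-internet:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 23 13:20:02 gw sshd[123]: Accepted publickey for marcus from 192.9.200.10 port 51234 ssh2
"""

# Everything between "kernel:" and the first "IN=" is the rule's log prefix.
NF_RECORD = re.compile(r"kernel:\s*(?P<prefix>[^=]*?)\s*IN=")
KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of one LOG record as a dict, or None for
    any other syslog line.  Flag words without '=' (SYN, ACK, DF) are skipped."""
    m = NF_RECORD.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix").rstrip(":")}
    for key, value in KEY_VALUE.findall(line[m.end("prefix"):]):
        # LEN= appears twice (IP total length, then UDP/ICMP length);
        # setdefault keeps the first, i.e. the IP header's value.
        rec.setdefault(key, value)
    return rec


def parse_log(text):
    """All netfilter records in a syslog excerpt, in order."""
    return [r for r in (parse_netfilter_line(l) for l in text.splitlines()) if r]


def tally(records):
    """Count records by (prefix, PROTO, SPT, DPT).  Dropped DNS replies show
    up as UDP with SPT=53 under the internet interface's prefix."""
    return Counter((r["prefix"], r.get("PROTO"), r.get("SPT"), r.get("DPT"))
                   for r in records)


def limit_match(times_ms, rate_per_sec, burst):
    """Simplified model of the netfilter `limit` match: a token bucket that
    starts full with `burst` tokens and refills at `rate_per_sec`.  Returns
    True for packets the rule matches (let through) and False for the rest,
    which a FireHOL flood protection then drops.  Fractions keep it exact."""
    if not times_ms:
        return []
    cap = Fraction(burst)
    tokens = cap
    last = times_ms[0]
    verdicts = []
    for t in times_ms:
        tokens = min(cap, tokens + Fraction((t - last) * rate_per_sec, 1000))
        last = t
        if tokens >= 1:
            tokens -= 1
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


if __name__ == "__main__":
    for key, n in sorted(tally(parse_log(SAMPLE_LOG)).items()):
        print(n, key)
    # 30 packets 10 ms apart against the thread's "10/sec 10": the burst of
    # 10 is spent almost immediately and only one more packet gets a token.
    verdicts = limit_match([i * 10 for i in range(30)], 10, 10)
    print("passed", verdicts.count(True), "dropped", verdicts.count(False))
```

Run it on a real excerpt by replacing SAMPLE_LOG with the contents of the log file, then look for UDP records with SPT=53 under the internet interface's prefix: those are answers to the gateway's own forwarded queries being thrown away on arrival. The token-bucket run shows why a resolver serving a LAN is a poor fit for a per-interface limit of ten packets per second with a burst of ten: of 30 packets arriving 10 ms apart only 12 pass and the rest are dropped, which is exactly the pattern of queries leaving on eth1 while the client has already given up.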