[Wlug] Routing problem -can I believe the ISP tech? #2

Richard Goodman dick@goodman1.net
Tue, 5 Nov 2002 20:49:39 -0500


>  >
>>  Firewall is based on IPChains firewall from Ziegler's book "Linux
>>  Firewalls" 1st ed, which denies all then allows as needed. I've
>>  triple-checked the firewall -- the only non-comment changes made were
>>  all added ACCEPT statements, all cut&pasted from the Home firewall.
>>  There are no IP-specific denies that I added to the firewall - and I
>>  haven't updated rc.firewall.blocked in months.
>
>Sounds like you're further up on Linux firewalling than I am, actually. For
>myself, I run a modified Linux Router Project disk image, and let NAT and
>Portsentry take care of most of my issues. If you say it's clean, then it
>must be clean. Understand though, the techs will NEVER believe this. At ALL.
>If you made changes to a firewall and then you couldn't access, it's
>Somebody Else's Problem, and that's their professional opinion. (I should
>know, I was one. :) )
>
Well, the problem was in the firewall, but it doesn't explain 
EVERYTHING that happened.

After two hours on the phone Mon afternoon with Qwest tech support 
level 2, they insisted I try ping/traceroute with the firewall 
disabled. Pings moved through as expected ...hmmmm

I'd been through the firewall code so many times I just about had it 
memorized, so I decided to look at the file rc.firewall.blocked which 
it reads, which has a list of IPChains statements blocking IP#s 
(which the main firewall doesn't do).

I hadn't really updated this much recently, because when someone 
started banging on the firewall, it was tough to know if it was a 
static IP or not. Anyways ... found TWO entries that were <Home 
IP#>/24 and <Home network>/24 ... basically the same thing. Don't 
remember putting THOSE in there <g>

When I rebuilt the last hacked machine (EFO) I copied rc.firewall and 
rc.firewall.blocked from the home machine, because I couldn't read 
the copies I'd backed up from EFO.... so the block against the Home 
IP was at both ends of the link.

The only mystery is why everything worked for two hours Friday night 
before I reloaded the EFO firewall -- because the rc.firewall.blocked 
file hadn't been changed in more than a week, and had already been 
loaded with the firewall when I first brought up the EFO server on 
Friday.

Now if I could get any takers on finding out why none of my servers 
can send email to each other (but only each other) since they were 
upgraded from RH7.0 to RH7.3 (sendmail 8.11.6) I'll be all set. [Email 
to list 10/31]

Dick
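The root cause above is a block-list file copied between two hosts so that each end denied the other's network. The following is an added example (not the poster's code, and not from Ziegler's book) of a small audit script that parses an rc.firewall.blocked-style file of ipchains DENY/REJECT rules and reports any rule whose source network covers an address the host must be able to reach. The file contents, the addresses in TRUSTED and the rule layout are all constructed for the example; ipchains itself is long obsolete, but the same check applies to any hand-maintained block list.

```python
import ipaddress
import re

# Constructed sample of an rc.firewall.blocked-style file (hypothetical content,
# not the poster's actual file). Line shape follows ipchains syntax:
#   ipchains -A <chain> -i <iface> -s <source[/prefix]> -j DENY -l
SAMPLE_BLOCKED = """\
# rc.firewall.blocked -- per-address DENY rules added over time
ipchains -A input -i eth0 -s 203.0.113.0/24 -j DENY -l
ipchains -A input -i eth0 -s 198.51.100.7 -j DENY -l
ipchains -A input -i eth0 -s 192.0.2.0/24 -j DENY -l
"""

# Addresses this host must never block: its own peers (constructed examples,
# standing in for the "Home" and "EFO" machines in the thread).
TRUSTED = {"home": "192.0.2.44", "efo": "198.51.100.7"}

# Match an append to a chain with a -s source and a DENY/REJECT target.
RULE_RE = re.compile(
    r"ipchains\s+-A\s+(\S+).*?\s-s\s+(\S+).*?-j\s+(DENY|REJECT)\b"
)


def parse_deny_rules(text):
    """Return (lineno, chain, network) for every DENY/REJECT rule with a -s source.

    A bare address such as 198.51.100.7 is treated as a /32 (strict=False).
    Comment lines, blank lines and ACCEPT rules are skipped.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if not m:
            continue
        chain, src, _target = m.groups()
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            # Not a literal address/network (e.g. a shell variable); cannot check offline.
            continue
        rules.append((lineno, chain, net))
    return rules


def find_self_blocks(text, trusted):
    """Return (lineno, name, addr, network) for each DENY that covers a trusted address.

    This is the check that would have caught a copied block list containing
    the peer's own /24: the blocked network contains an address we rely on.
    """
    hits = []
    for lineno, chain, net in parse_deny_rules(text):
        for name, addr in trusted.items():
            if ipaddress.ip_address(addr) in net:
                hits.append((lineno, name, addr, str(net)))
    return hits


if __name__ == "__main__":
    for lineno, name, addr, net in find_self_blocks(SAMPLE_BLOCKED, TRUSTED):
        print(f"line {lineno}: DENY {net} blocks trusted host '{name}' ({addr})")
```

Run against the real file with `find_self_blocks(open("/etc/rc.d/rc.firewall.blocked").read(), TRUSTED)` (path assumed). Rules whose source is a shell variable rather than a literal address are skipped, so expand variables first if the file uses them.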