LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 08-21-2003, 07:34 PM   #1
lyceum
Member
 
Registered: Aug 2003
Location: N.C.
Distribution: rh9, fc1, slack 9.1, 10
Posts: 229

Rep: Reputation: 30
firewall problem


i have recently been trying to configure my laptop (rh9) to use on my existing home network. network config is as follows: cable modem -> xp box -> belkin 5 port switch -> various boxes, including this one (the only linux...for shame). internet sharing is enabled, addresses assigned via dhcp. using zone alarm firewall (the free one) and the problem is this...linux box will not connect to internet.

no problems with other comps.

when i disable the firewall, my laptop connects without a problem, and even when it is enabled i am able to ping both ways.

i understand that someone will suggest that the linux box should be the gateway (and preferably all others linux as well), but this is the only way that it will work. (don't ask)

any suggestions? i've tried tinkering with the settings of the firewall, with no success. it provides an option to add an ip or range of ips to the "trusted zone", but i've tried the usual suspects (192.168.0.1, 192.168.0.2, etc) with no success.

Last edited by lyceum; 08-21-2003 at 07:36 PM.
 
Old 08-21-2003, 07:43 PM   #2
leonscape
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Debian SID / KDE 3.5
Posts: 2,313

Rep: Reputation: 48
What firewall are you using?

Also have you selected the protocols/ports to let through? like http, pop3, smtp... the list goes on

Oh and get yourself a router and drop the Hub, it's faster and a lot easier they also come with firewalls built-in. As well as all sorts of other stuff. (You can pick one up for about $45+)

Cable Modem -> Router -> Multiple Machines.

Last edited by leonscape; 08-21-2003 at 07:47 PM.
 
Old 08-21-2003, 07:53 PM   #3
lyceum
Member
 
Registered: Aug 2003
Location: N.C.
Distribution: rh9, fc1, slack 9.1, 10
Posts: 229

Original Poster
Rep: Reputation: 30
should have specified that it is the xp box running zone alarm firewall, as for the linux box, have not set up a firewall, went through internet configuration wizard in kde.
 
Old 08-21-2003, 08:02 PM   #4
leonscape
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Debian SID / KDE 3.5
Posts: 2,313

Rep: Reputation: 48
So the Linux box is on the Local Network, hmmm.

What does the Zone alarm Log say?

Probably the easiest thing to do is clear the log, and then try to contact with the Linux Machine, and see what comes up in the log, it might lead you to the answer.
 
Old 08-21-2003, 10:34 PM   #5
lyceum
Member
 
Registered: Aug 2003
Location: N.C.
Distribution: rh9, fc1, slack 9.1, 10
Posts: 229

Original Poster
Rep: Reputation: 30
i have found that by reducing the security level for "internet zone" on the xp machine, that my laptop is able to access the internet. this level makes the computer visible to the outside world while blocking access to its resources according to zone alarm. it would seem that the only difference in this is perhaps my laptop could not see the computer before, since it is allowed to use the resources but couldn't.

that would lead me to think that perhaps i am using the wrong ip address to identify my laptop (in adding it to the "trusted zone" that can both see my xp mach. and use its resources.) this may sound like the noob question that it is, but how can i check my ip in linux?
 
Old 08-21-2003, 10:43 PM   #6
leonscape
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Debian SID / KDE 3.5
Posts: 2,313

Rep: Reputation: 48
ifconfig on a console should give you a read out.

inet addr: 192.168.0.185

Or similar. Make sure you're root though.
 
Old 08-22-2003, 10:54 PM   #7
steely
Member
 
Registered: Aug 2003
Location: Houston TX
Distribution: Ubuntu
Posts: 37

Rep: Reputation: 15
You sure the redhat box isn't running the iptables firewall? They turn it on by default after you install. You might want to check that out.
 
Old 08-23-2003, 01:40 AM   #8
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
Maybe try this firewall as it has built in ICS support unlike the free zone alarm which can be a bugger, it's free too

http://smb.sygate.com/products/spf_standard.htm

If you are using redhat and you can ping away to your heart's content but not access a website by name I'd

iptables --list

to make sure for definite there are no firewall settings and check my dns server settings in

/etc/resolv.conf
 
Old 08-23-2003, 11:03 AM   #9
lyceum
Member
 
Registered: Aug 2003
Location: N.C.
Distribution: rh9, fc1, slack 9.1, 10
Posts: 229

Original Poster
Rep: Reputation: 30
indeed lokkit is running. here is the output from iptables --list
Code:
[root@localhost root]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
[root@localhost root]#

the dns ips from /etc/resolv.conf are correct for what was given from my isp.


i don't understand exactly why however that it works when changing the security level in zone alarm. wouldn't that suggest that lokkit is not the problem? thanks for the sygate link, i might give that one a try...would like to get this one to work however...if for no other reason than i don't like something getting the better of me.

Last edited by lyceum; 08-23-2003 at 11:18 AM.
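
An added example, not part of the thread: a small first-match evaluator run over the `iptables --list` output posted above (trimmed to four rules), showing which inbound packets that Lokkit chain rejects and which it lets through. It assumes the bare `ACCEPT all` rule carries an interface match (loopback-only here) that the non-verbose listing does not print; the function names are illustrative.

```python
import re

# Rules copied from the listing posted above, trimmed to four (not live output).
LISTING = """\
Chain INPUT (policy ACCEPT)
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain RH-Lokkit-0-50-INPUT (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
"""
PORTS = {"bootps": 67, "bootpc": 68}  # service names used in the sample
PORT_RE = r"\b([sd])pts?:(\w+)(?::(\w+))?"

def parse(text):
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+))?", line)
        if m:
            cur = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line.strip() and not line.startswith("target"):
            target, prot, _opt, _src, _dst, *extra = line.split()
            ports = {k + "port": tuple(int(PORTS.get(p, p)) for p in (lo, hi or lo))
                     for k, lo, hi in re.findall(PORT_RE, " ".join(extra))}
            cur["rules"].append({"target": target, "prot": prot, "ports": ports,
                                 "syn_only": "flags:SYN,RST,ACK/SYN" in extra})
    return chains

def matches(rule, pkt):
    ok = rule["prot"] in ("all", pkt["prot"]) and (pkt["syn"] or not rule["syn_only"])
    return ok and all(lo <= pkt[f] <= hi for f, (lo, hi) in rule["ports"].items())

def hidden(rule, i, rules):
    # Bare "ACCEPT all" with rules after it: plain --list hides the interface match (-v shows it).
    bare = (rule["target"], rule["prot"], rule["ports"], rule["syn_only"])
    return bare == ("ACCEPT", "all", {}, False) and i < len(rules) - 1

def verdict(chains, name, pkt):
    rules = chains[name]["rules"]
    for i, rule in enumerate(rules):
        if hidden(rule, i, rules) or not matches(rule, pkt):
            continue  # assumption: the hidden match is loopback-only, so LAN traffic skips it
        v = verdict(chains, rule["target"], pkt) if rule["target"] in chains else rule["target"]
        if v:
            return v
    return chains[name]["policy"]  # None for a user chain: fall back to the caller
```

Running `iptables -L -n -v` instead prints the interface columns and numeric ports, which removes the guesswork the `hidden` check works around.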
 
  

