After doing some testing and debugging I have concluded that screend is broken. :)

I am trying to ping 192.168.2.8 from 10.20.1.2 and vice versa. It works with this config:
default reject;
for 192.168.2.0 netmask is 255.255.255.0;
between any and subnet 192.168.2.0 accept;
but it does not with:
default reject;
for 10.20.1.0 netmask is 255.255.255.0;
between any and subnet 10.20.1.0 accept;
Here is my ifconfig output:
bash-2.04# ifconfig -a
lo0: flags=100c89<UP,LOOPBACK,NOARP,MULTICAST,SIMPLEX,NOCHECKSUM>
     inet 127.0.0.1 netmask ff000000 ipmtu 4096
sl0: flags=10<POINTOPOINT>
tu0: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,SIMPLEX>
     inet 192.168.2.70 netmask ffffff00 broadcast 192.168.2.255 ipmtu 1500
tu1: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,SIMPLEX>
     inet 10.20.1.1 netmask ffffff00 broadcast 10.20.1.255 ipmtu 1500
tun0: flags=80<NOARP>
This does not make sense... something is wrong with my 10.20.1.0 subnet declaration but I can't see it!
Thanks everyone!
--- Nikola Milutinovic <Nikola.Milutinovic_at_ev.co.yu> wrote:
> Terry wrote:
> > First off, thank you for your help in deciding on the best path. Building the kernel for screend was easy.
> >
> > I am trying to write a decent screend.conf file for my needs. Here is what I have:
> >
> > # Default action
> > default reject;
> >
> > # Subnet declarations
> > for 10.20.0.0 netmask is 255.255.255.0;
> > for 192.168.0.0 netmask is 255.255.255.0;
>
> I never could fathom exactly what this meant. Does it mean that any network within 192.168.0.0/16 has the masklen of 24? I guess so...
>
> > # ICMP actions
> > between any and subnet 10.20.1.0 icmp type any accept;
> > between any and subnet 192.168.2.0 icmp type any accept;
>
> Try "net" instead of "subnet". May sound silly and opposed to the man pages, but I've never had luck with "subnet".
>
> > # Other actions
> > between subnet 192.168.2.0 and subnet 10.20.1.0 accept;
> >
> > I am unable to ping from the two subnets stated above, or more specifically, between these hosts:
> >
> > 192.168.2.8 <--> 10.20.1.2
> >
> > I cannot figure out why. I turned on debugging and it basically says that the packet is rejected (duh). I believe my issue lies within my subnet declarations... any ideas?
>
> Try to run screend with "-d -l -s -r", that will print out on your terminal for each packet which rules are being applied. Maybe that will give you a hint.
>
> Nix.
>
=====
Terry
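A small rule tracer, added here as an example and not part of screend or of anyone's post in this thread: it parses the "default", "for ... netmask is ..." and "between ... accept" statements exactly as they appear above and reports which statement a given packet would hit, which is the kind of per-packet answer the "-d -l -s -r" trace suggested in the reply gives for real traffic. The matching semantics it uses (first match in file order wins; "subnet X" takes its mask from a "for" declaration whose network contains X and otherwise the classful mask; "net X" means X's classful network; "between" matches either direction) are my assumptions for the model, not screend's documented behaviour, which is precisely what the thread is unsure about.

```python
"""Trace which screend-style rule a packet would hit.

Added example modelling the rule syntax seen in this thread; it is NOT
screend's parser, and the assumptions below are mine, not the man page's:
  - rules are tried in file order and the first match wins;
  - "subnet X" takes X's mask from the "for" declaration whose network
    contains X, else falls back to X's classful mask;
  - "net X" is X's classful (class A/B/C) network;
  - "between A and B" matches a packet in either direction.
"""
import ipaddress
import re

# Constructed samples: the two configurations from the post above.
WORKING_CONF = """
default reject;
for 192.168.2.0 netmask is 255.255.255.0;
between any and subnet 192.168.2.0 accept;
"""

FAILING_CONF = """
default reject;
for 10.20.1.0 netmask is 255.255.255.0;
between any and subnet 10.20.1.0 accept;
"""

RULE_RE = re.compile(
    r"between (any|(?:subnet|net) \S+) and (any|(?:subnet|net) \S+)"
    r"(?: (icmp) type any)? (accept|reject)"
)


def classful_network(addr):
    """Class A/B/C network of an IPv4 address (used when no 'for' applies)."""
    first_octet = int(addr.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_conf(text):
    """Split a config into (default_action, 'for' declarations, rules)."""
    default, decls, rules = "reject", [], []
    body = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    for raw in body.split(";"):
        stmt = " ".join(raw.split())          # collapse wrapped whitespace
        if not stmt:
            continue
        if m := re.fullmatch(r"default (accept|reject)", stmt):
            default = m.group(1)
        elif m := re.fullmatch(r"for (\S+) netmask is (\S+)", stmt):
            decls.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif m := RULE_RE.fullmatch(stmt):
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4), stmt))
        else:
            raise ValueError(f"unrecognised statement: {stmt!r}")
    return default, decls, rules


def resolve(endpoint, decls):
    """Turn 'any' / 'subnet X' / 'net X' into an IPv4Network."""
    if endpoint == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    kind, addr = endpoint.split()
    if kind == "net":
        return classful_network(addr)
    ip = ipaddress.ip_address(addr)
    for net in decls:                         # assumption: a containing 'for' supplies the mask
        if ip in net:
            return ipaddress.ip_network(f"{addr}/{net.prefixlen}", strict=False)
    return classful_network(addr)


def trace(conf_text, src, dst, proto="icmp"):
    """Return (action, matching statement) for one packet, like a per-packet trace."""
    default, decls, rules = parse_conf(conf_text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a, b, rule_proto, action, stmt in rules:
        if rule_proto and rule_proto != proto:
            continue
        na, nb = resolve(a, decls), resolve(b, decls)
        if (s in na and d in nb) or (s in nb and d in na):
            return action, stmt
    return default, "default " + default


if __name__ == "__main__":
    for name, conf in (("working", WORKING_CONF), ("failing", FAILING_CONF)):
        for src, dst in (("192.168.2.8", "10.20.1.2"), ("10.20.1.2", "192.168.2.8")):
            action, stmt = trace(conf, src, dst)
            print(f"{name:8} {src:>12} -> {dst:<12} {action:7} via: {stmt}")
```

Run against the two configurations, the model accepts the ping in both directions for both of them, which is useful mainly as a baseline: where the real screend trace disagrees with a model this literal, the disagreement points at how screend itself interprets the "for" declaration and the "subnet" keyword, not at a typo in the rules.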
Received on Thu Apr 17 2003 - 15:26:23 NZST