Hi Chris,
On 17.01.2005 at 10:36, Chris Buechler wrote:
>
> Can you send some more details on that? Specifically, what is the
> rule that's dropping it? Dropping the ICMP redirect, or? Sounds like
> that might be a bug, or an unintended consequence at least.
>
Sure, here we go:
First of all, please note that I do have some knowledge about firewalls
and routing, but I'm new to m0n0wall. So I apologize for any dumb
mistakes in advance ;)
We installed m0n0wall for testing and played around with it. As I
pointed out, there are two things which are mandatory for our network
layout so far:
1. Internal ICMP redirects
2. Port-based forwarding into LAN or DMZ with several valid IPs on the
WAN side (i.e. IP1:80 --> Lan-Server1:80, IP2:80 --> DMZ-Server2:81 and
so on).
While playing around with m0n0wall's possibilities, we met the traffic
shaper and enabled it. AFAIK this is the only spot where ipfw is still
used, isn't it? Anyway, after trying to get ICMP redirects working,
I looked at the rules directly via exec.php and "ipfw show". There
I noticed a rule with number 19902 with the content "deny from any to
any" after some rules I connected to the traffic shaper. It was located
at the third or fourth place from the end of the list. I deleted that rule
manually, and of course the ICMP redirects worked immediately.
One silly thing, and the myth for today, is:
To answer your question I tried to reproduce it a moment ago and
didn't manage. I did exactly as last week (used the magic shaper wizard,
installed the rules) and looked at the rules. One thing I noticed is
that every rule has a number above 50000. So, where do ipfw rules with
numbers around 19900 come from? I must have done something in addition
to that.
Quite irritated,
Harald
--
consultant systeme / professional services
denkwerk | vogelsanger straße 66 | d-50823 köln
telefon +49 221 2942 200 | telefax +49 221 2942 101
www.denkwerk.com |
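The kind of check described in the mail above, inspecting the output of "ipfw show" for an unexpected blanket deny rule sitting ahead of the default rule, can be scripted. The following is an added example and not code from the mail or from m0n0wall itself. The sample ruleset is constructed: the interface name sis0, the pipe rule numbers and the 50000 rule are assumptions, only the 19902 "deny from any to any" rule and the "rules above 50000" observation come from the mail. The column layout (rule number, packet count, byte count, action, body) is the standard `ipfw show` format.

```python
import re

# Constructed sample in `ipfw show` format (NOT captured from the original poster's box).
# The 19902 deny rule mirrors the one reported in the mail; everything else is invented.
SAMPLE_IPFW_SHOW = """\
00100    12    1200 allow ip from any to any via lo0
10000   120   14400 pipe 1 ip from any to any in via sis0
10001    80    9600 pipe 2 ip from any to any out via sis0
19902     0       0 deny ip from any to any
50000     5     420 allow tcp from any to 192.168.1.10 80
65535 33210 2998877 allow ip from any to any
"""

# number, packets, bytes, action, remainder of the rule
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*\S)\s*$")

# ipfw's fixed default rule; its verdict is a kernel build option, so it is
# reported separately rather than flagged as a stray deny.
DEFAULT_RULE = 65535

# Rule bodies that match every packet on every interface.
BLANKET_BODIES = {"ip from any to any", "from any to any", "all from any to any"}


def parse_ipfw_show(text):
    """Parse `ipfw show` output into a list of rule dicts, in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a rule row
        num, pkts, nbytes, action, body = m.groups()
        rules.append({
            "num": int(num),
            "pkts": int(pkts),
            "bytes": int(nbytes),
            "action": action,
            "body": body,
        })
    return rules


def find_blanket_denies(rules):
    """Return (rule, position_from_end) for every deny/drop rule that matches all
    traffic and is not the default rule. Position 1 is the last rule listed, so a
    value of 3 means 'third from the end', the spot described in the mail."""
    flagged = []
    total = len(rules)
    for idx, rule in enumerate(rules):
        if rule["num"] == DEFAULT_RULE:
            continue
        if rule["action"] in ("deny", "drop") and rule["body"] in BLANKET_BODIES:
            flagged.append((rule, total - idx))
    return flagged


def rules_below(rules, threshold):
    """Rule numbers below `threshold`, excluding the default rule. Useful when the
    expected ruleset (e.g. shaper rules) is known to live in one numeric range."""
    return [r["num"] for r in rules if r["num"] < threshold and r["num"] != DEFAULT_RULE]


def audit(text, expected_min=50000):
    """Summarise blanket denies and out-of-range rule numbers for a ruleset dump."""
    rules = parse_ipfw_show(text)
    return {
        "rule_count": len(rules),
        "blanket_denies": [(r["num"], pos) for r, pos in find_blanket_denies(rules)],
        "below_expected": rules_below(rules, expected_min),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_IPFW_SHOW)
    for num, pos in report["blanket_denies"]:
        print(f"blanket deny: rule {num}, {pos} from the end of the list")
    print("rules numbered below 50000:", report["below_expected"])
```

On a real box the text would come from the output of `ipfw show` rather than the constructed constant. The rule-number check is only meaningful once you know where the tool you use writes its rules; the mail's observation that the shaper's rules all sat above 50000 is what makes a 19902 rule stand out.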