This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What arguments does the "Live Log: Packet filter" accept?

Hi.

I have a computer connected on the "outside" to an ASG v7 firewall, with no intervening devices. I can ping to the firewall's outside IP address (let's call that address "A") from that computer. I have one NAT rule that I want to set up, which will hide the internal address (let's call that internal IP address "B") from the outside world. I believe this is the most common way to configure NAT: outside address accessible to the world, but inside address hidden from the outside world.

So, the NAT rule I have set up is DNAT:

traffic source: any
traffic service: any
traffic destination: A+1

NAT mode: DNAT

destination: B
destination service: any

Automatic packet filter rule: checked.

I have a single packet filter rule, Rule 1, set up: ANY -> ANY -> ANY (anything coming from any address, going to any address, using any protocol, should be allowed).

I initiate a ping request to A - that works.
I initiate a ping request to A+1 - that doesn't work.
I initiate a ping request to B - that works!!!

Furthermore, every time I initiate a ping, I watch the "Live Log: Packet filter", but all I get are "Webadmin Connection" lines (since I have the Webadmin interface opened up in a separate window). I have two questions about that:

1. Why don't I see any pings in the "Live log", either when pinging to A, A+1, or B? (I do have every ICMP and Ping checkbox checked on in the ICMP tab of the Network Security -> Packet Filter screen.)

2. How can I use the "Filter" text field to either hide all the "Webadmin Connection" lines, or just show any ping activities? I have looked around the documentation to see what arguments that packet filter will accept, but have not seen a word about that.

Ironically, I can ping into the internal network through the firewall, so I get ping replies from B, B+1, B+2. (I did tell Astaro to let pings go through, but I was expecting to get ping replies from A+1, A+2, etc.)

After that, I tried to change the "DNAT" to "SNAT", then "Full NAT". No matter what I set it to, I still get the same results: I can ping into the internal network (B addresses), not the A+1 addresses, but I never see any ping activities on the "Live Log: Packet filter" screen.

What have I colossally hosed up???

Thanks for your advice.

This thread was automatically locked due to age.

Parents

0 BarryG over 15 years ago

Hi,
All changes are saved to disk, and a reboot is unnecessary except after some up2date patches.
You can have the firewall email you a backup file every night, which is a very good idea.

The default policy is DROP, but keep in mind that if you have gone through the setup wizard that some rules may already be created (they will appear in the PacketFilter page).

If you've enabled the http proxy, ports 80, 443, and possibly FTP traffic will be allowed through it.

The SOCKS proxy, if enabled, will allow any traffic, although passwords can be assigned.

DNAT rules and VPNs can be created with "Auto PacketFilter rules", which will NOT appear on the main PacketFilter page.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BarryG over 15 years ago

Hi,
All changes are saved to disk, and a reboot is unnecessary except after some up2date patches.
You can have the firewall email you a backup file every night, which is a very good idea.

The default policy is DROP, but keep in mind that if you have gone through the setup wizard that some rules may already be created (they will appear in the PacketFilter page).

If you've enabled the http proxy, ports 80, 443, and possibly FTP traffic will be allowed through it.

The SOCKS proxy, if enabled, will allow any traffic, although passwords can be assigned.

DNAT rules and VPNs can be created with "Auto PacketFilter rules", which will NOT appear on the main PacketFilter page.

Barry
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data