1 23rd March 14:14
dkulisie
Sunscreen3.2onSolaris9x86 - can't get to internal www server from outside



Hi all,

I am running Sunscreen 3.2 firewall on Solaris9_x86.

I have three NICs there:

iprb0 - yellowd - x.x.x.222 - master DNS server for our domain
iprb1 - yellow - x.x.x.220 - firewall outward interface
iprb2 - yellowbd - 172.16.0.220 - firewall inward interface.

I have one WinXP test station in the private network 172.16. (host130)
and one WinXP test station in the public network.

In the 172.16. network there is a Solaris9_x86 machine with a www server -
Apache with SSL - Osirisb, with IP 172.16.0.231. A DNS server is also
running on Osirisb.

I have applied a NAT rule for Osirisb to be mapped as www in the public
network in our domain. The XP test machine host130 is mapped as
host130-static.

1 STATIC "inet-static" "osirisb" "inet-static" "www" COMMENT "osirisb from Outside"
2 STATIC "osirisb" "inet-static" "www" "inet-static" COMMENT "osirisb to Outside"
3 STATIC "inet-static" "host130" "inet-static" "host130-static" COMMENT "host130 from Outside"
4 STATIC "host130" "inet-static" "host130-static" "inet-static" COMMENT "host130 to Outside"

www has a RR record in yellowd (master DNS for our public internet
domain).
osirisb has a RR record in osirisb (master DNS in 172.16. network).

I have applied IP filtering rules for DNS server osirisb (www):

1 "common" "localhost" "*" ALLOW
2 "rip" "*" "*" ALLOW
3 "dns" "inet-static" "dns-allowed" ALLOW COMMENT "DNS from"
4 "dns" "dns-allowed" "inet-static" ALLOW COMMENT "DNS to"
5 "www" "inet-static" "iprb2.net" ALLOW COMMENT "b0 www from"
6 "www" "iprb2.net" "inet-static" ALLOW COMMENT "b0 www to"
7 "ping" "inet-static" "iprb2.net" ALLOW COMMENT "ping from"
8 "ping" "iprb2.net" "inet-static" ALLOW COMMENT "ping to"

where

"dns-allowed" GROUP { "yellowd" "iprb1.net" "iprb2.net" } { }
"host130" HOST 172.16.0.130
"host130-static" HOST x.x.x.130
"inet-static" GROUP { "*" } { "localhost" }
"iprb0.net" RANGE x.x.x.128 - x.x.x.255
"iprb1.net" RANGE x.x.x.128 - x.x.x.255
"iprb2.net" RANGE 172.16.0.0 - 172.16.255.255
"osirisb" HOST 172.16.0.231 COMMENT "DNS-b0Master"
"www" HOST x.x.x.231
"yellowd" HOST x.x.x.222 COMMENT "DNS-c128Master"
"yellow_iprb0" GROUP { } { }
"yellow_iprb1" GROUP { } { }
"yellow_iprb2" GROUP { } { }

I made up an executable file /etc/rc2.d/S72sunscreenARP where I
declare public IPs to reside on the MAC address of the iprb1 interface.
I can go whenever on the Internet from host130 (WinXP).
I can ping an IP address of master DNS for our domain - IP .222

see DNS222 to resolve it but - "Request timed out" message shows up.
When I try to reach www in a browser I get nothing either.

Would somebody help me?

Regards
Dusan
2 23rd March 14:14
jörg freund


Hi Dusan,

I'm not sure, but have you checked the default gateways
on the WinXP machines?
Windows sometimes has an "extra" behavior,
especially if you have more than one gateway entry
on these machines...

Is traceroute/ping working correctly through each
interface? Ping from the firewall,
then from the 2 test machines.

Maybe you get a hint out of this.
--
best regards
Joerg
Copyright © 2006 SmartyDevil.com