Date:      Tue, 5 Apr 2005 08:33:01 -0700
From:      Chip Wiegand <chip.wiegand@simrad.com>
To:        jbell@stelesys.com
Cc:        FreeBSD List <freebsd-questions@freebsd.org>
Subject:   Re: screwy network/dmz problem
Message-ID:  <OFDB78C51E.E9D0D09C-ON88256FDA.005106AA-88256FDA.00556B7D@km.kongsberg.com>
In-Reply-To: <4218.24.98.86.57.1112659882.squirrel@24.98.86.57>

"Jerry Bell" <jbell@stelesys.com> wrote on 04/04/2005 05:11:22 PM:

> The first thing I would check is that it's the BSD box that you are
> actually pinging.  I'd try unplugging it and trying the ping again from
> the IIS box.  Barring that, I would double and triple check the network
> mask on the BSD box.  Also, make sure you don't have some screwy firewall
> rules on the BSD server that prevent outbound pings.
> Next, look at the output of 'netstat -rn'

Results of netstat -rn:
destination       gateway           flags    refs    use    netif
default           157.237.165.1     ugs         0    122    fxp0
127.0.0.1         127.0.0.1         uh          0      6    lo0
157.237.165/29    link#1            uc          0      0    fxp0
157.237.165.1     00:02:b3:a4:c2    uhlm        1      0    fxp0

> You should see entries for the default gateway as well as your local
> network.  If all looks good there, check your arp table with arp -a. 

Results of arp -a:
?(157.237.165.1) at 00:02:b3:bd:c2 on fxp0 [ethernet]
?(157.237.165.2) at 00:0d:61:70:df on fxp0 [ethernet]
?(157.237.165.4) at 00:eo:18:c2:12 on fxp0 [ethernet]

> If you don't see anything there, it's probably a layer 1 or 2 problem
> (cabling/vlan).

There are 3 boxes on the dmz -
157.237.165.2 is the IIS box. It gets no ping reply from the BSD box and 
the firewall. It does get a reply from the win2003 box. It has full 
internet access. It is a current, working, 'live' web server for 
authorized users only.
157.237.165.4 is a WIN2003 box and it gets ping responses from the IIS box 
and the BSD box, no response from the firewall, and no internet access.
157.237.165.5 is the BSD box, gets a ping response from the IIS box only, 
no response from the win2003 box, or firewall, and no internet access.
(157.237.165.1 is the firewall dmz nic itself, the gateway for all 3 
boxes)

I'm guessing that there is a rule on the firewall that has closed the 
internet connection for these two additional boxes. The IIS was the first 
to be set up a year or so ago. There must also be a rule on the firewall 
that drops all incoming ping requests.
Questions from the above:
Why does the BSD box get a reply from the IIS box, yet the IIS box gets no 
reply from the BSD box?
Why does the IIS box get a reply from the Win2003 box, yet not from the BSD 
box?

All 3 boxes have the same network setup, except for this: There is no 
'domain' for the 3 boxes. The IIS box is on its own workgroup DMZ, the 
win2003 box is its own domain 'test.local'. The BSD box has 'domain 
simrad.com' as the first line of resolv.conf. What are the implications of 
this?

I will be sending a message to the firewall administrator in Norway (I am 
in the US) with the info above, maybe he can find something on the 
firewall to change to make everything work.
I hope.
Regards,
Chip


> There are many many possibilities for what could be wrong, but it's hard
> for us to say.  Let us know what you find on those tests.
> 
> Jerry
> http://www.syslog.org
> 
> > here in our office we have a firewall running Firewall-1 (it is
> > administered remotely from another office in another country). It is set
> > up with a dmz so I can host a web server (which is running IIS), but it
> > works. I am now adding another web server, running Apache/FreeBSD. Problem
> > is the FBSD box does not ping anything. The IIS box can ping the FBSD box
> > and get a response from it. I have used the same network settings on the
> > FBSD box that are on the IIS box, changing only the IP address. I don't
> > understand why the FBSD box only responds with network not found when
> > trying to ping anything. Now the IIS box is not a member of any network,
> > it is its own workgroup called DMZ. Is the problem that the FBSD box
> > needs to be a member of the workgroup DMZ? And if so, how do I get it
> > there?
> >
> > Regards,
> > Chip
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to
> > "freebsd-questions-unsubscribe@freebsd.org"
> >
> 
> 
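Added example, not from either poster or from any FreeBSD tool: the checks Jerry recommends above (default gateway on a directly connected network, ARP entries present for the peers, link-layer addresses consistent) applied programmatically to the netstat -rn and arp -a output as transcribed in the thread, plus the ping-reply matrix Chip describes, reduced to the pairs where reachability is one-way. The parser assumes the six-column netstat layout shown in the thread; the MAC strings are compared as pasted (five octets), and on that transcription the gateway's link-layer address in the route table differs from the one in arp -a, which the check reports.

```python
"""Added example: sanity-check routing/ARP output and ping asymmetry.
Input strings below are the outputs as transcribed in the thread
(MAC addresses are the 5-octet strings as pasted, not real ones)."""
import ipaddress
import re

# Transcribed from the thread: netstat -rn on the BSD box (values unchanged).
NETSTAT_RN = """\
destination             gateway flags           refs    use     netif
default    157.237.165.1   ugs           0      122     fxp0
127.0.0.1             127.0.0.1  uh              0       6      lo0
157.237.165/29  link#1   uc              0       0      fxp0
157.237.165.1  00:02:b3:a4:c2    uhlm            1       0      fxp0
"""

# Transcribed from the thread: arp -a on the BSD box.
ARP_A = """\
?(157.237.165.1) at 00:02:b3:bd:c2 on fxp0 [ethernet]
?(157.237.165.2) at 00:0d:61:70:df on fxp0 [ethernet]
?(157.237.165.4) at 00:eo:18:c2:12 on fxp0 [ethernet]
"""

# Who gets an ICMP echo reply from whom, as described in the thread
# (host -> set of hosts it gets a reply from; the firewall .1 answers nobody).
PING_REPLIES = {
    "157.237.165.2": {"157.237.165.4"},                   # IIS box
    "157.237.165.4": {"157.237.165.2", "157.237.165.5"},  # win2003 box
    "157.237.165.5": {"157.237.165.2"},                   # BSD box
}


def expand_net(dest):
    """netstat abbreviates 157.237.165.0/29 as 157.237.165/29; pad the octets."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    while len(octets) < 4:
        octets.append("0")
    cidr = ".".join(octets) + (f"/{plen}" if plen else "")
    return ipaddress.ip_network(cidr, strict=False)


def parse_netstat(text):
    """Route rows -> dicts; assumes the 6-column layout shown in the thread."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 6:
            routes.append({"dest": f[0], "gateway": f[1],
                           "flags": f[2].lower(), "netif": f[-1]})
    return routes


def parse_arp(text):
    """'?(ip) at mac on ifname [ethernet]' rows -> {ip: {mac, netif}}."""
    pat = re.compile(r"\?\(([\d.]+)\) at (\S+) on (\S+)")
    return {m.group(1): {"mac": m.group(2), "netif": m.group(3)}
            for m in pat.finditer(text)}


def check_tables(netstat_text, arp_text, peers):
    """Return a list of findings; an empty list means the tables look sane."""
    routes = parse_netstat(netstat_text)
    arp = parse_arp(arp_text)
    findings = []
    default = next((r for r in routes if r["dest"] == "default"), None)
    if default is None:
        return ["no default route"]
    gw = ipaddress.ip_address(default["gateway"])
    # Directly connected networks are the rows whose gateway is link#N.
    connected = [expand_net(r["dest"]) for r in routes
                 if r["gateway"].startswith("link#")]
    if not any(gw in net for net in connected):
        findings.append(f"default gateway {gw} is not on any connected network "
                        f"{[str(n) for n in connected]}: check the netmask")
    # Rows with the 'l' flag carry a link-layer address; it should match arp -a
    # (on FreeBSD of that era ARP entries are kept in the routing table).
    for r in routes:
        if ("l" in r["flags"] and r["dest"] in arp
                and arp[r["dest"]]["mac"] != r["gateway"]):
            findings.append(f"MAC for {r['dest']} differs: route table "
                            f"{r['gateway']} vs arp {arp[r['dest']]['mac']}")
    # A peer we exchange packets with must appear in arp -a; if it is missing,
    # suspect layer 1/2 (cable, VLAN) or the netmask before the firewall.
    for ip in peers:
        if ip not in arp:
            findings.append(f"no ARP entry for {ip}: layer 1/2 or netmask problem")
    return findings


def asymmetric_pairs(replies):
    """(a, b) where a gets a reply from b but b gets none from a.  One-way
    reachability between hosts on the same /29 points at host-level filtering
    or a wrong mask: the gateway is not in the path between two LAN hosts."""
    out = []
    for a, targets in replies.items():
        for b in targets:
            if a not in replies.get(b, set()):
                out.append((a, b))
    return sorted(out)


if __name__ == "__main__":
    for line in check_tables(NETSTAT_RN, ARP_A,
                             ["157.237.165.1", "157.237.165.2", "157.237.165.4"]):
        print("finding:", line)
    for a, b in asymmetric_pairs(PING_REPLIES):
        print(f"{a} gets replies from {b}, but {b} gets none from {a}")
```

Run stand-alone it prints the gateway MAC discrepancy and the two one-way pairs (.4 reaches .5 but not the reverse, .5 reaches .2 but not the reverse), which are exactly the two "why" questions in the thread; the same-segment asymmetry is the reason to look at each host's own filtering and mask before the upstream Firewall-1.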