On Saturday, May 14, 2011 03:27:53 PM JD wrote:
> On 05/14/11 12:55, Rick Sewill wrote:
> > On Saturday, May 14, 2011 10:46:51 AM JD wrote:
> >> On 05/14/11 09:17, Rick Sewill wrote:
> >>> On Saturday, May 14, 2011 09:27:55 AM JD wrote:
> >>>> On 05/14/11 08:48, G.Wolfe Woodbury wrote:
> >>>>> On 05/14/2011 09:36 AM, JD wrote:
> >>>>>> On my F14, I am running a firewall that accepts specific connections
> >>>>>> on specific ports from some machines on the LAN.
> >>>>>>
> >>>>>> However, for one machine I made a general rule to accept all
> >>>>>> connections:
> >>>>>>
> >>>>>> -A INPUT -s 192.168.1.60 -j ACCEPT
> >>>>>>
> >>>>>> After restarting the firewall,
> >>>>>>
> >>>>>> I still am unable to ping that machine and it is unable to ping me.
> >>>>>> That machine is not running a firewall.
> >>>>>>
> >>>>>> I can ping the router and another machine I have on the LAN.
> >>>>>> The machine at 192.168.1.60 can do the same.
> >>>>>>
> >>>>>> What else do I need to do to be able to talk to machine 192.168.1.60
> >>>>>> and it to my fedora machine?
> >>>>>
> >>>>> Try:
> >>>>>
> >>>>> -A INPUT -s 192.168.1.60/32 -j ACCEPT
> >>>>>
> >>>>> there needs to be a netmask in the syntax.
> >>>>
> >>>> Tried it.
> >>>> Did not change anything :(
> >>>
> >>> Could we see more of the network topology please?
> >>>
> >>> Can you do on both machines:
> >>> /bin/netstat -rn
> >>
> >> On Fedora Machine:
> >> # /bin/netstat -rn
> >> Kernel IP routing table
> >> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> >> 10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
> >> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
> >> 10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
> >> 192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
> >> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 wlan0
> >>
> >>
> >> On the machine in question (192.168.1.60)
> >> # /sbin/netstat -rn
> >> Routing tables
> >>
> >> Internet:
> >> Destination        Gateway            Flags    Refs      Use  Netif Expire
> >> default            192.168.1.254      UGSc        8        0    en1
> >> 127                127.0.0.1          UCS         0        0    lo0
> >> 127.0.0.1          127.0.0.1          UH          0        4    lo0
> >> 169.254            link#6             UCS         0        0    en1
> >> 192.168.1          link#6             UCS         2        0    en1
> >> 192.168.1.1        0:26:18:6:ef:7     UHLW        0      113    en1    566
> >> 192.168.1.60       127.0.0.1          UHS         0        0    lo0
> >> 192.168.1.254      0:1d:5a:c8:91:c1   UHLW       15      153    en1    565
> >>
> >> Internet6:
> >> Destination        Gateway            Flags    Netif Expire
> >> ::1                link#1             UHL      lo0
> >> fe80::%lo0/64      fe80::1%lo0        Uc       lo0
> >> fe80::1%lo0        link#1             UHL      lo0
> >> ff01::/32          ::1                U        lo0
> >> ff02::/32          fe80::1%lo0        UC       lo0
> >>
> >>> /sbin/ifconfig
> >>
> >> On Fedora machine:
> >>
> >> # /sbin/ifconfig
> >> eth0      Link encap:Ethernet  HWaddr 00:03:0D:15:2B:9E
> >>           inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
> >>           inet6 addr: fe80::203:dff:fe15:2b9e/64 Scope:Link
> >>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >>           RX packets:1340 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:849 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:1000
> >>           RX bytes:174589 (170.4 KiB)  TX bytes:418153 (408.3 KiB)
> >>           Interrupt:19 Base address:0xd800
> >>
> >> eth0:0    Link encap:Ethernet  HWaddr 00:03:0D:15:2B:9E
> >>           inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
> >>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >>           Interrupt:19 Base address:0xd800
> >>
> >> lo        Link encap:Local Loopback
> >>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>           inet6 addr: ::1/128 Scope:Host
> >>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >>           RX packets:4734603 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:4734603 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:0
> >>           RX bytes:373719874 (356.4 MiB)  TX bytes:373719874 (356.4 MiB)
> >>
> >> virbr0    Link encap:Ethernet  HWaddr 22:3E:A6:BB:CD:51
> >>           inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
> >>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:8391 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:0
> >>           RX bytes:0 (0.0 b)  TX bytes:1617830 (1.5 MiB)
> >>
> >> wlan0     Link encap:Ethernet  HWaddr 00:34:56:00:03:43
> >>           inet6 addr: fe80::234:56ff:fe00:343/64 Scope:Link
> >>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>           RX packets:4976669 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:4947232 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:1000
> >>           RX bytes:1062494718 (1013.2 MiB)  TX bytes:500756007 (477.5 MiB)
> >>
> >> wlan0:0   Link encap:Ethernet  HWaddr 00:34:56:00:03:43
> >>           inet addr:192.168.1.108  Bcast:192.168.1.255  Mask:255.255.255.0
> >>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>
> >> On 192.168.1.60:
> >> # /sbin/ifconfig
> >> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> >>         inet 127.0.0.1 netmask 0xff000000
> >>         inet6 ::1 prefixlen 128
> >> gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
> >> stf0: flags=0<> mtu 1280
> >> en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >>         ether 00:11:24:7e:2d:c8
> >>         media: autoselect (none) status: inactive
> >>         supported media: none autoselect 10baseT/UTP<half-duplex>
> >>         10baseT/UTP<full-duplex> 10baseT/UTP<full-duplex,flow-control>
> >>         10baseT/UTP<full-duplex,hw-loopback> 100baseTX<half-duplex>
> >>         100baseTX<full-duplex> 100baseTX<full-duplex,flow-control>
> >>         100baseTX<full-duplex,hw-loopback> 1000baseT<full-duplex>
> >>         1000baseT<full-duplex,flow-control> 1000baseT<full-duplex,hw-loopback>
> >> fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
> >>         lladdr 00:11:24:ff:fe:7e:2d:c8
> >>         media: autoselect<full-duplex> status: inactive
> >>         supported media: autoselect<full-duplex>
> >> en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >>         inet 192.168.1.70 netmask 0xffffff00 broadcast 192.168.1.255
> >>         ether 00:11:24:92:bc:e0
> >>         media: autoselect status: active
> >>         supported media: autoselect
> >>>
> >>> If you don't mind, it might be easiest to copy your firewall
> >>> rules so we can see them. As root,
> >>> /sbin/iptables -L -v
> >>
> >> Sorry. I cannot expose my FW settings to a public list because
> >> they might contain weaknesses that someone could exploit.
> >>
> >>> If you are concerned with security and sharing your public IP address,
> >>> may I suggest changing the public IP address ranges to something else,
> >>> like xxx.xxx.xxx.0, yyy.yyy.yyy.0, etc., in the output.
> >>
> >> Actually, I have no public IP addresses in the rules.
> >>
> >>> Another question... if you have multiple ethernet devices,
> >>> which device is 192.168.1.60 connected to?
> >>
> >> en1 (this is a Powerbook G4 running OS X 10.5.8).
> >
> > Both Fedora and the Powerbook can ping the default gateway,
> > 192.168.254.1 ?
> >
> > The Powerbook entries confuse me.
> > According to the Powerbook netstat -rn, I would expect an interface,
> > 192.168.1.60/some mask
> >
> > When I look at the Powerbook ifconfig, I see
> > en1: ... inet 192.168.1.70 netmask 0xffffff00 ...
> > I expected this entry to read inet 192.168.1.60 netmask 0xffffff00
> >
> > Can I suggest, for a test, change the iptables filters to allow any
> > incoming packet from 192.168.1.0/24, and then try to ping from
> > the Powerbook. Also, you might wish to check the ARP table on
> > Fedora to see what IP address/MAC address entries it knows about.
> > As root, try /sbin/arp -a
> > I am interested to know, after the attempted ping from the Powerbook,
> > what IP address/MAC entry is found, if any, on the Fedora.
>
> I added the rule
> -A INPUT -s 192.168.1.0/24 -j ACCEPT
> and retried.
> Same thing.
> Both machines can ping the GW, and they can ping a third machine I have
> on the LAN.
> But they cannot ping each other.
> I also brought the Fedora firewall down, and retried to ping Fedora
> from the Powerbook. No go!!

Interesting. Let me recap so I understand.

1) Only wireless links are active on the Fedora and the Powerbook.
2) The Powerbook wifi is interface en1; the Fedora wifi is wlan0 (wlan0:0).
3) Both the Fedora and the Powerbook can ping the gateway through the wifi.
4) From the above, a third machine is "on the LAN".
   I get this idea because of the phrase above,
   "they can ping a third machine I have on the LAN."
   This LAN is a wired ethernet network, connected to the gateway.

I need someone to chime in to help me understand wifi bridging better.
This setup sounds like wifi bridge mode as opposed to wifi ad-hoc mode.

Question: in wifi bridging, does the packet from the Powerbook, which is
destined for the Fedora, go through the gateway, or can the packet still
go directly from the Powerbook to the Fedora?

If the answer is the former, I would ask why the gateway doesn't relay
the packet to the Fedora.

If the answer is the latter, I would assume we should see entries in the
ARP tables, in both machines, for the other device in question, and
would ask what the ARP entries are in both the Fedora and the Powerbook.

Could you tell us the make/model of the gateway please?
I read, on the Internet, that different wifi gateways have different
capabilities.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
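The two questions the thread keeps circling (does a packet for the Powerbook leave the Fedora box directly or via the gateway, and which hosts does an iptables `-s` rule actually admit) can both be answered from the output already posted. The following is an added example, not code from the thread or from any of its participants: it parses the Fedora `netstat -rn` table quoted above, does the same longest-prefix lookup the kernel does, and checks `-s` rules against the addresses that appear in the thread. The `8.8.8.8` destination is an arbitrary off-LAN address chosen for illustration; everything else comes from the posted output.

```python
"""Route lookup and iptables source-match checks for the LAN in the thread.

Added example (not from the thread). Uses only the Python standard library.
"""
import ipaddress

# Constructed from the Fedora `netstat -rn` output quoted in the thread.
FEDORA_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 wlan0
"""


def parse_linux_routes(text):
    """Parse Linux `netstat -rn` output into (network, gateway, iface) tuples.

    gateway is None for on-link routes, which netstat prints as 0.0.0.0.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and header lines; route lines start with a dotted quad.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match over the parsed table, as the kernel does it.

    Returns (iface, "direct") when the host will ARP for dst itself, or
    (iface, "via <gateway>") when it hands the packet to a router.
    """
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, gw, iface = best
    return iface, "direct" if gw is None else f"via {gw}"


def source_matches(rule_src, packet_src):
    """Does an iptables `-s RULE_SRC` match a packet from PACKET_SRC?

    iptables treats a bare address as a /32 host match, so
    `-s 192.168.1.60` and `-s 192.168.1.60/32` admit exactly the same packets.
    """
    return ipaddress.IPv4Address(packet_src) in ipaddress.IPv4Network(rule_src, strict=False)


if __name__ == "__main__":
    routes = parse_linux_routes(FEDORA_NETSTAT_RN)
    # 192.168.1.60 is the host named in the rule, 192.168.1.70 is what the
    # Powerbook's en1 reports, 192.168.1.254 is the gateway; 8.8.8.8 is an
    # assumed off-LAN address used only to show a routed hop.
    for dst in ("192.168.1.60", "192.168.1.70", "192.168.1.254", "8.8.8.8"):
        print(f"{dst:15} -> {next_hop(routes, dst)}")
    for rule in ("192.168.1.60", "192.168.1.60/32", "192.168.1.0/24"):
        print(f"-s {rule:16} admits 192.168.1.70: {source_matches(rule, '192.168.1.70')}")
```

From the Fedora side both 192.168.1.60 and 192.168.1.70 come back as "direct" on wlan0, so the Fedora host will send its own ARP request for the Powerbook rather than hand the packet to 192.168.1.254; that is what makes the `arp -a` check the thread asks for decisive: if no entry for the Powerbook appears after a ping attempt, the ARP request or reply is not getting across the access point. The rule check shows that `-s 192.168.1.60` (with or without `/32`) admits nothing from 192.168.1.70, the address the Powerbook's en1 actually reports, which is why the thread's `192.168.1.0/24` test rule is the right way to take the firewall out of the equation before looking at the wireless layer.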