Well, thank you for your advice. I was trying to be lazy and not have to do it by hand for as long as possible; not so many hours in a day, sigh. Time to dust off the ol' Linux Firewall Book and take a look at your web page. At least this problem I can work on during work, since it is because of them I am having this problem. I upgraded our Checkpoint Firewall to the newest version and all of a sudden my firewall that I NAT through from my Windows box can no longer talk to our Checkpoint firewall using Checkpoint client VPN tools. I know nothing on my end changed, and of course Checkpoint can't help.

Jamin W. Collins wrote:

>On Wed, 25 Sep 2002 10:16:04 -0400 Quenten Griffith <[EMAIL PROTECTED]>
>wrote:
>
>>Ok you're crazy...........using Fwbuilder if you want to use an option
>>called "log all dropped traffic" you need to have the drop table patch
>>applied to your kernel.
>
>Ahhh... you didn't indicate that it was a limitation of Fwbuilder that was
>causing the need. It is a simple matter to log all dropped packets under
>iptables and doesn't require the "drop table patch". This is of course
>assuming that the firewall was designed with this in mind. However, I'm
>not familiar with Fwbuilder specifics. Here's an overview of how you
>could go about this from a normal iptables perspective.
>
>For each table (nat, filter, and mangle) create a new chain, call it
>something like <table>_drop (i.e. filter_drop). Then add two rules to
>these new chains, one to log the packet and one to drop the packet. Then
>any time you would have used the DROP target in a given table instead use
>the <table>_drop chain as your target instead. Additionally, make sure
>that your default policies for all default chains in a table are set to
>DROP and that the last rule in each of the default chains is a LOG target.
>Now, any packet that is dropped will be logged just prior to being
>dropped.
>
>I implement something very similar to the above in the script I maintain
>(http://asgardsrealm.net/linux/firewall).
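
The log-then-drop chain described in the quoted message, as an added example that is not part of the original thread or of the linked script. It is restricted to the filter table, since current iptables releases refuse the DROP target in nat. The function names, log prefixes, rate limit and sample accept rules are assumptions, and the commands are only printed so they can be reviewed before use.

```shell
#!/bin/sh
# Added example: emit iptables commands that log every packet before it is dropped.
# Review the output, then pipe it to `sh` as root to apply it.

# emit_logdrop_chain TABLE
# Prints commands for a <table>_drop chain: one LOG rule, then one DROP rule.
emit_logdrop_chain() {
    table=$1
    chain="${table}_drop"
    echo "iptables -t $table -N $chain"
    # Assumed rate limit: keeps a packet flood from filling the log volume,
    # at the cost of not logging every packet during a burst.
    echo "iptables -t $table -A $chain -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix \"${chain}: \" --log-level 4"
    echo "iptables -t $table -A $chain -j DROP"
}

# emit_default_policy TABLE CHAIN...
# Appends a final LOG rule to each built-in chain and sets its policy to DROP,
# so packets that match no rule are logged just before the policy drops them.
# Must be emitted after every other rule for the chain.
emit_default_policy() {
    table=$1
    shift
    for c in "$@"; do
        echo "iptables -t $table -A $c -j LOG --log-prefix \"${table}_${c}_policy: \" --log-level 4"
        echo "iptables -t $table -P $c DROP"
    done
}

# emit_filter_ruleset
# Constructed sample ruleset: explicit drops jump to filter_drop, never to DROP.
emit_filter_ruleset() {
    emit_logdrop_chain filter
    echo "iptables -t filter -A INPUT -i lo -j ACCEPT"
    echo "iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT"
    echo "iptables -t filter -A INPUT -p tcp --dport 23 -j filter_drop"
    # OUTPUT is left at its existing policy in this sample (assumption).
    emit_default_policy filter INPUT FORWARD
}

emit_filter_ruleset
```
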