On Mon, 2002-02-25 at 14:30, Steve Holmes wrote:

> Actually, I can't do it from the firewall box nor the inside. One thing I
> can tell for sure, I can communicate back and forth between the local
> boxes but nobody can get outside with ping, traceroute, dig or any of
> those good buddies. The forward chain does look identical to what you
> suggested below. I need to dig into the input chain, I believe. This
> package script uses an inet-in rule to set up the various permissions and
> the internet device (network card) is defaulted to this internet rule. If
> allowed through, those ports are '-j ACCEPT'. But devices lo (loopback)
> and LAN card (eth0 in my case) both default to input -j ACCEPT so they
> should be getting through no matter what, I would think. So I'm either
> missing something or there may be a bug in my implementation of ipchains.

---

OK - first things first... if you try

    ifconfig | less

it will tell you what the configuration is for each interface. I am presuming that you have an eth0, eth1 and lo. eth0 should be your public IP or your LAN IP address and eth1 should be whichever eth0 isn't. If you enter...

    ipchains -F input
    ipchains -F output
    ipchains -F forward
    ipchains -P input ACCEPT
    ipchains -P output ACCEPT
    ipchains -P forward ACCEPT

you will have turned off all blocking rules - you can select the entire mess in your mail client and click with the 3rd button in a terminal window if you use KDE to keep from typing.

After this rule set is in place, try to ping some easy items... your name server addresses in /etc/resolv.conf should be good ones - then try to ping www.yahoo.com for good measure (tests whether your DNS client setup is good). After this works, you can implement your rule sets and then try to ping the same things - if this works, then you should be able to work through the masquerading on your LAN computers, but don't bother with them until your firewall box can ping the internet freely.
If your firewall computer cannot ping the internet freely after the introduction of the firewall rules, then you probably need to look at these types of things...

    # Local interface, any source going to local net is valid.
    /sbin/ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN

    # Loopback interface is valid.
    /sbin/ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE

    # Enabling all input REPLY (TCP/UDP) traffic on high ports.
    /sbin/ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP 1025-65535

The first 2, allowing stuff out, are necessary, and the last one, allowing replies back in, is necessary. This all is too tough - I would HEAVILY recommend that you use something intelligently worked through... This is David Ranch's strong rulesets for TrinityOS. They are comprehensive and easy enough to track.

Craig
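As an added example that is not part of Craig's message or of the TrinityOS rule sets: a dry-run shell script that prints the two stages of the procedure above (open everything, then the three minimal rules), pulls the resolvers out of a constructed resolv.conf as the ping targets, and models which TCP packets the `! -y` reply rule admits. The interface names and addresses (INTIF, LOOPBACKIF, EXTIP, INTLAN) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from Craig's message or from TrinityOS. Nothing here
# calls ipchains; it prints the commands so they can be reviewed before use.
INTIF="${INTIF:-eth0}"              # assumed LAN-facing interface
LOOPBACKIF="${LOOPBACKIF:-lo}"
EXTIP="${EXTIP:-198.51.100.10}"     # assumed placeholder public address
INTLAN="${INTLAN:-192.168.1.0/24}"  # assumed LAN network
UNIVERSE="0.0.0.0/0"

# Stage 1: flush every chain and open all policies, only for the test window.
stage1_open_cmds() {
    for chain in input output forward; do echo "ipchains -F $chain"; done
    for chain in input output forward; do echo "ipchains -P $chain ACCEPT"; done
}

# Stage 2: the three rules from the message. They only matter once the
# input/output policies are restrictive again; print them for review.
stage2_minimal_cmds() {
    echo "ipchains -A output -j ACCEPT -i $INTIF -s $UNIVERSE -d $INTLAN"
    echo "ipchains -A output -j ACCEPT -i $LOOPBACKIF -s $UNIVERSE -d $UNIVERSE"
    echo "ipchains -A input -j ACCEPT ! -y -p tcp -s $UNIVERSE -d $EXTIP 1025-65535"
}

# Ping targets between stages: the resolvers named in resolv.conf text on stdin.
resolver_targets() { awk '$1 == "nameserver" { print $2 }'; }

# ipchains -y matches only TCP packets with SYN set and ACK/FIN clear, i.e. a
# new inbound connection request. '! -y' therefore admits replies (SYN+ACK,
# ACK, FIN) but not a bare SYN. Returns 0 when the reply rule would match.
reply_rule_matches() {
    case ",$1," in
        *,ACK,*|*,FIN,*) return 0 ;;   # has ACK or FIN: not a connection request
        *,SYN,*)         return 1 ;;   # bare SYN: excluded by '! -y'
        *)               return 0 ;;   # no SYN at all (e.g. RST): matched
    esac
}

# Constructed sample resolv.conf for offline use.
SAMPLE_RESOLV='nameserver 192.0.2.53
search example.org
nameserver 192.0.2.54'

if [ "${1:-}" = "show" ]; then
    stage1_open_cmds; echo; stage2_minimal_cmds; echo
    printf '%s\n' "$SAMPLE_RESOLV" | resolver_targets | sed 's/^/ping -c 3 /'
fi
```

Run it as `sh script.sh show` to print both stages and the ping commands for the sample resolvers.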