RE: [FW1] packets sent to 224.0.0.1



Hi

The ip_respond_to_echo_broadcast is set to 1 on both the fw-1 machine and
the EFS machine.

Interestingly, we have another Sun mail cluster sitting behind a fw-1
stonebeat fullcluster installation. In this instance I see echo-request to
224.0.0.1, but no reply coming from the fw-1. However, the mail cluster
doesn't complain about anything!

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Luke, Jason (ISS Southfield)
> Sent: Thursday, February 22, 2001 5:02 PM
> To: '[email protected]'; [email protected]
> Subject: RE: [FW1] packets sent to 224.0.0.1
>
>
>
> First thought, create a network object for 224.0.0.1, and allow the firewall
> to talk ANY to it, as a test.  If it works, restrict it to what is necessary.
>
> If it doesn't work, it is probably an OS problem, and not a firewall problem.
> This is merely a shot in the dark, as I really haven't worked with this
> scenario much, but could the kernel parameter 'ip_respond_to_echo_broadcast'
> be set to 0, thereby stopping the Solaris box from replying? I'm not sure
> if that is exactly what this kernel parameter does, but it sounds good.
>
>
>
> -----Original Message-----
> From: corne [mailto:[email protected]]
> Sent: Thursday, February 22, 2001 9:00 AM
> To: [email protected]
> Subject: [FW1] packets sent to 224.0.0.1
>
>
>
> Hi all
>
> I have a situation where 2 Sun mail servers form a cluster behind a firewall
> (fw-1 4.1 sp2, solaris 2.7 latest patches, NetraT platform).
>
> Each node in the cluster has 2 interfaces, in case an interface on the given
> machine fails. A node tests for failover of these interfaces by sending ICMP
> to 224.0.0.1. According to the Sun guys, this should get a response back
> from the machine's gateway, which is the fw. However, we are not seeing this.
>
> I have allowed echo-reply,-request,icmp-proto,redirect&dest-unreach between
> the mail cluster nodes, the fw and a workstation object with ip = 224.0.0.1,
> still no luck. ICMP is also switched on in the properties (*gasp*!).
>
> Doing a snoop on the fw's interface I can see packets from the mail cluster
> to 224.0.0.1:
>
> mailnode1.mydomain.bla -> ALL-ROUTERS.MCAST.NET ICMP Echo request
> mailnode1.mydomain.bla -> ALL-SYSTEMS.MCAST.NET ICMP Echo request
>
> Is it possible to get the fw to reply to these requests? All this was
> working fine until I replaced a Sun EFS firewall with the fw-1 box.
>
> btw: does anyone have some pointers on what the results are of sending
> packets to 224.0.0.1? What kind of answers will you get from other machines
> on the network?
>
> Regards
> Corne van Dyk
> Dimension Data: Network security engineer
> Tel: +27 21 659 2540
> Fax: +27 21 659 2101
> Helpdesk: +27 21 659 2112
>
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.