I would first look at the filter definitions. Firewall-1 shuts out all
packets to itself by definition, and then everything you want through
must be explicitly defined.
This may mean in your case that you have to have the filters written and
saved on another machine, and then tested on your configuration.
On my config for example, the first three (or so, I'm not looking at the
moment) rules deal strictly with what communication the firewall machine
itself needs in order to be managed. These filters were written with the
firewall itself being its own management station with rpc and openwindows
turned on. Once the machine was demonstrably stable, we then moved the
management to the end target machine, and started sanitizing the firewall
itself, checking for stability all along the way.
You might start by looking with a network analyzer to see what packets
are being sent to the firewall (and probably ignored/discarded) as a means
of figuring out what needs to be allowed.
Good luck,
BobK
|
|
