ZW_Joe

join:2005-10-08
San Anselmo, CA

Zywall USG 100 - 1st Firewall rule won't work

I have no idea what I did to break this.

I normally turn off WAN1 to break the active sessions before I turn off the very 1st firewall rule allowing partners in to our web service. Then I quick like a bunny do the routine db maintenance and turn everything back on. And up until earlier this evening it's been working without a hiccup.

Now I'm seeing nothing but rule 18 denying all. I have no idea what is going on.

I've rebooted, reloaded the config files. Even deleted the firewall rules and remade them. Still skipping 1-17 and punching everyone out.

Any ideas? Or, did I finally break it?


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Without a screenshot of the fw rules it's hard to say, and what is the log indicating?

Kirby Smith

join:2001-01-26
Derry, NH
reply to ZW_Joe
If all else fails, it should be possible using the directions (that I don't have at hand) to restore the original firmware condition as manufactured, upgrade in stages, and then reload the latest config file. A pain, to be sure, but unless the hardware is broken, it should work.

Perhaps as an intermediate step, reinstall just the latest firmware over itself and reload the latest config file.

kirby

ZW_Joe

join:2005-10-08
San Anselmo, CA
reply to ZW_Joe
Well, not sure what I did that was actually different, but just got things kinda back to normal. Didn't have to go back to factory reset (whiskey bottle was nearby though.) I went through my downloaded configs and tried the second to last one I had saved and this seemed to clear mostly everything.

Only issue now is I can't get from LAN1 (home stuff) to LAN2 (business stuff.) This is one thing I've never really had an easy time with. From what I understand, out of the box it's supposed to allow the LANs to see each other, but I've had to create rules to allow this, and what I have isn't working.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Well, if I have time I would be happy to remote in and see what you're doing. Just not tonight.

Kirby Smith

join:2001-01-26
Derry, NH
reply to ZW_Joe
In other words, if you had a PC at 192.168.1.100 on LAN 1 and another PC at 192.168.2.150 on LAN 2, you couldn't ping or otherwise connect from one to the other? If not, then a pair of firewall rules allowing any protocol from LAN 1 to LAN 2 and LAN 2 to LAN 1 should work. These rules have to precede any blocking rules.

kirby

ZW_Joe

join:2005-10-08
San Anselmo, CA
Weird. After removing the firewall rule (LAN1 to LAN2) and re-adding it, BINGO - it works! Not sure why this was hiccuping, given I hadn't changed this rule in a year.

Thanks for the prompt to look at this again.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Order of rules is very important, and perhaps by adding it back in it's now at the right spot order-wise.

ZW_Joe

join:2005-10-08
San Anselmo, CA
No. Same spot as before. I moved it after I created it.

Not sure if WAN to LAN rules should be before LAN or DMZ rules, but that's what I've had since the beginning.

In general this is the order of things:
WAN -> LAN (allow)
LAN -> LAN (allow)
WAN -> ZyWall (allow) - I turn off most of the time.
WLAN -> Inactive, nothing connected
DMZ -> Inactive, nothing connected
LAN -> LAN (deny)
WAN -> LAN (deny)
WAN -> Zywall (deny)
Any -> Any (deny)

I block everything but trusted IPs, and most of the deny rules are factory settings.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Too funny. Actually, the order on the TOTAL list is not important, as the lists do not cross each other; this view is simply to have a global view on all the rules. What's important is the order within each subject list, meaning for example within WAN to LAN.
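Added example, not from the thread or from ZyXEL: a small first-match model of the zone-pair rule table ZW_Joe posted, showing that moving a rule for a different zone pair around the global list does not change an outcome, while order within one zone pair does, and that switching off rule 1 drops partner traffic onto the deny rules. The trusted range 203.0.113.0/24, the rule-table layout and the helper names are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of a first-match, zone-pair policy table shaped like the
# ZyWALL USG rule list posted in the thread. Not ZyXEL code or data.
TRUSTED = [ip_network("203.0.113.0/24")]  # placeholder partner range, not from the thread


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str           # "allow" or "deny"
    src: str = "any"      # "any" or "trusted" (checked against TRUSTED)
    enabled: bool = True


# Global list in the order ZW_Joe posted it (inactive zones omitted).
RULES = [
    Rule("WAN", "LAN", "allow", src="trusted"),      # rule 1: partners in
    Rule("LAN", "LAN", "allow"),
    Rule("WAN", "ZyWALL", "allow", src="trusted", enabled=False),
    Rule("LAN", "LAN", "deny"),
    Rule("WAN", "LAN", "deny"),
    Rule("WAN", "ZyWALL", "deny"),
    Rule("any", "any", "deny"),                      # catch-all, like rule 18
]


def applies(rule, src_zone, dst_zone, src_ip):
    """True if the rule is enabled and matches this zone pair and source."""
    if not rule.enabled:
        return False
    if rule.src_zone not in (src_zone, "any") or rule.dst_zone not in (dst_zone, "any"):
        return False
    return rule.src == "any" or any(ip_address(src_ip) in n for n in TRUSTED)


def evaluate(rules, src_zone, dst_zone, src_ip):
    """First-match: the first applicable rule decides; nothing matching is denied."""
    for rule in rules:
        if applies(rule, src_zone, dst_zone, src_ip):
            return rule.action
    return "deny"


def with_rule_disabled(rules, index):
    """Copy of the table with one rule switched off (the maintenance-window step)."""
    return [replace(r, enabled=False) if i == index else r for i, r in enumerate(rules)]


def with_rule_moved(rules, index, new_index):
    """Copy of the table with one rule moved to a new position in the global list."""
    moved = list(rules)
    moved.insert(new_index, moved.pop(index))
    return moved
```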


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
reply to ZW_Joe
Why don't you post the output from the CLI command show firewall any any and let's have a look together.