
Conference noted::seal

Title:SEAL
Moderator:GALVIA::SMITH
Created:Mon Mar 21 1994
Last Modified:Fri Jun 06 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:1989
Total number of notes:8209

1908.0. "Problems subnetting 10.x.x.x in screend" by EEMELI::HJONSSON (Ebbe Jonsson) Tue Apr 08 1997 07:25

Greetings & hallucinations!

I've been trying to set up screend to allow access to a subnetted
(255.255.255.0) 10.0.0.0 network (10.4.115.0), but can't seem to get it to work.
Has anyone done this using a class A or class B network?

It does work if I use the 10.0.0.0 network as a net (between net 10.0.0.0 and
...), but not if I use the actual 10.4.115.0 subnet. And yes, the subnet spec is
in the screend.conf file.

The docs seem to indicate that it's OK to use subnets once they're declared, and
the screend.conf file is happily accepted by screend; but once in operation,
packets to the 10.4.115.0 subnet aren't recognized.

Rgs,

	[email protected]
1908.1. "It's not just class A networks that are affected" by EEMELI::HJONSSON (Ebbe Jonsson) Fri Apr 11 1997 04:05
The same problem persists for B class networks subclassed into C class networks
using netmask 255.255.255.0.

Rgs,
	[email protected]

1908.2. "Check netmask specification..." by STAR::WALD Fri Apr 11 1997 10:22
    I don't know if this is your problem, but something to watch 
    out for with screend is if you are using something like:
    
    #
    for 10.4.115.0 netmask is 255.255.255.0;
    between any and subnet 10.4.115.0 udp port 53 accept log;
    default reject log;
    #
    
    This will never work.  The netmask specification statement expects a
    valid network address, which 10.4.115.0 is not (it is of course a
    subnet address).  In my opinion, screend should issue an error 
    message if you try to use something like the above.  The right way to
    accomplish the desired result is:
    
    #
    for 10.0.0.0 netmask is 255.255.255.0;
    between any and subnet 10.4.115.0 udp port 53 accept log;
    default reject log;
    #
                                                
    
    Hans.
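The rule Hans describes above (the `for` statement must name the classful class A/B/C network address, and subnet addresses such as 10.4.115.0 belong only in `subnet` clauses) can be checked mechanically before screend is started. The following is an added example, not part of screend, its documentation or this thread: a small Python lint that reads `for ... netmask is ...;` and `subnet ...` clauses from a screend.conf, flags a `for` line that names a subnet instead of the classful network, flags a mask shorter than the network's natural mask or a `subnet` that is not on the declared mask boundary, and rewrites offending `for` lines to the classful address. It goes slightly beyond the thread by handling class B and class C networks the same way. The two regexes are assumptions based on the statement syntax shown in this thread, not the full screend.conf grammar; the sample configuration is the one from .2.

```python
"""Lint screend.conf 'for <net> netmask is <mask>;' declarations.

Added example for this thread; not part of screend or of DEC's
documentation.  It encodes the rule from .2 (confirmed in .4): the 'for'
statement must name the classful (class A, B or C) network address, e.g.
'for 10.0.0.0 netmask is 255.255.255.0;', and subnet addresses such as
10.4.115.0 appear only in 'subnet' clauses.  The regexes are assumptions
about the syntax shown in the thread, not a full screend.conf grammar.
"""
import ipaddress
import re

FOR_RE = re.compile(
    r"^\s*for\s+(\d+\.\d+\.\d+\.\d+)\s+netmask\s+is\s+(\d+\.\d+\.\d+\.\d+)\s*;"
)
SUBNET_RE = re.compile(r"\bsubnet\s+(\d+\.\d+\.\d+\.\d+)\b")


def classful_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """Return the classful network an address belongs to (A=/8, B=/16, C=/24)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not a class A, B or C address")
    return ipaddress.IPv4Network((str(addr), prefix), strict=False)


def mask_prefix(mask: str) -> int:
    """Convert a dotted netmask to a prefix length; non-contiguous masks raise."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def lint_screend_conf(text: str) -> list[str]:
    """Return a list of problems; an empty list means the declarations look sane."""
    declared = {}  # classful network -> prefix length from its valid 'for' line
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FOR_RE.match(line)
        if m:
            addr = ipaddress.IPv4Address(m.group(1))
            prefix = mask_prefix(m.group(2))
            net = classful_network(addr)
            if addr != net.network_address:
                # The case from .2: a subnet address where screend wants the network.
                problems.append(
                    f"line {lineno}: 'for {addr}' names a subnet, not the class "
                    f"network; screend wants 'for {net.network_address} "
                    f"netmask is {m.group(2)};'"
                )
            elif prefix < net.prefixlen:
                problems.append(
                    f"line {lineno}: netmask {m.group(2)} is shorter than the "
                    f"natural mask of {net}"
                )
            else:
                declared[net] = prefix
            continue
        for subnet in SUBNET_RE.findall(line):
            sub = ipaddress.IPv4Address(subnet)
            net = classful_network(sub)
            if net not in declared:
                problems.append(
                    f"line {lineno}: subnet {sub} used, but no valid "
                    f"'for {net.network_address} netmask is ...;' declares its mask"
                )
                continue
            subnet_net = ipaddress.IPv4Network((str(sub), declared[net]), strict=False)
            if sub != subnet_net.network_address:
                problems.append(
                    f"line {lineno}: {sub} is not on a /{declared[net]} boundary "
                    f"(did you mean {subnet_net.network_address}?)"
                )
    return problems


def fix_screend_conf(text: str) -> str:
    """Rewrite every 'for' line to use the classful network address."""
    out = []
    for line in text.splitlines():
        m = FOR_RE.match(line)
        if m:
            net = classful_network(ipaddress.IPv4Address(m.group(1)))
            line = f"for {net.network_address} netmask is {m.group(2)};"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample: the configuration from .2 that "will never work".
BAD_CONF = """\
for 10.4.115.0 netmask is 255.255.255.0;
between any and subnet 10.4.115.0 udp port 53 accept log;
default reject log;
"""

if __name__ == "__main__":
    for problem in lint_screend_conf(BAD_CONF):
        print(problem)
    print("--- fixed ---")
    print(fix_screend_conf(BAD_CONF), end="")
```

Run against the .2 example it reports the `for 10.4.115.0` line and, because no valid declaration then covers 10.0.0.0, the `subnet 10.4.115.0` clause as well; after `fix_screend_conf` the file lints clean. The same logic turns `for 172.16.5.0 netmask is 255.255.255.0;` into `for 172.16.0.0 ...`, which is the class B case from .1.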
1908.3. "Eureka??? Tunnel on firewall." by OSL09::BJORNMY (Open but Secure) Tue Apr 15 1997 03:51
    Some time ago a customer of ours and I tried independently to configure
    a tunnel server on a firewall, but neither of us could get it working.
    Questions in this conference and discussions with others have not
    resolved this problem, although some have said that "we have set it up
    with no problems".
    
    .2 gave me an "Eureka!" feeling yesterday. Following "the book" we had
    used the following screend.conf:
    
    	default reject notify log;
    	for 10.2.1.0 netmask is 255.255.255.0;
    	from interface blue to subnet 10.2.1.0 accept;
    	from subnet 10.2.1.0 to interface blue accept;
    
    According to .2 the second line should have been:
    
    	for 10.0.0.0 netmask is 255.255.255.0;
    
    I have not tested this yet, but hope to do so during the week. I will
    keep you posted on the result. (If this works, the installation
    procedure in the manual should contain a warning!)
    
    Bjørn
1908.4. ".2 works" by EEMELI::HJONSSON (Ebbe Jonsson) Tue Apr 15 1997 05:23
The procedure suggested by STAR::WALD in .2 does work (thanks, Hans!).

The man pages are indeed a bit misleading, as they talk about 'subnet mask
specification' not 'network mask specifications'.

Rgs,
	[email protected]
1908.5. ".2 also works with fw/tunnel" by OSL09::BJORNMY (Open but Secure) Mon Apr 21 1997 07:35
    .2 also works for a tunnel and firewall on the same machine. Thanks a lot,
    Hans!
    
    Bjørn