[techtalk] Solution to connectivity problem & Thank you!

C. M. Martin caitlyn at netferrets.net
Wed Aug 16 12:18:56 EST 2000


Hi, everyone,

All is working here now.  The opinion of the engineer I was working with is
that the first netstat entry *is* wrong, since the address is outside the
bounds of our network, but it isn't affecting anything, and my attempts to
delete and correct the entry with the route command fail.  Since it really
doesn't break anything, we're going to worry about it later.

The problems were, as I suspected, simple and stupid.  I had forgotten to add a
forward -j ACCEPT line for the server on the DMZ to ipchains.  I put one line
allowing everything, and suddenly everything worked.  Needless to say, I need
to replace it with specific lines only allowing specific ports.  Yikes!  Once
that was fixed, tracert (the NT version of traceroute), ping, and so on all
worked.

Problem two (equally stupid) is that NetBIOS is *not* routable, and I was trying
to route authentication through the firewall.  Duh!  I needed to dual home the
DC and turn IP forwarding off on that box so that it can't be used to do an
end-around to get past the firewall.  Consider it another limitation of how
Microsoft chose to do NT authentication. (Like, who needs domains on more than
one network and only one or two domain controllers, right? I mean, we
all know you should buy at least one extra NT box for each net, don't we?
Yuck!)  Geez, I *knew* this, but forgot about it.  I've been thinking *nix and not
thinking Microsoft.

Anyway, we've got it, and all is well.  I just have a pounding headache from
hitting my head against the wall like an idiot.  I should have known better!

Oh, and whoever recommended gfcc as the graphical interface for the firewall:
THANK YOU!  It doesn't do everything we'd like, but it's got most of it and my
Windows-oriented clients can work with it.

Best,
Caity

Caitlyn M. Martin
NetFerrets
caitlyn at netferrets.net
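The two ipchains configurations the message contrasts, as an added example that is not part of the original post: the single catch-all forward rule that made everything work, beside a default-DENY forward chain that only admits named TCP ports to the DMZ server. Addresses are constructed placeholders, and the IPCHAINS variable defaults to a dry run (echo) so the ruleset can be reviewed on a machine without a 2.2 kernel.

```shell
#!/bin/sh
# Added example; not from the original message. Set IPCHAINS=ipchains to apply
# for real; by default the commands are only printed for review.
IPCHAINS="${IPCHAINS:-echo ipchains}"
DMZ_SERVER="192.0.2.10"        # constructed: the server on the DMZ
INSIDE_NET="192.168.10.0/24"   # constructed: internal LAN behind the firewall
ANYWHERE="0.0.0.0/0"

# The "one line allowing everything": every packet crossing the box is forwarded.
permissive_forward() {
    $IPCHAINS -A forward -j ACCEPT
}

# Replacement: deny by default, then accept only the listed TCP ports to the
# DMZ server. The "! -y" rules let replies (non-SYN packets) back out without
# letting the DMZ host open new connections; ipchains is stateless, so this
# SYN check is the usual way to express "established traffic only".
restrictive_forward() {
    $IPCHAINS -P forward DENY
    for port in "$@"; do
        $IPCHAINS -A forward -p tcp -s "$ANYWHERE" -d "$DMZ_SERVER" "$port" -j ACCEPT
        $IPCHAINS -A forward -p tcp -s "$DMZ_SERVER" "$port" -d "$ANYWHERE" ! -y -j ACCEPT
    done
    # inside LAN may reach the DMZ server; the server may only answer (no new SYNs inward)
    $IPCHAINS -A forward -s "$INSIDE_NET" -d "$DMZ_SERVER" -j ACCEPT
    $IPCHAINS -A forward -p tcp -s "$DMZ_SERVER" -d "$INSIDE_NET" ! -y -j ACCEPT
    # list the resulting chain numerically for a final check
    $IPCHAINS -L forward -n
}
```

Run `restrictive_forward 80 443` to see the rules for a web server on the DMZ; anything not listed stays blocked by the DENY policy.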