please help with sunscreen configuration

Archived from groups: comp.security.firewalls,comp.sys.sun.admin (More info?)

I have a Sparc box running Sunscreen on Solaris 9 doing nat (and some packet
filtering) between my single official IP address and two local private
nets. I have one DYNAMIC nat rule which handles the setup just fine:

> 1 DYNAMIC "inside" "Internet" "outsideip" "Internet"

additionally, I want some services running on a machine called "douglas"
which is on one of the private networks, be accessible from the outside
Internet. so I added another nat rule to handle just that:

> 2 STATIC "Internet" "outsideip" "Internet" "douglas"

this works, too - at least as it comes to "douglas" being accessible.
however, when this second nat is active, the screen itself can no longer
contact addresses in the Internet. All other machines on the private nets
still can, and the screen itself can contact the private machines, too. It
just doesn't connect outside - I want it at least to be able to ping the
cable modem and maybe do DNS lookups.

Here are some of my address entries:

> "douglas" HOST 192.168.0.2
> "inside" GROUP { "qfe1.net" "qfe2.net" } { }
> "Internet" GROUP { "*" } { "inside" "localhost" }
> "outsideip" HOST 80.xxx.xx.xx (=my public IP address on qfe0)

Can anyone out there please give me a clue?

cheers
Heimo


--
l'essentiel est invisible pour les yeux.