(Category) NetMAXFAQ :
Routing / Fire Wall / Proxy Cache
Questions regarding routing or fire wall rules.
Answers in this category:
(Answer) How do I setup Traffic Rerouting (port forwarding)?
(Answer) How do I enable NAT?
(Answer) I have more than one NIC in my NetMAX machine, how do I enable routing between them?
(Answer) How can I get ICQ to work behind my NetMAX firewall?
(Answer) How do I setup port forwarding (on FreeBSD)?
(Answer) Why does a route I entered not get created, even though NetMAX doesn't give me any errors?
(Answer) Why does my telnet session through my NetMAX FireWall time out?
(Answer) Can I specify certain URLs that I don't want cached?
(Answer) Are SSL-secure websites cached?
(Answer) How do I prevent large files from using up all of my cache space?
(Answer) What services can the Proxy Caching Server handle?
(Answer) How do I force my clients to use the Proxy Caching Server for accessing web services?
(Answer) I can't log in to a Microsoft NT Domain Controller through a NetMAX FireWall.
(Answer) Is there a more technical white paper available for my firewall?
(Answer) After the nightly log truncation, my proxy caching logging stops.
(Answer) My proxy caching server's logs are showing statistics from Dec 31, 1969.
(Answer) My proxy caching server is using too much of my memory, what is wrong?
(Answer) How do I interpret my FireWall(kernel) logs?
(Answer) Do the L2.2Pv3.x FireWall products include Traffic Rerouting?
(Answer) CGIs won't work through my NetMAX proxy. What can I do?
(Answer) I locked myself out of NetMAX with firewall rules. What can I do?
(Answer) My traffic rerouting isn't working, what can I do?
(Answer) How do I get my Proxy Caching Server to listen on multiple addresses?

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I setup Traffic Rerouting (port forwarding)?
Applies to:
  NetMAX Version 2.2
  NetMAX 3.0 - 4.0x: Please see the user's manual
This example makes the following assumptions:

  1. You're running version L22Pv2.2 of NetMAX Fire Wall or Professional.
  2. Your NetMAX Fire Wall has two NICs, where the "external" NIC has an Internet-routable static IP address and the internal NIC has a private IP address of 192.168.0.1 and a host name of netmax.
  3. You want to forward web traffic (port 80) coming into your network via the NetMAX to your web server that has a private IP address of 192.168.0.5 and a host name of www.
  4. You want to forward ftp traffic (ports 20 & 21) coming into your network via the NetMAX to your ftp server that has a private IP address of 192.168.0.10 and a hostname of ftp.

    netmax.mydomain.com = 192.168.0.1
    www.mydomain.com = 192.168.0.5
    ftp.mydomain.com = 192.168.0.10

Here are the steps that you must take. You may already have performed some of these steps, in which case you may skip the steps that you don't need.

  1. From Home|Network|Naming, enter a host name for your external network adapter, select an available domain name for the hostname, and select the external IP address from the select box. From here on, we assume that you entered router as the host name for the external network adapter.

    router.mydomain.com = [External IP address]

  2. Click on the plus symbol (Add item to list).
  3. Click on STORE, to store the changes.
  4. From Home|Network|Machines, click on CREATE.
  5. Type www in the Name field, and 192.168.0.5 in the IP Addresses field.
  6. Click on the plus symbol (Add item to list) to add the IP address.
  7. Click on STORE, to store the changes.
  8. From Home|Network|Machines, click on CREATE.
  9. Type ftp in the Name field, and 192.168.0.10 in the IP Addresses field.
  10. Click on the plus symbol (Add item to list) to add the IP address.
  11. Click on STORE, to store the changes.
  12. Click on COMMIT, and commit the changes.
  13. From Home|Network|Traffic Rerouting, click on CREATE.
  14. Enter:

    Incoming Address and Port: router.mydomain.com 80
    Redirect To: www.mydomain.com 80

  15. Click on the plus symbol (Add item to list) next to the port number.
  16. Click on RETURN.
  17. Click on CREATE.
  18. Enter:

    Incoming Address and Port: router.mydomain.com 21
    Redirect To: ftp.mydomain.com 21

  19. Click on the plus symbol (Add item to list) next to the port number.
  20. Click on RETURN.
  21. Click on STORE, to store the changes.
  22. Click on COMMIT, and commit the changes.

DON'T FORGET TO SET THE DEFAULT GATEWAY ON YOUR FTP AND WEB SERVER TO BE THE INTERNAL IP ADDRESS OF YOUR NETMAX (192.168.0.1).

Then for the clients to access these services, they will actually want to use the NetMAX's public IP address and appropriate port.

Each time you add an incoming and redirection address, you are telling NetMAX to redirect all UDP and TCP traffic for that incoming port.

Notes: Traffic Rerouting is only available from NetMAX L22Pv2.2 Fire Wall and Professional and it only works on traffic coming in through the defined external address and port, so it will only work on traffic coming in through the external interface (more than likely this means that you'll need to test it from another network).

NetMAX Version 3.0 and above also include a traffic rerouting feature, but it is available from the Reroute tab in Home|Network|Routing. Please see your user manual for further instructions.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I enable NAT?
Applies to: NetMAX version 2.0 - 4.0x
  1. From Home|Network|Interfaces, click on the pencil icon next to the network interface where you want OUTBOUND traffic to be translated (more than likely, this will be your external interface).
  2. Check the box that says "Enable IP Network Address Translation (NAT)".
  3. Click on STORE to store your changes.
  4. Click on COMMIT and then COMMIT again to commit the changes.

NAT does OUTBOUND traffic translation on forwarded (routed) IP packets.

You will only be able to enable NAT on one interface, and it will automatically do NAT for multiple internal networks (each with its own gateway interface on the NetMAX).

If you need to do NAT on more than one outbound interface, then you will not want to use the check box above, as it will not suit your needs. Instead, you'll need to create some custom FORWARD firewall rules with IPMASQ enabled. More information on this is available here.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
I have more than one NIC in my NetMAX machine, how do I enable routing between them?
Applies to: NetMAX version 2.1 - 4.0x

L2.2Pv2.1

There is a problem with NetMAX Fire Wall/Professional version L2.2Pv2.1 where routing between networks is disabled by default, not allowing NetMAX to act as a router.

To enable routing (if your route table allows it), type the following command at the command line:

echo 1 > /proc/sys/net/ipv4/ip_forward

You can also ensure that routing is enabled whenever your NetMAX machine is rebooted by adding this command to your /etc/start_if.generic file. Make sure that you enter the command below the line containing the command "/usr/netmax/etc/rc.d/natd.sh restart". Routing will then be enabled whenever you reboot the NetMAX server. This problem only applies to NetMAX L22Pv2.1 and can also be resolved by installing the L22Pv2.2 upgrade, which is available at http://www.netmax.com/support/downloads.html

L2.2Pv3.x

In the interest of security, NetMAX FireWall/Professional version L2.2Pv3.1 and later only forwards traffic between "known" network interfaces (by default). This means that routing between all network interfaces will work fine; however, traffic with a source or destination address not on any of those known networks will not be forwarded (routed). This means that if you are using your NetMAX as a gateway to the Internet, more than likely you will be able to route traffic from your internal network to your ISP's network, but not past your ISP's network.

Although this is intended, it was not documented in the manual.

The easy way to allow all traffic (including traffic with a source or destination address on other networks) to use your router is to change your default forward policy to ACCEPT. To do so, issue the following commands from the command line, logged in as root:

echo /sbin/ipchains -P forward ACCEPT >> /etc/rc.firewall.local

chmod +x /etc/rc.firewall.local

/etc/rc.firewall.local

The more secure method would be to add custom firewall forward rules to each interface that will statically allow the routing between the two network cards for all traffic.

If you are doing NAT, no forward rules are created by default. So if you have more than one internal network interface, routing between the internal networks will not be allowed, by default. So you will have to manually create custom forward rules, or change the default forward policy, same as above.

L2.4Pv4.0x

In the interest of security, NetMAX FireWall/Professional version L2.2Pv3.1 and later only forwards traffic between "known" network interfaces (by default). This means that routing between all network interfaces will work fine; however, traffic with a source or destination address not on any of those known networks will not be forwarded (routed). This means that if you are using your NetMAX as a gateway to the Internet, more than likely you will be able to route traffic from your internal network to your ISP's network, but not past your ISP's network.

Although this is intended, it was not documented in the manual.

The easy way to allow all traffic (including traffic with a source or destination address on other networks) to use your router is to change your default forward policy to ACCEPT. To do so, issue the following commands from the command line, logged in as root:

NetMAX 4.x uses iptables instead of ipchains, so the command to change the default forward policy is slightly different from L2.2Pv3.x. Please note that we strongly recommend creating custom firewall rules for forwarding instead of changing the default forward policy. Custom firewall rules are more secure, will be backed up with the NetMAX configuration backup, do not require command line access, and will be retained during upgrades.

echo /sbin/iptables -P FORWARD ACCEPT >> /etc/rc.firewall.local

chmod +x /etc/rc.firewall.local

/etc/rc.firewall.local

The more secure method would be to add custom firewall forward rules to each interface that will statically allow the routing between the two network cards for all traffic.

If you are doing NAT, no forward rules are created by default. So if you have more than one internal network interface, routing between the internal networks will not be allowed, by default. So you will have to manually create custom forward rules, or change the default forward policy, same as above.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How can I get ICQ to work behind my NetMAX firewall?
Applies to: NetMAX version 3.0 - 4.0x
First, choose the "ICQ Exception" rule in your firewall. The ICQ firewall exception will not allow you to send ICQ messages from behind your firewall alone. You will need to make some modifications to your ICQ settings as well for it to work for you.

  1. Open the ICQ Menu and select "Preferences"
  2. Select the "Connection" tab.
  3. Select the button "I am behind a firewall or proxy."
  4. Then press the "Firewall Settings" button.
  5. On the "Firewall Settings" window that should be in front of you, select "I don't use a SOCKS Proxy server on my firewall or I am using another Proxy server."
  6. Select the "Next" button.
  7. The next screen should have a section for "TCP Port Allocation". Select "Use the following TCP listen ports for incoming events".
  8. In the "From" box enter "10000", in the "To" box enter "11000".
  9. Click the "Next" button and make sure your ICQ is Disconnected (off-line).
  10. Click on the "Check my Firewall/Proxy Settings" button to verify that everything is configured correctly for you.
  11. If successful, click the "Done" button.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I setup port forwarding (on FreeBSD)?
Applies to: NetMAX FreeBSD versions
Port forwarding is not available in the FreeBSD NetMAX FireWall interface.

However, we believe that the following command line settings using natd may provide the port forwarding functions. These settings have not been completely tested and are provided as a courtesy to you. Feedback and/or questions regarding it are welcome.

If you have NAT enabled on the NetMAX, then it is simple to create rules to redirect incoming and outgoing IP traffic when using the NetMAX as a router.

For example, if you wanted to have all accesses to the NetMAX's web server redirected to another machine's web server, you'd need three firewall rules (you can add these to the rc.local file):

ipfw add 10 divert natd tcp from otherwebserver 80 to any
ipfw add 11 divert natd tcp from any            to otherwebserver 80
ipfw add 12 divert natd tcp from any            to netmaxIP       80

Also, you'll need to edit the /etc/natd.conf file and add a line that reads:

redirect_port tcp otherwebserver:80 80

Then run:

kill `cat /var/run/natd.pid` && natd -f /etc/natd.conf

Feel free to contact us if you have further comments or questions.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
Why does a route I entered not get created, even though NetMAX doesn't give me any errors?
Applies to: NetMAX version 2.0 - 3.0
When you enter routes in the advanced routing table, you need to specify networks as the destination, not individual computers, and the destination must match the netmask you are entering. NetMAX will not report an error if you specify a host address instead, but it will not enter the route into the system.

For example:
Dest=10.8.2.2
Netmask=255.255.255.0
Router=192.168.8.1

This would be invalid because a Class C (255.255.255.0) network always has a network address that ends in x.x.x.0; this example names a computer on the network rather than the network itself.

This would work if the following were entered:
Dest=10.8.2.0
Netmask=255.255.255.0
Router=192.168.8.1

You would now be able to reach the computer 10.8.2.2 through router 192.168.8.1

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
Why does my telnet session through my NetMAX FireWall time out?
Applies to: NetMAX version 2.0 - 3.x
If you are doing NAT on your NetMAX Fire Wall, you are probably experiencing the IP masquerading timeout associated with doing NAT.

This timeout is to prevent you from running out of available ports to use for NAT.

The NetMAX interface does not include a feature that would allow you to adjust the timeout, however you are free to adjust it.

You may want to read the man pages for ipchains, especially the -S parameter, and also our Knowledge Base article located at:

http://www.netmax.com/fom/cache/266.html

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
Can I specify certain URLs that I don't want cached?
Applies to: NetMAX version 3.0
The NetMAX Interface for the Proxy Caching Server in NetMAX FireWall/Professional for L2.2Pv3.0 does not support this feature.

If you wish to manually maintain the configuration file for the Squid proxy server, you may find it located at /etc/proxycache.conf

If you make manual changes to the file, please also see the article located at: http://www.netmax.com/fom/cache/266.html

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
Are SSL-secure websites cached?
Applies to: NetMAX version 3.0 - 4.0x
By default, the Proxy Caching Server proxies and caches SSL-secure websites. However, most secure web sites will send a directive to the proxy server to NOT CACHE the secure content, which will result in it not being cached.

This is Internet standard behavior.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I prevent large files from using up all of my cache space?
Applies to: NetMAX version 3.0 - 4.0x
By default, the Proxy Caching Server, when enabled, is only going to cache files under 1000KB in size. This can be adjusted through the NetMAX Interface under Home|Services|Proxy Caching Server, by editing the "Maximum Object Size" entry.

In general, the smaller the size, the faster the cache will respond. The larger the size, the less bandwidth you will use. You should find yourself a happy medium.

This is explained in the Online Documentation and in the User Manual.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
What services can the Proxy Caching Server handle?
Applies to: NetMAX version 3.0 - 4.0x
The Proxy Caching Server provides caching, filtering, and monitoring of HTTP and FTP traffic. The Proxy Caching Server provides a transparent interface to outside networks by requesting HTTP and FTP data for clients.

This is explained in the Online Documentation and User Manual.

Although it is not mentioned, the NetMAX should be capable of also proxying Gopher and WAIS traffic.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I force my clients to use the Proxy Caching Server for accessing web services?
Applies to: NetMAX version 3.0 - 4.0x
A proxy caching server's primary function is to cache Internet data for client requests in order to speed up the response time to requests for the same data.

Because of the large number of client requests needed to actually make a proxy caching server pay off in the way of speed versus just routing the requests directly to the content servers, it has quickly become popular for smaller organizations to use them more for their additional features, such as controlling access to content servers.

The decision to force your clients to use the proxy server for FTP and HTTP services can be implemented in many ways. The easiest way may be to implement some firewall rules.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
I can't log in to a Microsoft NT Domain Controller through a NetMAX FireWall.
Applies to: NetMAX version 2.0 - 4.0x
If you are doing NAT, then logons and trusts will fail with one of the following messages:

"A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available."

"Could not find domain controller for this domain."

The error messages and conditions may not be consistent, even though you may still be able to successfully redirect a drive across the NAT and browse across the NAT.

This fails because the source IP address carried in the NetBIOS header is not translated by IP NAT.

More information on this is available on Microsoft's web site, in Knowledge Base Article ID: Q172227.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
Is there a more technical white paper available for my firewall?
Applies to:
  • All Linux versions of NetMAX
  • Discussion of ipchains only applies to NetMAX version 2.0 - 3.2
  • NetMAX 4.0x uses iptables

Firewall Tutorial For NetMAX Firewall (Linux)

This tutorial assumes basic networking knowledge.

The NetMAX firewall is a packet filtering firewall. This means that as each IP packet is processed by the kernel, only the IP characteristics are examined without state or content examination. The IP characteristics include one or more of the following:

  • Source IP Address and netmask
  • Destination IP Address and netmask
  • Protocol (i.e., TCP, UDP, esp)
  • Port (if applicable)

Under Linux, firewall rules are broken into three categories:

  • Input
  • Forward
  • Output

Technically, a command-line user can create more categories, but this functionality is not supported.

Each category of firewall rules contains a separate list of characteristics which are used to determine if an action should be taken on the IP packet. Actions include:

  • Allow
  • Deny
  • Masquerade (only for the forward category)

The list of characteristics is applied in the order that it is defined within the kernel (therefore giving the first rule the highest priority, the second the next priority, and so on). When the kernel examines the IP characteristics of an IP packet, the list is checked until there is a match. If there is no match, no rule is applied. For the following examples, let us define three input rules with the following priorities, characteristics, and actions:

  1. Source: 192.168.0.0/24, Destination: anywhere, Action: allow
  2. Source: 10.1.1.0/24, Destination: 10.2.2.0/24, Action: allow
  3. Source: anywhere, Destination: anywhere, Action: deny

Example 1:

Incoming packet with Source: 192.168.0.1, Destination: 192.245.33.1

RESULT: Input Rule #1 applies, therefore the IP packet is ALLOWED.

Example 2:

Incoming packet with Source: 192.168.199.1, Destination: 192.245.33.1

RESULT: Input Rule #3 applies, therefore the IP packet is DENIED. This is because neither #1 nor #2 apply to this packet.

Example 3:

Incoming packet with Source: 10.1.1.1, Destination: 192.245.33.1

RESULT: Input Rule #3 applies, therefore the IP packet is DENIED.

Example 4:

Incoming packet with Source: 10.1.1.45, Destination: 10.2.2.99

RESULT: Input Rule #2 applies, therefore the IP packet is ALLOWED.

We can get more specific by including more IP characteristics. For the following examples, let us define input rules as follows:

  1. Source: 192.168.0.0/24, Destination: anywhere, Protocol: TCP, Port: 23, Action: deny (block TCP traffic for telnet)
  2. Source: 10.1.1.0/24, Destination: 10.2.2.0/24, Protocol: ddp, Action: deny (ddp is for AppleTalk)
  3. Source: anywhere, Destination: anywhere, Action: allow

Example 1:

Incoming packet with Source: 192.168.0.1, Destination: 192.245.33.1, Protocol: UDP

RESULT: Input Rule #3 applies, therefore the IP packet is ALLOWED. #1 does not apply because the protocol is not TCP.

Example 2:

Incoming packet with Source: 192.168.0.1, Destination: 192.245.33.1, Protocol: TCP, Port: 23

RESULT: Input Rule #1 applies, therefore the IP packet is DENIED.

Example 3:

Incoming packet with Source: 99.99.99.1, Destination: 88.88.88.2, Protocol: TCP, Port: 23

RESULT: Input Rule #3 applies, therefore the IP packet is ALLOWED.

Rule #3 is necessary with L22Pv3.0x because the default action (no rules apply) is to DENY the packet.

----

Rules of order

The next thing to understand about Linux firewalls is the order that categories are processed: Input, Forward, and then Output. Therefore, as a packet is received by the kernel, input rules are checked first, forward rules second, and output rules last.

From the IPCHAINS-HOWTO http://metalab.unc.edu/pub/Linux/docs/HOWTO/IPCHAINS-HOWTO


          ----------------------------------------------------------------
          |            ACCEPT/                              lo interface |
          v           REDIRECT                  _______                  |
  --> C --> S --> ______ --> D --> ~~~~~~~~ -->|forward|----> _______ -->
      h     a    |input |    e    {Routing }   |Chain  |     |output |ACCEPT
      e     n    |Chain |    m    {Decision}   |_______| --->|Chain  |
      c     i    |______|    a     ~~~~~~~~        |     | ->|_______|
      k     t       |        s       |             |     | |     |
      s     y       |        q       |             v     | |     |
      u     |       v        e       v            DENY/  | |     v
      m     |     DENY/      r   Local Process   REJECT  | |   DENY/
      |     v    REJECT      a       |                   | |  REJECT
      |   DENY               d       --------------------- |
      v                      e -----------------------------
     DENY

This makes it possible to receive a packet with a particular set of characteristics but not send one with the same.

----

Forwarding rules

Assuming the input rules allow a packet to continue to be checked for its characteristics, the forwarding list of rules will be applied. Forwarding rules have two modes: plain and masquerade. For a "plain" forward rule, the source IP address remains unchanged; for a "masquerade" forward rule, the source IP address is changed to that of the network interface which is receiving the packet.

The most commonly used forwarding rule is the basic masquerading, referred to as NAT within the NetMAX interface (this is a legacy term from the original FreeBSD version, which has a "true" NAT). This rule says to forward with masquerade any UDP or TCP traffic from any address to any address. By selecting the NAT option within a network interface's interface (Home|Network|Interfaces), a forward masquerading rule is created for all traffic THROUGH the selected interface. NAT is usually enabled on the network interface which connects to the Internet, so that traffic bound to an IP address not within the LAN is made to appear as if it comes from the IP address of the NetMAX on the Internet.

  • If NAT is enabled, it will always be the last forward rule so that the user's manually entered forward and/or masquerade rules take precedence.

  • If NAT is enabled, it becomes critical that appropriate rules are enabled to prevent undesired access: the NAT rule works IN BOTH DIRECTIONS (i.e., traffic from the Internet can appear as if it comes from the NetMAX firewall).

----

When are manually entered forwarding rules necessary? (Some examples)

A. You are connected to a complex network and do not want all traffic to be NAT'ted. Take this network as an example:

[10.1.1.1]     [10.254.1.1]        [192.1.1.1]
[Machine 1] <--> [Router 1  ] <--> [Router 2 ] <--> Internet
                   [192.1.1.2 ]

Machine 1: a completely internal machine
Router 1: this machine has two IP addresses, one on the completely internal network and a second on the routable 192.* address.
Router 2: this machine has only an Internet accessible address and is connected to the Internet

If Router 1 is set up with the generic masquerade rule (from anywhere to anywhere) on the 192.1.1.2 interface, then traffic from 10.* to 192.* will always appear to originate from 192.1.1.2 because its traffic will be masqueraded. In addition, traffic from 192.* (sort of excluding Router 1) to 10.* will appear to have a source address of 192.1.1.2.

It might be desirable (for file sharing purposes, for example) to NOT masquerade the traffic to 192.* from the 10.* network. Therefore, forwarding rules can be added with the following properties:

ACCEPT FORWARD from 10.0.0.0/8 to 192.1.1.0/24
ACCEPT FORWARD from 192.1.1.0/24 to 10.0.0.0/8

Therefore, the 192 and the 10 networks can communicate without having IP addresses translated.

  • Router 2 should have firewall rules which prevent access to the 10.* network. Most ISPs will not route 10.* traffic, but one can never be too careful. The NetMAX rules for "Block IP address spoofing attacks (external traffic with internal IP addresses)" automatically include rules to block several categories of traffic which ISPs should never route.

B. You have a hybrid public/private IP network:

       Internet
          |
          |
      [192.2.2.1]
      [Router 2 ]
[192.1.1.1] [10.1.1.1]
    |            |
    |            |
[Machine 2] [Machine 1]
[192.1.1.2] [10.1.1.2 ]

In this example, the 192.* addresses are public and the 10.* addresses are private. Enabling NAT on the 192.2.2.1 interface is probably not desired because the 10.* AND the 192.1.1.* machines will be masqueraded. Therefore, we should set up manual masquerading and forwarding rules.

  1. ACCEPT FORWARD from any to 192.1.1.0/24
  2. ACCEPT FORWARD from 192.1.1.0/24 to any

    (these rules allow Internet access to the 192.1.1.* network)

  3. ACCEPT FORWARD from 10.0.0.0/8 to 192.1.1.0/24
  4. ACCEPT FORWARD from 192.1.1.0/24 to 10.0.0.0/8

    (these rules allow, for example, Machine 1 and Machine 2 to communicate directly)

  5. MASQUERADE FORWARD from 10.0.0.0/8 to any

(traffic destined for the Internet IS masqueraded, there should also be a rule to block traffic from 10.0.0.0/8 on the input of the 192.2.2.1 interface)
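The first-match evaluation walked through in the input-rule examples above, together with the ordered forward chain for this hybrid network, as an added Python example (not NetMAX code): a rule is source, destination, optional protocol and port plus an action; the chain is walked top to bottom, the first match wins, and the chain's default policy (DENY, as the tutorial states for L22Pv3.0x) applies when nothing matches. FORWARD_B_MISORDERED is a constructed variant that moves the masquerade rule to the top to show why NAT must stay last.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One rule: the IP characteristics the tutorial lists plus an action."""
    src: str                     # CIDR network, or "anywhere"
    dst: str                     # CIDR network, or "anywhere"
    action: str                  # "ACCEPT", "DENY" or "MASQUERADE"
    proto: Optional[str] = None  # "tcp", "udp", "ddp", ...; None = any protocol
    port: Optional[int] = None   # destination port; None = any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: Optional[str] = None
    port: Optional[int] = None

def in_net(addr: str, net: str) -> bool:
    """'anywhere' matches every address; otherwise test CIDR membership."""
    if net == "anywhere":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every characteristic it specifies matches."""
    if not in_net(pkt.src, rule.src) or not in_net(pkt.dst, rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return True

def evaluate(rules, pkt: Packet, default: str = "DENY"):
    """Walk the chain top to bottom; the first matching rule decides.

    Returns (rule_number, action). rule_number is None when nothing matched
    and the chain's default policy applied (DENY on L22Pv3.0x)."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return number, rule.action
    return None, default

# Input chain from the first group of examples in the tutorial.
INPUT_A = [
    Rule("192.168.0.0/24", "anywhere", "ACCEPT"),
    Rule("10.1.1.0/24", "10.2.2.0/24", "ACCEPT"),
    Rule("anywhere", "anywhere", "DENY"),
]

# Input chain from the second group (protocol and port added).
INPUT_B = [
    Rule("192.168.0.0/24", "anywhere", "DENY", proto="tcp", port=23),
    Rule("10.1.1.0/24", "10.2.2.0/24", "DENY", proto="ddp"),
    Rule("anywhere", "anywhere", "ACCEPT"),
]

# Forward chain for the hybrid public/private network (example B).
FORWARD_B = [
    Rule("anywhere", "192.1.1.0/24", "ACCEPT"),
    Rule("192.1.1.0/24", "anywhere", "ACCEPT"),
    Rule("10.0.0.0/8", "192.1.1.0/24", "ACCEPT"),
    Rule("192.1.1.0/24", "10.0.0.0/8", "ACCEPT"),
    Rule("10.0.0.0/8", "anywhere", "MASQUERADE"),
]

# Constructed variant: masquerade rule first. Machine 1 -> Machine 2 traffic
# is then translated, which is why the NAT rule is always kept last.
FORWARD_B_MISORDERED = [FORWARD_B[4]] + FORWARD_B[:4]

if __name__ == "__main__":
    cases = [
        ("INPUT_A", INPUT_A, Packet("192.168.0.1", "192.245.33.1")),
        ("INPUT_A", INPUT_A, Packet("192.168.199.1", "192.245.33.1")),
        ("INPUT_B", INPUT_B, Packet("192.168.0.1", "192.245.33.1", "udp")),
        ("INPUT_B", INPUT_B, Packet("192.168.0.1", "192.245.33.1", "tcp", 23)),
        ("FORWARD_B", FORWARD_B, Packet("10.1.1.2", "192.1.1.2")),
        ("FORWARD_B", FORWARD_B, Packet("10.1.1.2", "192.245.33.1")),
        ("FORWARD_B", FORWARD_B, Packet("192.245.33.1", "10.1.1.2")),
        ("MISORDERED", FORWARD_B_MISORDERED, Packet("10.1.1.2", "192.1.1.2")),
    ]
    for name, chain, pkt in cases:
        print(name, pkt.src, "->", pkt.dst, evaluate(chain, pkt))
```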

----

Interesting command-line uses of the IPCHAINS command

  1. To list the current set of active rules:

    ipchains -L -n

  2. To list the current input rules, output rules, and forwarding rules, respectively:

    ipchains -L input -n
    ipchains -L output -n
    ipchains -L forward -n

  3. Since masquerading tracks NAT'ted connections, we can see the list of these:

    ipchains -M -L -n

----

Adding firewall rules which cannot be defined within the NetMAX interface

Starting with L22Pv3.0, the /etc/rc.firewall script now checks for an executable file in /etc/rc.firewall.local and runs the program (probably users will want to use a "shell" script).

Example script (remember to chmod +x /etc/rc.firewall.local):

#!/bin/sh
/sbin/ipchains -M -S 3600 0 0

This sets the timeout value for TCP connections to 1 hour (60*60), the FIN and UDP connections are unchanged because of the zeros. The default is 15 minutes such that telnet sessions without traffic for 15 minutes are disconnected.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
After the nightly log truncation, my proxy caching logging stops.
Applies to: NetMAX FireWall and Professional version 3.x
There is a problem in the L2.2Pv3.x version of NetMAX FireWall/Professional.

When the log truncation rotates the squid proxy caching server's logs, the logging is not restarted with the correct configuration file.

The work around is to edit the /usr/netmax/bin/truncsyslog.sh file.

Edit the line that reads:

/usr/netmax/bin/squid -k rotate

So that it reads:

/usr/netmax/bin/squid -k rotate -f /etc/proxycache.conf

After saving the changes to this file, you must restart the proxy server. The easiest way to do this may be to reboot your NetMAX.
(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
My proxy caching server's logs are showing statistics from Dec 31, 1969.
Applies to: NetMAX version 3.x
This just indicates that your proxy caching server's logs are empty.

If you believe that the logs should not be empty, please see this article.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
My proxy caching server is using too much of my memory, what is wrong?
Applies to: NetMAX version 3.x
There is a problem in the L2.2Pv3.x version of NetMAX FireWall/Professional.

Under Home|Services|Proxy Caching Server, the NetMAX interface shows the Cache RAM Size in MB. It is actually entered as a percentage of the available memory. So if you have 256 MB of memory available, and you enter 64, it is not going to use 64 MB of memory, it is going to use 64% of your memory (163.84). Also, your Cache Swap Size has to be larger than the Cache RAM size. So if you specify more Cache RAM than Cache Swap, your Proxy Caching Server will not restart (and there will be no message indicating the problem).

Note: The Cache Swap Size should still be specified in MB.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I interpret my FireWall(kernel) logs?
Applies to: NetMAX version 3.x
Here's an example entry that you may find in your /var/log/kernel.log after creating some firewall rules with logging enabled:

Oct  6 15:52:15 netmax kernel: Packet log: input DENY eth1 PROTO=6 192.168.0.1:2978 10.0.0.1:139 L=60 S=0x00 I=58438 F=0x4000 T=64 SYN (#3)

This logging is done by syslog and places our firewall messages in the kernel.log because we are using kernel firewalling (using IPCHAINS).

Each "field" is separated by a space or a colon and provides the following information:

  1. Month in Mmm format (Oct)
  2. Date of month (6)
  3. Time in the 24 hour HH:MM:SS format (15:52:15)
  4. Hostname of the machine the message occurred on (netmax)
  5. The system that the message is regarding (kernel:)
  6. Description of what the message is regarding (Packet log:)
  7. Category of firewall rule involved (input)
  8. Action of firewall rule involved (DENY)
  9. Adapter that the firewall rule is on (eth1)
  10. Internet Protocol involved (PROTO=6)
  11. Source address and port of packet (192.168.0.1:2978)
  12. Destination address and port of packet (10.0.0.1:139)
  13. Length of packet (L=60)
  14. Type of service (S=0x00)
  15. Packet ID (I=58438)
  16. Fragment Flags (F=0x4000)
  17. Time to live of packet (T=64)
  18. TCP flags (SYN)

Basically what this message tells us is that someone attempted to establish (SYN) a TCP (PROTO=6) connection to port 139 at 10.0.0.1 from port 2978 on 192.168.0.1. Since we know that Windows File Sharing (CIFS) uses TCP port 139, we can determine that this "person" at 192.168.0.1 was attempting to connect to any Windows shares that we had available on 10.0.0.1.

Here's a list for determining the Internet Protocol with the PROTO number:

Decimal  Keyword      Protocol                              References
-------  -------      --------                              ----------
0                     Reserved                              [JBP]
1        ICMP         Internet Control Message              [RFC792,JBP]
2        IGMP         Internet Group Management             [RFC1112,JBP]
3        GGP          Gateway-to-Gateway                    [RFC823,MB]
4        IP           IP in IP (encapsulation)              [JBP]
5        ST           Stream                                [RFC1190,IEN119,JWF]
6        TCP          Transmission Control                  [RFC793,JBP]
7        UCL          UCL                                   [PK]
8        EGP          Exterior Gateway Protocol             [RFC888,DLM1]
9        IGP          any private interior gateway          [JBP]
10       BBN-RCC-MON  BBN RCC Monitoring                    [SGC]
11       NVP-II       Network Voice Protocol                [RFC741,SC3]
12       PUP          PUP                                   [PUP,XEROX]
13       ARGUS        ARGUS                                 [RWS4]
14       EMCON        EMCON                                 [BN7]
15       XNET         Cross Net Debugger                    [IEN158,JFH2]
16       CHAOS        Chaos                                 [NC3]
17       UDP          User Datagram                         [RFC768,JBP]
18       MUX          Multiplexing                          [IEN90,JBP]
19       DCN-MEAS     DCN Measurement Subsystems            [DLM1]
20       HMP          Host Monitoring                       [RFC869,RH6]
21       PRM          Packet Radio Measurement              [ZSU]
22       XNS-IDP      XEROX NS IDP                          [ETHERNET,XEROX]
23       TRUNK-1      Trunk-1                               [BWB6]
24       TRUNK-2      Trunk-2                               [BWB6]
25       LEAF-1       Leaf-1                                [BWB6]
26       LEAF-2       Leaf-2                                [BWB6]
27       RDP          Reliable Data Protocol                [RFC908,RH6]
28       IRTP         Internet Reliable Transaction         [RFC938,TXM]
29       ISO-TP4      ISO Transport Protocol Class 4        [RFC905,RC77]
30       NETBLT       Bulk Data Transfer Protocol           [RFC969,DDC1]
31       MFE-NSP      MFE Network Services Protocol         [MFENET,BCH2]
32       MERIT-INP    MERIT Internodal Protocol             [HWB]
33       SEP          Sequential Exchange Protocol          [JC120]
34       3PC          Third Party Connect Protocol          [SAF3]
35       IDPR         Inter-Domain Policy Routing Protocol  [MXS1]

Sources: RFC-1700
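
The field breakdown above, turned into a small parser, as an added Python example (not NetMAX's own code): it decodes each field of an IPCHAINS "Packet log:" line, names the PROTO number from the RFC 1700 table, and counts DENY entries per destination, port and protocol so that repeated probes like the port 139 attempt discussed above stand out. The log lines are constructed for the example; the trailing "(#n)" is taken to be the number of the rule that logged the packet, and for ICMP the two port positions are read as message type and code.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Protocol numbers from the RFC 1700 table above (the ones usually seen in firewall logs).
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# Constructed sample kernel.log lines in the format above (for ICMP the "ports" are type:code).
SAMPLE_LOG = """\
Oct  6 15:52:15 netmax kernel: Packet log: input DENY eth1 PROTO=6 192.168.0.1:2978 10.0.0.1:139 L=60 S=0x00 I=58438 F=0x4000 T=64 SYN (#3)
Oct  6 15:52:20 netmax kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:1025 10.0.0.1:137 L=78 S=0x00 I=58440 F=0x0000 T=64 (#3)
Oct  6 15:52:21 netmax kernel: Packet log: input DENY eth1 PROTO=6 192.168.0.1:2979 10.0.0.1:139 L=60 S=0x00 I=58442 F=0x4000 T=64 SYN (#3)
Oct  6 15:53:01 netmax kernel: Packet log: output ACCEPT eth0 PROTO=1 10.0.0.1:8 192.168.0.5:0 L=84 S=0x00 I=58443 F=0x0000 T=64 (#7)
Oct  6 15:53:05 netmax kernel: eth1: link up
"""

# Fields in the order the FAQ lists them; the TCP flags and the "(#n)" rule number are optional.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*)(?: \(#(?P<rule>\d+)\))?\s*$")

@dataclass
class PacketLogEntry:
    stamp: str; host: str; chain: str; action: str; iface: str; proto: int
    src: str; sport: int; dst: str; dport: int; length: int; tos: int
    ipid: int; frag: int; ttl: int; flags: tuple; rule: Optional[int]

    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")

def parse_packet_log(line: str) -> Optional[PacketLogEntry]:
    """Parse one IPCHAINS 'Packet log:' line; return None for any other kernel message."""
    if not (m := LINE_RE.match(line)):
        return None
    g = m.groupdict()  # S= and F= are hex (F= is the raw IP fragment field, 0x4000 = DF bit)
    return PacketLogEntry(g["stamp"], g["host"], g["chain"], g["action"], g["iface"],
        int(g["proto"]), g["src"], int(g["sport"]), g["dst"], int(g["dport"]), int(g["length"]),
        int(g["tos"], 16), int(g["ipid"]), int(g["frag"], 16), int(g["ttl"]),
        tuple(g["flags"].split()), int(g["rule"]) if g["rule"] else None)

def denied_targets(log_text: str) -> Counter:
    """Count DENY entries per (destination, port, protocol) to see what is being probed."""
    hits = Counter()
    for e in map(parse_packet_log, log_text.splitlines()):
        if e and e.action == "DENY":
            hits[(e.dst, e.dport, e.proto_name())] += 1
    return hits
```

Running denied_targets over a day's kernel.log gives a quick view of which services behind the firewall are being knocked on most, and by which protocol.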

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
Do the L2.2Pv3.x FireWall products include Traffic Rerouting?
Applies to: NetMAX version 3.x FireWall Products
The NetMAX FireWall Suite, FireWall ProSuite, and Professional do include Traffic Rerouting.

In this new version, it is now accessed from the REROUTE tab under Home|Network|Routing. This is documented incorrectly in the manual, as the manual still refers to the L2.2Pv2.x location of Home|Network|Traffic Rerouting.

The NetMAX FireWall Retail product does not include the Traffic Rerouting feature.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
CGIs won't work through my NetMAX proxy. What can I do?
Applies to: NetMAX version 3.0 - 4.0x

If you are having trouble using CGIs through your proxy, you need to uncomment a few lines in some files.

In your NetMAX interface go to Home|Personal and click on root under files management.

In root browse to this directory:
var --> conf --> sdb --> prototypes and click on the file squid.conf to edit it. Remove the "#" in front of these two lines:

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
Save the file.

Browse back to root. From root browse to etc and click on the file proxycache.conf to edit it.
Remove the "#" in front of these two lines:

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
Save the file.

Browse back to root. From root browse to:
var --> conf --> last_sdb --> prototypes and click on the file squid.conf to edit it. Remove the "#" in front of these two lines:

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
Save the file.

After you have made the changes to these files you will need to restart the proxy. To do so you must log in to the command line interface using telnet or by logging into the console.
Once you have logged into the command line, type: su [enter] and give the password for the root user.

Now that you are logged in as the root user you can restart the proxycache server by typing:

/usr/netmax/etc/rc.d/proxycache.sh restart

Now you will be able to use CGIs on computers using your proxycache.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
I locked myself out of NetMAX with firewall rules. What can I do?
Applies to: NetMAX version 2.0 - 4.0x

  • If you have enabled a firewall rule such as "block all traffic", or a rule blocking you from logging into your NetMAX interface, follow these guidelines.

    1. You first need to log into the command line of your NetMAX system as root. The easiest way to do this is to go to the actual system itself and login through the console as root user.

      You can also log into your system using telnet (if it is not blocked by firewall rules). Login to telnet with your administrative user then enter the command su root. You will be prompted for the root password.

      After entering the root password you will be at the command prompt, which will look like this:

      [root@netmax]#

    2. You now have the ability to change the firewall rules which have locked you out.

      To change these rules you need to run a command to clear out the rules.

      Please note, running this command will temporarily shut down Network Address Translation and temporarily remove all firewall configuration. The firewall configuration will be restored when you perform a commit or reboot the system.

      The command is:

      ipchains -F

      The above command must be typed exactly as shown.

    3. You can now go into the NetMAX interface and change your firewall rules back to allow you access.

  • If you do not change your firewall rules and perform a commit or reboot the system, you will not be able to get to the NetMAX interface without going through the above steps to gain access once again.
  • If you are unable to log into your system from a telnet session try logging in using the console and going through step 2.

  • If you are unable to log in as root from the console follow the below steps:

    1. Reboot your NetMAX server.
    2. At the LILO prompt enter this command:
      linux single
    3. When you get to the bash prompt enter this command:
      rm /etc/rc.firewall
    4. Enter this command to reboot the server:
      reboot
    5. Once the server boots up you will be able to gain access to it using the web interface. Don't forget to remove the firewall rule that locked you out. If you don't remove this rule and do a commit or reboot the server again you will not be able to access the server without going through the above steps again.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
My traffic rerouting isn't working what can I do?
Applies to: NetMAX versions 3.0, 3.01, and 4.0

If you are running versions L2.2Pv3.0 or L2.2Pv3.01 you need to upgrade to L2.2Pv3.1 in order for traffic rerouting to work.

If you are running version L2.4Pv4.0, you need to upgrade to L2.4Pv4.01 in order for traffic rerouting to work.

Also, make sure that the ports you are rerouting are not firewalled off on the NetMAX. If traffic is being denied to those ports on the NetMAX interface, it will not be possible to reroute it. To fix this, simply create Server rules, or Input/Output rules for the ports that you are rerouting, specifying the NetMAX IP as the source or destination of the traffic.

(Answer) (Category) NetMAXFAQ : (Category) Routing / Fire Wall / Proxy Cache :
How do I get my Proxy Cacheing Server to listen on multiple addresses?
Applies to: NetMAX version 3.0 - 4.0x
You can't do this in the NetMAX Interface. However, you can do this from the command line.

The file you'll need to edit is /etc/proxycache.conf

At the bottom of this file, you'll find the line:

http_port 3128

You'll want to replace that line with the following line:

http_port 192.168.0.1:3128 10.1.2.3:3128

Of course, you'll want to use your IP addresses, and not the ones listed.

Then, to stop NetMAX from overwriting these changes, you'll need to edit the /etc/commit.conf file, and add the following line:

skip /etc/proxycache.conf

If you ever need to make any changes to your proxy server configuration in the NetMAX Interface, you'll want to remove the line from the /etc/commit.conf file, commit your changes, then perform the above steps again.

This document is: http://www.netmax.org/cgi-bin/fom.cgi?file=272
This is a Faq-O-Matic 2.721.
This FAQ administered by ...Cybernet Systems Corp.