This may sound simplistic when you read it, but it really is this
simple. The public interface only gets involved when traffic is sent
to or through it.

Filters are supposed to be applied to the public interface, and not the
private side (unless you've *really* customized them). See tip #13 at
the URL below. (Talking filters here, not exceptions.)

If you have changed the default route to an address on the private
side, then packets going to the internet should not touch the public
interface at all. Since you are having a filtering issue, clearly some
things need to be checked out.

1. In filtcfg, check that no filters are applied to the private
   interface, and that the filtering action is the default (deny in list,
   as seen in tip #13).

2. Check the routing table in TCPCON to see what the default route
   actually is. Sometimes it's not what you thought you had.

3. Check routers in your network to see if some static NAT or routing
   table entry might be pointing to an old public address assigned on the
   BMgr server.

4. Use set tcp ip debug=1 (careful! Will see a lot of traffic, and
   could crash a production server) to see all IP traffic on the server.
   You can then observe packets hitting the public side and maybe see
   where they are coming from. PKTSCAN.NLM would be a lot safer to use.

Craig Johnson
Novell Support Connection SysOp

*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***