From owner-freebsd-questions Thu Dec 13 11:34: 8 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from harrier.prod.itd.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12]) by hub.freebsd.org (Postfix) with ESMTP id 9AB0E37B405 for ; Thu, 13 Dec 2001 11:34:02 -0800 (PST)
Received: from user-2ivfine.dialup.mindspring.com ([165.247.202.238]) by harrier.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16Ebbn-000024-00; Thu, 13 Dec 2001 11:33:31 -0800
Mime-Version: 1.0
X-Sender: wtem@mail.olywa.net
Message-Id:
In-Reply-To:
References: <20011213133805.31126.qmail@web20604.mail.yahoo.com>
Date: Thu, 13 Dec 2001 11:34:08 -0800
To: Walter McGinnis , Donnie Jones
From: Walter McGinnis
Subject: Re: upgrade from 4.0 to 4.4 cablem firewall/router ssh problems
Cc: freebsd-questions@freebsd.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I just rebooted again for the hell of it (it's getting to be addictive) and of course everything except the original problem (no remote ssh from LAN boxes) is fixed. I think I'll send my newfound therapy bills to AT&T cuz they are driving me NUTS! Guess it's time to order DSL.

BTW, I forgot natd_interface="xl0" in the rc.conf list below.

Walter

At 11:22 AM -0800 12/13/01, Walter McGinnis wrote:
>At 5:38 AM -0800 12/13/01, Donnie Jones wrote:
>> > Previously, I was able to ssh to remote hosts from
>> > my LAN behind my
>> > FreeBSD box, after the upgrade and resumption of
>> > cable service I
>> > can't. I can ssh between boxes on the LAN and from
>> > the
>> > router/firewall to remote hosts.
>> >
>> > TIA,
>> >
>> > Walter McGinnis
>>
>>
>>What rules do you have set up in your firewall?
>
>I'm using natd and ipfw. I'm starting with an open script for the
>firewall until I get this resolved:
>
># ipfw list
>00100 divert 8668 ip from any to any via xl0
>00101 allow ip from any to any via lo0
>00200 deny ip from any to 127.0.0.0/8
>03000 allow log logamount 100 ip from any to any
>65535 deny ip from any to any
>
>The 65535 rule concerns me, but I suspect it is a result of the
>kernel being set to deny by default. Even after a manual flush it
>persists. The other explicit rules that I write overrule 65535,
>right?
>
>> Maybe
>>you should move the firewall rules file somewhere else
>>and put a new one there that is blank, in order to
>>enable the firewall to pass everything through.
>
>This is what I've done:
>
>from rc.conf:
>gateway_enable="YES"
>router_enable="YES"
>router="routed"
>router_flags="-q"
>tcp_extensions="NO"
>forward_sourceroute="NO"
>accept_sourceroute="NO"
>hostname="2512-13A.attbi.com"
>firewall_enable="YES"
>firewall_script="/etc/firewall-1"
>firewall_quiet="NO"
>natd_enable="YES"
>natd_flags="-f /etc/natd.conf"
>defaultrouter="12.232.151.1"
>network_interfaces="xl0 lo0 rl0"
>ifconfig_xl0="inet 12.232.151.171 netmask 255.255.255.0"
>ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
>inetd_enable="NO"
>sshd_enable="YES"
>sendmail_enable="NO"
>kern_securelevel="NO"
>... (about it except mouse, linux, and network time stuff)
>
>in firewall-1 are all the rules except 635535.
>
>from natd.conf:
>
>port 8668
># same_ports
># unregistered_only
>interface xl0
>redirect_port tcp 10.0.0.10:8000-9000 8000-9000
>redirect_port tcp 10.0.0.10:80 80
># dynamic
>
>
>>Do
>>your pc's on the LAN have access to the internet? or
>>are you only using them for ssh?
>
>I had email and web access from my LAN boxes behind the router as of
>last night, but this morning not even the router has WAN
>web/email/ping/ssh access. I suspect it is because the
>defaultrouter (i.e. AT&T's gateway) has gone down and routed is
>unable to set up routing tables (netstat -r comes up with nothing
>and I get console messages from natd that the host is down). Note
>that all the lights on the modem are showing correct status and I
>powercycled the bastard for good measure (turn off power, unplug
>power supply and ethernet cable, leave off for a minute, plug power
>in, watch the pretty lights return to normal, plug ethernet back
>in). I've also switched xl0 to "DHCP" in case I lost my lease, but
>that doesn't work at reboot either. An interesting point is that I
>did at one time get DHCP to work and I wrote down the IP of gateway,
>name server, and my box just in case, which is what I had working
>last night. I was told that the DHCP lease was for 24 hours and it
>has definitely been less than that and besides that I'm unable to
>get anything from DHCP.
>
>That being said, I'm able to ping/ssh my internal boxes from the
>router and the other way around on the internal network (10.0.0...)
>
>Another thing of note is that /etc/defaults/rc.conf seems to
>override arbitrary /etc/rc.conf settings. I've commented out
>duplicate lines in /etc/defaults/rc.conf and things began to work
>(well except for the ssh problem of the original post) when they
>were. My understanding is that I shouldn't have to touch
>/etc/defaults/rc.conf only /etc/rc.conf, what the hell is going on
>with that?
>
>>Also, any configuration files you have, such as your
>>rc.conf and your firewall rules file may be helpful to
>>us in answering your questions.
>>
>>Sorry I can't help more.. yet.
>
>>-Donnie
>
>I look forward to your answers. I've been pulling my hair out for days now...
>
>Walter McGinnis
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
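The question in the quoted mail about rule 65535 comes down to ipfw's first-match semantics. The following is an added example, not code from the thread: a small simulator that walks the posted `ipfw list` output in rule order and shows that 65535 (the kernel's default deny) only decides a packet when nothing earlier has. It models only the syntax used in that list, and treats `divert` as "hand to natd, then continue at the next rule", a simplification of how natd reinjects packets.

```python
import ipaddress

# The ruleset exactly as posted in the thread ('ipfw list' output).
RULES_TEXT = """\
00100 divert 8668 ip from any to any via xl0
00101 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
03000 allow log logamount 100 ip from any to any
65535 deny ip from any to any
"""

def parse_rule(line):
    """Parse one 'ipfw list' line (only the subset of syntax used above)."""
    t = line.split()
    num, action, idx, port = int(t[0]), t[1], 2, None
    if action == "divert":                 # 'divert PORT'
        port, idx = int(t[idx]), idx + 1
    if t[idx] == "log":                    # skip 'log' or 'log logamount N'
        idx += 3 if t[idx + 1] == "logamount" else 1
    proto, idx = t[idx], idx + 1
    assert t[idx] == "from" and t[idx + 2] == "to"
    src, dst, idx = t[idx + 1], t[idx + 3], idx + 4
    via = t[idx + 1] if idx < len(t) and t[idx] == "via" else None
    return {"num": num, "action": action, "port": port,
            "proto": proto, "src": src, "dst": dst, "via": via}

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_matches(rule["src"], pkt["src"])
            and addr_matches(rule["dst"], pkt["dst"])
            and (rule["via"] is None or rule["via"] == pkt["iface"]))

def evaluate(rules, pkt):
    """First match wins. 'divert' records the natd port and continues with the
    next rule (natd reinjects the packet there); allow/deny terminate.
    Returns (rule number, action, list of divert ports hit)."""
    diverted = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            diverted.append(rule["port"])
            continue
        return rule["num"], rule["action"], diverted
    raise RuntimeError("no terminal rule")   # unreachable: 65535 matches everything

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines()]

if __name__ == "__main__":
    # Constructed sample: a LAN box behind rl0 opening an outbound connection via xl0.
    lan_out = {"proto": "tcp", "src": "10.0.0.10", "dst": "12.232.151.1", "iface": "xl0"}
    print(evaluate(RULES, lan_out))                                      # 03000 allow, after divert
    print(evaluate([r for r in RULES if r["num"] != 3000], lan_out))    # 65535 deny once 03000 is gone
```

With rule 03000 present the default rule is never reached for any packet; remove it and the same packet falls through to 65535, which is why the rule persists after a flush but does no harm while an earlier allow covers the traffic.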