From: "William Knechtel"
To: freebsd-net@freebsd.org
Date: Tue, 29 Jul 2003 19:24:19 -0600
Subject: RE: Help with FreeBSD Bridged Firewall

Per a list member's request, I've attached dumps of the following commands:

  arp -a
  netstat -m
  ipfw show
  ifconfig
  netstat -s
  netstat -i

One caveat, I've hidden all IP addresses that could be used to divine my netblock... I guess I'm a little paranoid about people inspecting my firewall configuration :-) and are public (routable) IP addresses of the two machines I have behind the firewall.

One additional note. Since I first composed this message early this afternoon, the responsiveness of the internal NIC on the firewall has bounced up and down a bit. Here's a bit of a log of its activity:

  11:57 DOWN
  12:06 UP (reboot)
  12:26 DOWN
   2:18 UP
   3:14 DOWN
   5:43 UP

The odd thing is that it's been operating fine for a few months now (it's a fairly new installation), and the last change I made to the firewall's config was well over a week ago. I hope this helps figure out what's going on!!

Thanks in advance for your help.

Kindest Regards,
Bill

> -----Original Message-----
> From: owner-freebsd-net@freebsd.org [mailto:owner-freebsd-net@freebsd.org] On Behalf Of William Knechtel
> Sent: Tuesday, July 29, 2003 6:56 PM
> To: freebsd-net@freebsd.org
> Subject: Help with FreeBSD Bridged Firewall
>
> Hello!
>
> Help!! I'm running a PC with dual NICs and FreeBSD 4.8 for a bridged firewall. I've got a private IP 10.0.0.1 tied to the internal card on the box for remote management. The firewall blocks any 10.x traffic coming in on the external card, so to remotely admin it, I have to shell into a machine on the same isolated network segment that it's on, and then shell over from that machine.
>
> Today around noon, the machine suddenly stopped responding to pings. I went down to the server room and couldn't find anything wrong. No notes on the console screen, no anomalous entries in the security or message logs. So, in the interest of getting it back up quickly, I rebooted it. That worked. About an hour later, the same thing happened... my network monitor tells me that it's not responding to pings. So before I go down to the server room, I run a few tests... the firewall is still blocking packets like a champ.
> I run nmap against a host the firewall protects, and everything comes back fine. But when I go downstairs to the console, I can't ping out to its 10.0.0.2 buddy, and no incoming pings work either. I'm at a loss on how to troubleshoot this, folks. I could really use a few ideas, so please send them along!
>
> Thanks in Advance!
> Bill
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

Attachment: dumps.txt

# arp -a
? (10.0.0.1) at 00:01:53:80:e2:40 on dc0 permanent [ethernet]
? (10.0.0.2) at 00:02:b3:a8:3d:2b on dc0 [ethernet]

# netstat -m
129/160/4992 mbufs in use (current/peak/max):
        129 mbufs allocated to data
128/136/1248 mbuf clusters in use (current/peak/max)
312 Kbytes allocated to network (8% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# ipfw show
00100 24 1824 allow udp from 132.239.1.6 123 to 123
00200 23 1748 allow udp from 128.194.254.9 123 to 123
00300 24 1824 allow udp from 192.43.244.18 123 to 123
00400 24 1824 allow udp from 128.138.140.44 123 to 123
00500 0 0 allow udp from 132.239.1.6 123 to 123
00600 0 0 allow udp from 128.194.254.9 123 to 123
00700 0 0 allow udp from 192.43.244.18 123 to 123
00800 0 0 allow udp from 128.138.140.44 123 to 123
00900 0 0 deny ip from 127.0.0.0/8 to any via vr0
01000 1316 132222 deny ip from 10.0.0.0/8 to any via vr0
01100 512 65098 deny ip from 192.168.0.0/16 to any via vr0
01200 0 0 deny ip from 172.16.0.0/16 to any via vr0
01300 6363 1136947 allow ip from 10.0.0.0/28 to any via dc0
01400 5952 374220 allow ip from any to any via lo*
01500 214096 106791094 allow ip from X.X.211.64/26 to any
01600 176 21124 allow ip from X.X.122.180 to any
01700 703 33825 allow icmp from any to any
01800 898 130784 allow ip from X.X.204.192/28 to any
01900 0 0 allow ip from X.X.211.68 to any
02000 51768 7784246 allow ip from any to X.X.255.255
02100 0 0 allow tcp from any to 53
02200 0 0 allow udp from any to 53
02300 11915 2725386 allow tcp from any to 80
02400 0 0 allow udp from any to 80
02500 659 444559 allow tcp from any to 25
02600 0 0 allow udp from any to 25
02700 0 0 allow tcp from any to 110
02800 0 0 allow udp from any to 110
02900 0 0 allow tcp from any to 143
03000 0 0 allow udp from any to 143
03100 0 0 deny tcp from any to 3306
03200 0 0 deny udp from any to 3306
03300 0 0 deny tcp from any to 6101
03400 0 0 deny tcp from any to 8192
03500 0 0 allow tcp from X.X.211.64/26 to 53
03600 0 0 allow udp from X.X.211.64/26 to 88
03700 0 0 allow tcp from X.X.211.64/26 to 135
03800 0 0 allow udp from X.X.211.64/26 to 137
03900 0 0 allow udp from X.X.211.64/26 to 138
04000 0 0 allow tcp from X.X.211.64/26 to 139
04100 0 0 allow udp from X.X.211.64/26 to 389
04200 0 0 allow tcp from X.X.211.64/26 to 445
04300 0 0 allow tcp from X.X.211.64/26 to 464
04400 0 0 allow tcp from X.X.211.64/26 to 636
04500 0 0 allow tcp from X.X.211.64/26 to 3268
04600 0 0 allow tcp from X.X.211.64/26 to 3269
04700 168 13430 allow tcp from X.X.33.84 to 389
04800 0 0 allow udp from X.X.33.84 to 389
04900 8 643 allow tcp from X.X.33.75 to 389
05000 0 0 allow udp from X.X.33.75 to 389
05100 0 0 allow ip from X.X.15.22 to
05200 0 0 allow ip from X.X.15.41 to
05300 0 0 allow ip from X.X.15.25 to
05400 0 0 allow tcp from X.X.15.15 to 53
05500 0 0 allow tcp from X.X.15.16 to 53
05600 7565 303432 deny tcp from any to X.X.211.64/26 setup
05700 227 18147 allow tcp from any to X.X.211.64/26 1024-65535
05800 364 89403 allow udp from any to X.X.211.64/26 1024-65535
05900 24660 2746580 deny log ip from any to any
65535 17 997 deny ip from any to any

# ifconfig
dc0: flags=8943 mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:01:53:80:e2:40
        media: Ethernet autoselect (100baseTX )
        status: active
vr0: flags=8943 mtu 1500
        ether 00:e0:4c:9c:83:1a
        media: Ethernet autoselect (100baseTX )
        status: active
lp0: flags=8810 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010 mtu 1500
sl0: flags=c010 mtu 552
faith0: flags=8002 mtu 1500

# netstat -s
tcp:
        1632 packets sent
                482 data packets (396644 bytes)
                12 data packets (12480 bytes) retransmitted
                0 resends initiated by MTU discovery
                760 ack-only packets (3 delayed)
                0 URG only packets
                0 window probe packets
                0 window update packets
                378 control packets
        2001 packets received
                838 acks (for 396325 bytes)
                2 duplicate acks
                0 acks for unsent data
                824 packets (388527 bytes) received in-sequence
                0 completely duplicate packets (0 bytes)
                0 old duplicate packets
                0 packets with some dup. data (0 bytes duped)
                0 out-of-order packets (0 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                367 window update packets
                0 packets received after close
                0 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
        4 connection requests
        371 connection accepts
        0 bad connection attempts
        0 listen queue overflows
        373 connections established (including accepts)
        374 connections closed (including 2 drops)
                0 connections updated cached RTT on close
                0 connections updated cached RTT variance on close
                0 connections updated cached ssthresh on close
        2 embryonic connections dropped
        838 segments updated rtt (of 472 attempts)
        24 retransmit timeouts
                2 connections dropped by rexmit timeout
        0 persist timeouts
                0 connections dropped by persist timeout
        0 keepalive timeouts
                0 keepalive probes sent
                0 connections dropped by keepalive
        22 correct ACK header predictions
        412 correct data packet header predictions
        371 syncache entries added
                0 retransmitted
                0 dupsyn
                0 dropped
                371 completed
                0 bucket overflow
                0 cache overflow
                0 reset
                0 stale
                0 aborted
                0 badack
                0 unreach
                0 zone failures
        0 cookies sent
        0 cookies received
udp:
        1504 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        0 with no checksum
        1502 dropped due to no socket
        2 broadcast/multicast datagrams dropped due to no socket
        0 dropped due to full socket buffers
        0 not for hashed pcb
        0 delivered
        1503 datagrams output
ip:
        44537 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        3743 packets for this host
        1503 packets for unknown/unsupported protocol
        0 packets forwarded (0 packets fast forwarded)
        26203 packets not forwardable
        35 packets received for unknown multicast group
        0 redirects sent
        4891 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
icmp:
        1502 calls to icmp_error
        0 errors not generated 'cuz old message was icmp
        Output histogram:
                echo reply: 231
                destination unreachable: 1502
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        1 multicast echo requests ignored
        0 multicast timestamp requests ignored
        Input histogram:
                echo reply: 4
                destination unreachable: 1502
                echo: 232
        231 message responses generated
        0 invalid return addresses
        0 no return routes
        ICMP address mask responses are disabled
igmp:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent
-- Bridging statistics (bdg) --
Name          In      Out  Forward  Drop   Bcast  Mcast  Local  Unknown
dc0:1     155257   296115   136083     0     345  15217   2203     1409
vr0:1     315444   153056   114414     0  179526  19433      0     2071

# netstat -i
Name   Mtu    Network   Address              Ipkts Ierrs    Opkts Oerrs  Coll
dc0    1500             00:01:53:80:e2:40   155605     0   297006     0     0
dc0    1500   10/24     10.0.0.1              5273     -     4916     -     -
vr0    1500             00:e0:4c:9c:83:1a   316350     0   153370     0     0
lp0*   1500                                      0     0        0     0     0
lo0    16384                                  3104     0     3104     0     0
lo0    16384  your-net  localhost               48     -       48     -     -
ppp0*  1500                                      0     0        0     0     0
sl0*   552                                       0     0        0     0     0
faith  1500                                      0     0        0     0     0
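An added example, not part of this message or of FreeBSD's own tools: it parses lines in the `ipfw show` format posted above (a constructed subset of the anti-spoofing deny rules) and reports which parts of the RFC 1918 and loopback source ranges the deny rules on the outside interface leave uncovered. The field regex and the list of expected prefixes are assumptions of the example.

```python
import ipaddress
import re
# Constructed sample: the anti-spoofing deny rules (and two neighbours) from the posted `ipfw show` output.
IPFW_SHOW = """\
00900 0 0 deny ip from 127.0.0.0/8 to any via vr0
01000 1316 132222 deny ip from 10.0.0.0/8 to any via vr0
01100 512 65098 deny ip from 192.168.0.0/16 to any via vr0
01200 0 0 deny ip from 172.16.0.0/16 to any via vr0
01300 6363 1136947 allow ip from 10.0.0.0/28 to any via dc0
05900 24660 2746580 deny log ip from any to any
"""
# Source prefixes a deny on the outside interface should cover: the RFC 1918 blocks plus loopback (assumed).
EXPECTED_DENY = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
# One `ipfw show` line: number, packet and byte counters, action, protocol, endpoints, interface (assumed format).
RULE_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+)\s+(allow|deny)(?:\s+log)?\s+(\S+)"
    r"\s+from\s+(\S+)(?:\s+[\d,-]+)?\s+to\s+(\S+)(?:\s+[\d,-]+)?(?:\s+via\s+(\S+))?")

def parse_rules(text):
    """Return one dict per line the regex recognises; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, pkts, _, action, proto, src, dst, via = m.groups()
            rules.append(dict(num=int(num), pkts=int(pkts), action=action, proto=proto, src=src, dst=dst, via=via))
    return rules

def deny_coverage_gaps(rules, iface):
    """Map each expected prefix to the sub-ranges no deny rule on iface covers (empty dict = all covered)."""
    denied = []
    for r in rules:
        if r["action"] == "deny" and r["via"] == iface:
            try:
                denied.append(ipaddress.ip_network(r["src"], strict=False))
            except ValueError:
                pass  # "any" or a masked source such as X.X.211.64/26: nothing to reason about
    gaps = {}
    for want in map(ipaddress.ip_network, EXPECTED_DENY):
        uncovered = [want]
        for have in denied:
            new = []
            for u in uncovered:
                if have.supernet_of(u):
                    continue  # this deny rule covers the whole remaining piece
                # overlapping CIDR blocks nest, so an overlapping `have` lies inside `u`: cut it out
                new.extend(u.address_exclude(have) if have.overlaps(u) else [u])
            uncovered = new
        if uncovered:
            gaps[str(want)] = [str(u) for u in sorted(uncovered)]
    return gaps
```

On the sample, the only gap reported is the part of 172.16.0.0/12 outside 172.16.0.0/16; a full ruleset can be checked by feeding the complete `ipfw show` output to `parse_rules`.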