From: john@dexter.starfire.mn.org (John Lind)
To: dan@dpcsys.com (Dan Busarow)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Fwd: Re: ipfw question
Date: Sat, 30 Jan 1999 09:15:51 -0600
In-Reply-To: from Dan Busarow on Jan 29, 1999 16:36:18 -0800

Dan Busarow writes:
> On Fri, 29 Jan 1999, John Lind wrote:
> > We have two subnets routed to a Cisco 675 (aDSL). The 657 is
> > 137.192.130.30. The FreeBSD box is 137.192.130.29 on that net,
> > and the other NIC is 137.192.130.22 on the internal or "protected"
> > net. The netmask on both nets is 255.255.255.248.
> >
> > The system we are most trying to protect on the internal net is a
> > UnixWare system (good grief, I hope that they aren't doing something
> > weird with TCP that's causing all this!), which is at IP 137.192.130.20.
> > When I use the "open" ruleset, I have full access to that system
> > (and so does everyone else). Just for reference, that's
> >
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
> >
> > Since I have full access from anywhere on the Internet to the internal
> > systems with this ruleset, I know that IP forwarding is working.
> >
> > When I try to do any filtering at all, I lose all access to the UnixWare
> > system. The ultimate goal is to have Web access to that system, but
> > to restrict access for everything else to a few selected IP's. The
> > following ruleset isn't nearly that complicated -- I've stripped it
> > 'way down -- my understanding is that this SHOULD allow Web access
> > to this system, and nothing else, but instead, I get nothing at all.
> > I have a test script that installs this, and then if I don't break out
> > of it, it installs the "open" set again, and as soon as "open" gets
> > reinstalled, the web accesses that were hanging all proceed.
> >
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 01000 allow tcp from any to any established
> > 01200 allow tcp from any to 137.192.130.20 80 setup
> > 01300 allow tcp from 137.192.130.16/29 to any setup
>
> Try changing the /29 to /28
> You aren't letting setup out via 137.192.130.29 and so he can't forward
> the packets.

I think I know why this didn't help. The packets passing through the
interface 137.192.130.29 (ed0) are not ORIGINATING with 137.192.130.29,
i.e. the source IP is not 139.192.130.29, but still 137.192.130.20.

> > 01410 allow tcp from any to any 25 setup
> > 01420 allow tcp from any to any 53 setup
> > 01421 allow udp from any to any 53
> > 01430 allow icmp from any to any
> >
> > I've tried replacing 01200 with "to 137.192.130.20 80" (no "setup"),
> > and with simply "to 137.192.130.20" (no port, just for testing) and it
> > works the same. I also tried port 23 and tested with telnet, with the
> > same results -- it just hangs until the script times out and restores
> > open access.
> >
> > When I do a netstat -n, I always see the connection state as "ESTABLISHED"
> > which tells me, it should be working!!!
>
> Dan
> --
> Dan Busarow 949 443 4172
> Dana Point Communications, Inc. dan@dpcsys.com
> Dana Point, California 83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

--
John Lind, Starfire Consulting Services
E-mail: john@starfire.MN.ORG
USnail: PO Box 17247, Mpls MN 55417
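The thread turns on how ipfw's stateless first-match evaluation treats the quoted ruleset, so here is an added example (not from the original mail or from FreeBSD) that walks the inbound web handshake through those rules: "setup" matches a SYN without ACK, "established" matches anything with ACK or RST set. The client address, source port and outside interface name ed0 are assumed; the ruleset text is copied from the thread.

```python
import ipaddress, re
# Constructed copy of the stateless ruleset quoted in the thread; ipfw applies the first match.
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 allow tcp from any to any established
01200 allow tcp from any to 137.192.130.20 80 setup
01300 allow tcp from 137.192.130.16/29 to any setup
01410 allow tcp from any to any 25 setup
01420 allow tcp from any to any 53 setup
01421 allow udp from any to any 53
01430 allow icmp from any to any
65535 deny ip from any to any
"""
RULE = re.compile(r"(\d+) (\w+) (\w+) from (\S+)(?: (\d+))? to (\S+)(?: (\d+))?(.*)")

def parse(text):  # covers only the syntax used above: addr[/len] [port], via, setup, established
    rules = []
    for m in map(RULE.match, text.splitlines()):
        num, action, proto, src, sport, dst, dport, opts = m.groups()
        opts = opts.split()
        rules.append(dict(num=int(num), action=action, proto=proto, src=src, dst=dst,
                          sport=sport and int(sport), dport=dport and int(dport),
                          via=opts[opts.index("via") + 1] if "via" in opts else None,
                          established="established" in opts, setup="setup" in opts))
    return rules

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(r, p):
    return bool(r["proto"] in ("ip", p["proto"]) and r["via"] in (None, p["iface"])
                and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
                and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport"))
                and (not r["established"] or p["flags"] & {"ACK", "RST"})  # established: ACK or RST set
                and (not r["setup"] or ("SYN" in p["flags"] and "ACK" not in p["flags"])))  # setup: SYN, no ACK

def verdict(rules, p):  # first matching rule decides; 65535 is ipfw's default deny
    for r in rules:
        if matches(r, p):
            return r["num"], r["action"]
    return 65535, "deny"

def tcp(src, sport, dst, dport, iface, *flags):  # constructed TCP segment as ipfw would see it
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=dport, iface=iface, flags=set(flags))

def web_handshake(rules, client="192.0.2.7", srv="137.192.130.20"):  # client address is constructed
    return [verdict(rules, tcp(client, 40000, srv, 80, "ed0", "SYN")),          # SYN in on ed0
            verdict(rules, tcp(srv, 80, client, 40000, "ed0", "SYN", "ACK")),  # reply: ACK set
            verdict(rules, tcp(client, 40000, srv, 80, "ed0", "ACK"))]         # handshake done
```

Under these semantics the handshake is accepted by rules 01200 and 01000, and swapping /29 for /28 only changes what 01300 lets the firewall's own address 137.192.130.29 originate, so the simulation supports the reply's point that Dan's suggestion does not touch forwarded traffic from .20.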