Date: Tue, 2 May 2000 11:44:52 +0200 From: "Lowkrantz, Goran" <Goran.Lowkrantz@infologigruppen.se> To: "'freebsd-stable@FreeBSD.ORG'" <freebsd-stable@FreeBSD.ORG> Subject: Strange firewall - DMZ interference Message-ID: <B500F74C6527D311B61F0000C0DF5ADC263025@valhall.ign.se>
[-- Attachment #1 --]
I'm totally at a loss over a firewall system I have been running for almost a
year on 3-STABLE, and when I upgrade to 4-STABLE it just seems to go bananas.
Configuration

                Internet
                   |xl0 - 212.214.163.69/32
               +---+---+xl1 +-----+
               |  FW1  +----+ DMZ | - 212.214.162.32/24
               +---+---+    +-----+
                   |xl2 - 192.168.99.1/30
                   |de2 - 192.168.99.2/30
               +---+---+
               |  FW2  |
               +---+---+
                   |
                Internal
                  net
In the DMZ I have one apache server with a couple of virtual servers, both
name- and IP-based. On FW1 there is another apache, but it is configured to
forward all requests to other web servers using mod_proxy.
My problem is that FW1 accepts all connections to the DMZ! Whatever I do
from the internet -- ping, traceroute, ssh, ftp, www, you name it -- FW1 responds,
even when I use the specific IP addresses of hosts on the DMZ.
I have attached all information I can think of. Please help, I have run out
of ideas.
Cheers,
GLZ
----
Goran Lowkrantz Email : goran.lowkrantz@infologigruppen.se
Infologigruppen Alfa AB Telephone: Nat 070-587 8782 Fax: Nat 070-615
8782
Box 202 Int +46 70-587 8782 Int +46 70-615
8782
941 25 Pitea, Sweden
[-- Attachment #2 --]
> ifconfig -a
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 212.214.163.69 netmask 0xffffffc0 broadcast 212.214.163.127
ether 00:10:5a:d5:59:bd
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 212.214.162.33 netmask 0xfffffff0 broadcast 212.214.162.47
ether 00:10:5a:d5:58:29
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
xl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.99.1 netmask 0xfffffffc broadcast 192.168.99.3
ether 00:10:5a:d5:58:2f
media: autoselect (100baseTX <full-duplex>) status: active
supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
[-- Attachment #3 --]
> netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 212.214.163.65 UGSc 96 7210 xl0
localhost localhost UH 4 856 lo0
192.168/16 modgunn-net.ign.se UGSc 5 3000 xl2
192.168.99/30 link#3 UC 0 0 xl2 =>
modgunn-net.ign.se 0:80:c8:f8:48:93 UHLW 7 344 xl2 1072
192.168.99.3 ff:ff:ff:ff:ff:ff UHLWb 0 8 xl2
212.214.162.32/32 bifrost UGSc 0 0 xl1 =>
212.214.162.32/28 link#2 UC 0 0 xl1 =>
bifrost 0:10:5a:d5:58:29 UHLW 1 0 lo0
infowire 0:10:5c:ab:1f:20 UHLW 2 60 xl1 1064
balder 0:10:5a:d5:59:1a UHLW 0 120 xl1 22
212.214.162.47 ff:ff:ff:ff:ff:ff UHLWb 1 19 xl1
212.214.163.64/26 link#1 UC 0 0 xl0 =>
212.214.163.65 0:50:da:dc:a0:84 UHLW 94 0 xl0 1072
212.214.163.127 ff:ff:ff:ff:ff:ff UHLWb 1 16 xl0
[-- Attachment #4 --]
# -- ipfw - firewall
# firewall_type is a path, not a preset name: rc.firewall loads the
# rules from this file instead of one of its built-in rule sets.
# NOTE(review): the rule file itself (attachment #5) contains no
# "divert natd" rule, so whether NAT is actually applied, and ahead of
# which rules, depends on what rc.firewall adds on its own -- verify the
# live ruleset with "ipfw show" rather than trusting the file.
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

# -- natd - network address translation
# natd aliases on the outside interface; every other natd option is
# read from the -f config file (attachment #6).
natd_enable="YES"
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"
[-- Attachment #5 --]
# ipfw(8) rule file, loaded through rc.conf's firewall_type="/etc/ipfw.conf".
# Rules are evaluated top to bottom and the first match decides; "add"
# without a rule number assigns ascending numbers in file order, so the
# order below is the policy.
#
# NOTE(review): there is no "divert natd" rule anywhere in this file even
# though rc.conf enables natd on xl0. Whether NAT happens at all, and at
# which point in the sequence, therefore depends on what rc.firewall
# inserts before loading this file. Nothing here can make FW1 answer on
# behalf of DMZ addresses (rules only pass or drop), so the live ruleset
# ("ipfw show", including any divert rule) and the natd side are the next
# things to check.
#
# -- Anti-spoofing: drop source prefixes arriving on the wrong interface.
#    xl0 = Internet, xl1 = DMZ 212.214.162.32/28, xl2 = link to FW2 and the
#    inside 192.168/16.
#    NOTE(review): 212.214.163.0:255.255.255.192 is 212.214.163.0/26, but
#    xl0 lives in 212.214.163.64/26 (ifconfig/netstat in attachments #2/#3),
#    so the two rules below for xl1 and xl2 do not cover FW1's own outside
#    subnet; the mask or the address looks stale.
add deny all from 192.168.0.0:255.255.0.0 to any in via xl0
add deny all from 212.214.162.32:255.255.255.240 to any in via xl0
add deny all from 192.168.0.0:255.255.0.0 to any in via xl1
add deny all from 212.214.163.0:255.255.255.192 to any in via xl1
add deny all from 212.214.163.0:255.255.255.192 to any in via xl2
add deny all from 212.214.162.32:255.255.255.240 to any in via xl2
# -- Outbound IRC (tcp/udp 194 and 529) is blocked on the outside interface.
add deny tcp from any to any 194 out via xl0
add deny udp from any to any 194 out via xl0
add deny tcp from any to any 529 out via xl0
add deny udp from any to any 529 out via xl0
# -- Bogon / reserved ranges on the outside interface, both directions:
#    0/8, 169.254/16 (link-local), 192.0.2/24 (TEST-NET), 224/4 (multicast)
#    and 240/4 (reserved).
add deny all from 0.0.0.0/8 to any via xl0
add deny all from any to 0.0.0.0/8 via xl0
add deny all from 169.254.0.0/16 to any via xl0
add deny all from any to 169.254.0.0/16 via xl0
add deny all from 192.0.2.0/24 to any via xl0
add deny all from any to 192.0.2.0/24 via xl0
add deny all from 224.0.0.0/4 to any via xl0
add deny all from any to 224.0.0.0/4 via xl0
add deny all from 240.0.0.0/4 to any via xl0
add deny all from any to 240.0.0.0/4 via xl0
# NOTE(review): the next ten rules are an exact repeat of the ten above.
#    They can never match (the first copy already dropped the packet) and
#    can be removed without changing behaviour.
add deny all from 0.0.0.0/8 to any via xl0
add deny all from any to 0.0.0.0/8 via xl0
add deny all from 169.254.0.0/16 to any via xl0
add deny all from any to 169.254.0.0/16 via xl0
add deny all from 192.0.2.0/24 to any via xl0
add deny all from any to 192.0.2.0/24 via xl0
add deny all from 224.0.0.0/4 to any via xl0
add deny all from any to 224.0.0.0/4 via xl0
add deny all from 240.0.0.0/4 to any via xl0
add deny all from any to 240.0.0.0/4 via xl0
# -- Stateless pass-through. "established" matches any TCP segment with
#    ACK or RST set, on every interface, so everything below only governs
#    connection setup (SYN) and non-TCP traffic.
add allow tcp from any to any established
#    "frag" matches non-first fragments, which carry no port numbers; they
#    are passed unconditionally (the usual rc.firewall practice).
add pass all from any to any frag
# -- TCP connection setup. Rules without "via" apply on every interface,
#    xl0 included.
#    SSH: accepted from any source to any destination, i.e. also from the
#    Internet to FW1, to the DMZ and to anything routed through xl2. Scope
#    the destination if that is not intended.
add allow tcp from any to any 22 setup
#    FTP to FW1's outside address.
add allow tcp from any to 212.214.163.69 20 setup
add allow tcp from any to 212.214.163.69 21 setup
#    SMTP to the DMZ mail host (.35) and to FW1. The .69 rule is listed
#    twice; the second copy is redundant.
add allow tcp from any to 212.214.162.35 25 setup
add allow tcp from any to 212.214.163.69 25 setup
add allow tcp from any to 212.214.163.69 25 setup
#    SMTP between the DMZ mail host and the internal mail host 192.168.3.1.
#    The logged deny catches anything from the internal host's port 25 that
#    tries to leave xl0 with its private source address still in place.
add allow tcp from any to 192.168.3.1 25 setup out via xl2
add allow tcp from 212.214.162.35 to 192.168.3.1 25 in via xl1
add allow tcp from 212.214.162.35 to any 25 in via xl1
add allow tcp from 212.214.162.35 to any 25 out via xl0
add allow tcp from 212.214.163.69 to any 25 out via xl0
add deny log tcp from 192.168.3.1 25 to any out via xl0
#    DNS over TCP to the DMZ (.35) and FW1 name servers.
add allow tcp from any to 212.214.162.35 53 setup
add allow tcp from any to 212.214.163.69 53 setup
add allow tcp from 212.214.163.69 to any 53 out via xl0
#    HTTP to the two DMZ web hosts (.34, .35) and to the proxying apache on
#    FW1; internal clients may open port 80 anywhere via xl2.
add allow tcp from any to 212.214.162.34 80 setup
add allow tcp from any to 212.214.162.35 80 setup
add allow tcp from any to 212.214.163.69 80 setup
add allow tcp from 192.168.0.0:255.255.0.0 to any 80 in via xl2
add allow tcp from 212.214.163.69 to any 80 out via xl0
#    HTTPS to the same hosts.
add allow tcp from any to 212.214.162.34 443 setup
add allow tcp from any to 212.214.162.35 443 setup
add allow tcp from any to 212.214.163.69 443 setup
#    One specific remote host to FW1 port 1173, logged.
add allow log tcp from 193.44.171.39 to 212.214.163.69 1173 setup
#    ident probes from the Internet get an immediate port-unreachable
#    instead of a silent drop, so remote services that consult ident do
#    not have to wait for a timeout.
add unreach port tcp from any to any 113 in via xl0
#    Catch-all for inbound SYNs on the outside interface, matched by its
#    address rather than its name ("via 212.214.163.69" selects xl0). Every
#    connection attempt from the Internet not allowed above is logged here.
add deny log tcp from any to any in via 212.214.163.69 setup
#    NetBIOS session service received on xl0.
add deny tcp from any to any 139 in recv xl0
#    All other TCP is open on the DMZ and inside interfaces in both
#    directions, and outbound on xl0. Apart from the anti-spoofing and bogon
#    rules at the top, TCP is therefore only filtered on inbound xl0.
add allow tcp from any to any via xl1
add allow tcp from any to any via xl2
add allow tcp from any to any out via xl0
# -- UDP.
#    Unrestricted UDP between the private and DMZ networks.
add allow udp from 192.168.0.0/16 to 192.168.0.0/16
add allow udp from 192.168.0.0/16 to 212.214.162.32/28
add allow udp from 212.214.162.32/28 to 192.168.0.0/16
add allow udp from 212.214.162.32/28 to 212.214.162.32/28
#    DNS. NOTE(review): "from any 53 to any" passes any UDP datagram whose
#    source port is 53, from any address on any interface, to any port on
#    any host. Restricting the source to the resolvers actually used would
#    close that gap.
add allow udp from any 53 to any
add allow udp from any to any 53
#    NTP to/from each interface address and its broadcast address.
#    NOTE(review): 212.214.163.255 is not xl0's broadcast -- ifconfig in
#    attachment #2 shows 212.214.163.127 -- so that rule looks stale.
add allow udp from any 123 to 212.214.163.69
add allow udp from any 123 to 212.214.163.255
add allow udp from 212.214.163.69 to any 123
add allow udp from any 123 to 212.214.162.33
add allow udp from any 123 to 212.214.162.47
add allow udp from 212.214.162.33 to any 123
add allow udp from any 123 to 192.168.99.1
add allow udp from any 123 to 192.168.99.3
add allow udp from 192.168.99.1 to any 123
#    rwho (udp 513) on the inside link and the DMZ addresses ...
add allow udp from any 513 to 192.168.99.1
add allow udp from any 513 to 192.168.99.3
add allow udp from 192.168.99.1 to any 513
add allow udp from any 513 to 212.214.162.35
add allow udp from 212.214.162.35 to any 513
add allow udp from any 513 to 212.214.162.33
add allow udp from 212.214.162.33 to any 513
#    ... but not across the outside interface. Likewise DHCP server traffic
#    inbound on xl0 and NetBIOS name/datagram service received on xl0/xl1.
add deny udp from any to any 67 in via xl0
add deny udp from any to any 513 via xl0
add deny udp from any to any 137 in recv xl0
add deny udp from any to any 137 in recv xl1
add deny udp from any to any 138 in recv xl0
add deny udp from any to any 138 in recv xl1
#    Remaining UDP: open outbound on xl0 and both ways on xl2. There is no
#    matching blanket rule for xl1, so DMZ UDP other than the specific
#    allows above falls through to the final deny (possibly intended, but
#    worth knowing when debugging).
add allow udp from any to any out via xl0
add allow udp from any to any via xl2
# -- ICMP: unrestricted on xl1/xl2 and outbound on xl0. Inbound on xl0 only
#    the listed types pass; echo request (8) is among them, so pings from
#    the Internet are forwarded to FW1 and to the networks behind it.
add allow icmp from any to any via xl2
add allow icmp from any to any via xl1
add allow icmp from any to any out via xl0
add allow icmp from any to any in via xl0 icmptypes 0,3,4,8,11,12,14,15,16,17,18,30,31
add deny icmp from any to any in via xl0
# -- Default: anything not matched above is dropped and logged.
add deny log ip from any to any
[-- Attachment #6 --]
#
# NATD Config file for BIFROST
#
# Read by natd(8) through rc.conf's natd_flags="-f /etc/natd.conf". The
# aliasing interface (xl0) is supplied by natd_interface in rc.conf, not by
# this file. Each line is a natd(8) command-line option without its dash.
#
# Per natd(8): log aliasing statistics and information to natd's own log
# file.
log yes
# Per natd(8): additionally log, via syslog, incoming packets that natd
# refuses.
log_denied yes
# Per natd(8): allocate a real socket for FTP data / IRC DCC connections so
# the aliased port cannot collide with a local one.
use_sockets yes
# Per natd(8): keep the original source port when aliasing where possible.
same_ports yes
# Per natd(8): only translate packets whose source is an unregistered
# (RFC 1918) address. Traffic sourced from the public DMZ block
# 212.214.162.32/28 therefore crosses xl0 untranslated.
unregistered_only yes
# Per natd(8): watch the routing socket and follow changes to the
# interface's address.
dynamic yes
# NOTE(review): deny_incoming is not set, so unsolicited inbound packets on
# xl0 that match no existing translation are handed back to ipfw unchanged
# rather than dropped by natd; the ipfw rules alone decide their fate.
# Whether to enable it depends on the services FW1 itself hosts (the rule
# file allows several), so confirm before changing.
