From: "Lowkrantz, Goran" <Goran.Lowkrantz@infologigruppen.se>
To: freebsd-stable@FreeBSD.ORG
Subject: Strange firewall - DMZ interference
Date: Tue, 2 May 2000 11:44:52 +0200

I'm totally at a loss over a firewall system I have been running for almost a year on 3-STABLE, and when I upgrade to 4-STABLE it just seems to go bananas.

Configuration

        Internet
           |xl0 - 212.214.163.69/32
       +---+---+xl1   +-----+
       |  FW1  +------+ DMZ | - 212.214.162.32/24
       +---+---+      +-----+
           |xl2 - 192.168.99.1/30
           |de2 - 192.168.99.2/30
       +---+---+
       |  FW2  |
       +---+---+
           |
       Internal net

In the DMZ I have one apache server with a couple of virtual servers, both name and IP based. On FW1 is another apache, but this is configured to forward all requests to other web servers using mod_proxy.

My problem is that FW1 accepts all connections to the DMZ!

Whatever I do from the internet (ping, traceroute, ssh, ftp, www, you name it), FW1 responds, even when I use specific IP addresses that have hosts on the DMZ.

I have attached all information I can think of. Please help, I have run out of ideas.

Cheers, GLZ
----
Goran Lowkrantz            Email : goran.lowkrantz@infologigruppen.se
Infologigruppen Alfa AB    Telephone: Nat 070-587 8782    Fax: Nat 070-615 8782
Box 202                               Int +46 70-587 8782      Int +46 70-615 8782
941 25 Pitea, Sweden

Attachment: ifconfig.txt

> ifconfig -a
xl0: flags=8843 mtu 1500
        inet 212.214.163.69 netmask 0xffffffc0 broadcast 212.214.163.127
        ether 00:10:5a:d5:59:bd
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
xl1: flags=8843 mtu 1500
        inet 212.214.162.33 netmask 0xfffffff0 broadcast 212.214.162.47
        ether 00:10:5a:d5:58:29
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
xl2: flags=8843 mtu 1500
        inet 192.168.99.1 netmask 0xfffffffc broadcast 192.168.99.3
        ether 00:10:5a:d5:58:2f
        media: autoselect (100baseTX ) status: active
        supported media: autoselect 100baseTX 100baseTX 10baseT/UTP 10baseT/UTP 100baseTX
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

Attachment: netstat.txt

> netstat -r
Routing tables

Internet:
Destination         Gateway             Flags   Refs   Use   Netif Expire
default             212.214.163.65      UGSc      96  7210   xl0
localhost           localhost           UH         4   856   lo0
192.168/16          modgunn-net.ign.se  UGSc       5  3000   xl2
192.168.99/30       link#3              UC         0     0   xl2 =>
modgunn-net.ign.se  0:80:c8:f8:48:93    UHLW       7   344   xl2   1072
192.168.99.3        ff:ff:ff:ff:ff:ff   UHLWb      0     8   xl2
212.214.162.32/32   bifrost             UGSc       0     0   xl1 =>
212.214.162.32/28   link#2              UC         0     0   xl1 =>
bifrost             0:10:5a:d5:58:29    UHLW       1     0   lo0
infowire            0:10:5c:ab:1f:20    UHLW       2    60   xl1   1064
balder              0:10:5a:d5:59:1a    UHLW       0   120   xl1     22
212.214.162.47      ff:ff:ff:ff:ff:ff   UHLWb      1    19   xl1
212.214.163.64/26   link#1              UC         0     0   xl0 =>
212.214.163.65      0:50:da:dc:a0:84    UHLW      94     0   xl0   1072
212.214.163.127     ff:ff:ff:ff:ff:ff   UHLWb      1    16   xl0

Attachment: ipfw.txt (rc.conf fragment)

# -- ipfw - firewall
firewall_enable=YES
firewall_type="/etc/ipfw.conf"

# -- natd - network address translation
natd_enable=YES
natd_interface="xl0"
natd_flags="-f /etc/natd.conf"

Attachment: ipfw.conf

add deny all from 192.168.0.0:255.255.0.0 to any in via xl0
add deny all from 212.214.162.32:255.255.255.240 to any in via xl0
add deny all from 192.168.0.0:255.255.0.0 to any in via xl1
add deny all from 212.214.163.0:255.255.255.192 to any in via xl1
add deny all from 212.214.163.0:255.255.255.192 to any in via xl2
add deny all from 212.214.162.32:255.255.255.240 to any in via xl2
add deny tcp from any to any 194 out via xl0
add deny udp from any to any 194 out via xl0
add deny tcp from any to any 529 out via xl0
add deny udp from any to any 529 out via xl0
add deny all from 0.0.0.0/8 to any via xl0
add deny all from any to 0.0.0.0/8 via xl0
add deny all from 169.254.0.0/16 to any via xl0
add deny all from any to 169.254.0.0/16 via xl0
add deny all from 192.0.2.0/24 to any via xl0
add deny all from any to 192.0.2.0/24 via xl0
add deny all from 224.0.0.0/4 to any via xl0
add deny all from any to 224.0.0.0/4 via xl0
add deny all from 240.0.0.0/4 to any via xl0
add deny all from any to 240.0.0.0/4 via xl0
add deny all from 0.0.0.0/8 to any via xl0
add deny all from any to 0.0.0.0/8 via xl0
add deny all from 169.254.0.0/16 to any via xl0
add deny all from any to 169.254.0.0/16 via xl0
add deny all from 192.0.2.0/24 to any via xl0
add deny all from any to 192.0.2.0/24 via xl0
add deny all from 224.0.0.0/4 to any via xl0
add deny all from any to 224.0.0.0/4 via xl0
add deny all from 240.0.0.0/4 to any via xl0
add deny all from any to 240.0.0.0/4 via xl0
add allow tcp from any to any established
add pass all from any to any frag
add allow tcp from any to any 22 setup
add allow tcp from any to 212.214.163.69 20 setup
add allow tcp from any to 212.214.163.69 21 setup
add allow tcp from any to 212.214.162.35 25 setup
add allow tcp from any to 212.214.163.69 25 setup
add allow tcp from any to 212.214.163.69 25 setup
add allow tcp from any to 192.168.3.1 25 setup out via xl2
add allow tcp from 212.214.162.35 to 192.168.3.1 25 in via xl1
add allow tcp from 212.214.162.35 to any 25 in via xl1
add allow tcp from 212.214.162.35 to any 25 out via xl0
add allow tcp from 212.214.163.69 to any 25 out via xl0
add deny log tcp from 192.168.3.1 25 to any out via xl0
add allow tcp from any to 212.214.162.35 53 setup
add allow tcp from any to 212.214.163.69 53 setup
add allow tcp from 212.214.163.69 to any 53 out via xl0
add allow tcp from any to 212.214.162.34 80 setup
add allow tcp from any to 212.214.162.35 80 setup
add allow tcp from any to 212.214.163.69 80 setup
add allow tcp from 192.168.0.0:255.255.0.0 to any 80 in via xl2
add allow tcp from 212.214.163.69 to any 80 out via xl0
add allow tcp from any to 212.214.162.34 443 setup
add allow tcp from any to 212.214.162.35 443 setup
add allow tcp from any to 212.214.163.69 443 setup
add allow log tcp from 193.44.171.39 to 212.214.163.69 1173 setup
add unreach port tcp from any to any 113 in via xl0
add deny log tcp from any to any in via 212.214.163.69 setup
add deny tcp from any to any 139 in recv xl0
add allow tcp from any to any via xl1
add allow tcp from any to any via xl2
add allow tcp from any to any out via xl0
add allow udp from 192.168.0.0/16 to 192.168.0.0/16
add allow udp from 192.168.0.0/16 to 212.214.162.32/28
add allow udp from 212.214.162.32/28 to 192.168.0.0/16
add allow udp from 212.214.162.32/28 to 212.214.162.32/28
add allow udp from any 53 to any
add allow udp from any to any 53
add allow udp from any 123 to 212.214.163.69
add allow udp from any 123 to 212.214.163.255
add allow udp from 212.214.163.69 to any 123
add allow udp from any 123 to 212.214.162.33
add allow udp from any 123 to 212.214.162.47
add allow udp from 212.214.162.33 to any 123
add allow udp from any 123 to 192.168.99.1
add allow udp from any 123 to 192.168.99.3
add allow udp from 192.168.99.1 to any 123
add allow udp from any 513 to 192.168.99.1
add allow udp from any 513 to 192.168.99.3
add allow udp from 192.168.99.1 to any 513
add allow udp from any 513 to 212.214.162.35
add allow udp from 212.214.162.35 to any 513
add allow udp from any 513 to 212.214.162.33
add allow udp from 212.214.162.33 to any 513
add deny udp from any to any 67 in via xl0
add deny udp from any to any 513 via xl0
add deny udp from any to any 137 in recv xl0
add deny udp from any to any 137 in recv xl1
add deny udp from any to any 138 in recv xl0
add deny udp from any to any 138 in recv xl1
add allow udp from any to any out via xl0
add allow udp from any to any via xl2
add allow icmp from any to any via xl2
add allow icmp from any to any via xl1
add allow icmp from any to any out via xl0
add allow icmp from any to any in via xl0 icmptypes 0,3,4,8,11,12,14,15,16,17,18,30,31
add deny icmp from any to any in via xl0
add deny log ip from any to any

Attachment: natd.conf

#
# NATD Config file for BIFROST
#
log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes
dynamic yes
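An added example, not part of the original post or of FreeBSD: a small first-match simulator for a constructed subset of the attached ipfw.conf. It shows which rule fires on each of the two passes a forwarded TCP SYN makes through FW1 (in on xl0, then out on xl1), which is the check to run when a ruleset behaves unexpectedly. The rule subset, the client address 198.51.100.7 and the `trace_syn`/`parse` helpers are assumptions made here; `setup` and `established` are approximated from the SYN/ACK flags.

```python
import ipaddress

# Constructed subset of the ipfw.conf attached to the post, in ipfw's first-match
# order; "via 212.214.163.69" is spelled "via xl0", the interface holding it.
RULES = """\
add deny all from 212.214.162.32:255.255.255.240 to any in via xl0
add allow tcp from any to any established
add allow tcp from any to 212.214.162.34 80 setup
add deny log tcp from any to any in via xl0 setup
add allow tcp from any to any via xl1
add deny log ip from any to any""".splitlines()

def _net(tok):  # 'any' -> None; a.b.c.d, a.b.c.d/n or ipfw's a.b.c.d:mask -> network
    return None if tok == "any" else ipaddress.ip_network(tok.replace(":", "/"), strict=False)

def _endpoint(t):  # consume 'addr [port]' from the front of token list t
    net = _net(t.pop(0))
    return net, (int(t.pop(0)) if t and t[0].isdigit() else None)

def parse(line):  # 'add [log] ACTION PROTO from SRC [PORT] to DST [PORT] options...'
    action, proto, *t = [w for w in line.split() if w not in ("add", "log", "from", "to")]
    r = {"text": line, "action": "allow" if action in ("allow", "pass") else "deny",
         "proto": proto, "dir": None, "via": None, "opts": set()}
    r["src"], r["sport"] = _endpoint(t)
    r["dst"], r["dport"] = _endpoint(t)
    for j, w in enumerate(t):                 # remaining tokens are options
        if w in ("in", "out"): r["dir"] = w
        elif w == "via": r["via"] = t[j + 1]
        elif w in ("setup", "established"): r["opts"].add(w)
    return r

def matches(r, p):
    return (r["proto"] in ("all", "ip", p["proto"])
            and all(r[k] is None or ipaddress.ip_address(p[k]) in r[k] for k in ("src", "dst"))
            and all(r[k] is None or r[k] == p[k] for k in ("sport", "dport"))
            and r["dir"] in (None, p["dir"]) and r["via"] in (None, p["iface"])
            and ("setup" not in r["opts"] or (p["syn"] and not p["ack"]))
            and ("established" not in r["opts"] or p["ack"]))   # ACK (or RST) set

def trace_syn(dst, dport, in_if="xl0", out_if="xl1", rules=RULES):
    """Follow a TCP SYN from a constructed internet client to dst:dport through FW1.
    ipfw sees a forwarded packet twice (in on in_if, then out on out_if); returns
    [(pass, iface, action, rule text)] and stops at the first deny."""
    pkt = {"proto": "tcp", "src": "198.51.100.7", "sport": 40000,   # TEST-NET-2 client
           "dst": dst, "dport": dport, "syn": True, "ack": False}
    parsed, hits = [parse(l) for l in rules], []
    for d, i in (("in", in_if), ("out", out_if)):
        hit = next((r for r in parsed if matches(r, dict(pkt, dir=d, iface=i))), None)
        hits.append((d, i, hit["action"] if hit else "deny", hit["text"] if hit else "<none>"))
        if hits[-1][2] == "deny": break
    return hits
```

`trace_syn("212.214.162.34", 80)` is allowed on both passes by the port-80 setup rule, while `trace_syn("212.214.162.35", 23)` is stopped on the inbound xl0 pass by the `deny log tcp ... in via xl0 setup` rule, so the broad `allow tcp from any to any via xl1` that follows it never gets a chance to match.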