From owner-freebsd-questions Thu Dec 13 11:22:20 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from harrier.prod.itd.earthlink.net (harrier.mail.pas.earthlink.net [207.217.120.12]) by hub.freebsd.org (Postfix) with ESMTP id 56E4037B416 for ; Thu, 13 Dec 2001 11:22:11 -0800 (PST)
Received: from user-2ivfine.dialup.mindspring.com ([165.247.202.238]) by harrier.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16EbQm-0000Mj-00; Thu, 13 Dec 2001 11:22:08 -0800
Mime-Version: 1.0
X-Sender: wtem@mail.olywa.net
In-Reply-To: <20011213133805.31126.qmail@web20604.mail.yahoo.com>
References: <20011213133805.31126.qmail@web20604.mail.yahoo.com>
Date: Thu, 13 Dec 2001 11:22:45 -0800
To: Donnie Jones , Walter McGinnis
From: Walter McGinnis
Subject: Re: upgrade from 4.0 to 4.4 cablem firewall/router ssh problems
Cc: freebsd-questions@freebsd.org
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 5:38 AM -0800 12/13/01, Donnie Jones wrote:

> > Previously, I was able to ssh to remote hosts from my LAN behind my
> > FreeBSD box, after the upgrade and resumption of cable service I
> > can't. I can ssh between boxes on the LAN and from the
> > router/firewall to remote hosts.
> >
> > TIA,
> >
> > Walter McGinnis
>
> What rules do you have set up in your firewall?

I'm using natd and ipfw. I'm starting with an open script for the
firewall until I get this resolved:

# ipfw list
00100 divert 8668 ip from any to any via xl0
00101 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
03000 allow log logamount 100 ip from any to any
65535 deny ip from any to any

The 65535 rule concerns me, but I suspect it is a result of the kernel
being set to deny by default. Even after a manual flush it persists.
The other explicit rules that I write overrule 65535, right?

> Maybe you should move the firewall rules file somewhere else
> and put a new one there that is blank, in order to
> enable the firewall to pass everything through.

This is what I've done:

from rc.conf:

gateway_enable="YES"
router_enable="YES"
router="routed"
router_flags="-q"
tcp_extensions="NO"
forward_sourceroute="NO"
accept_sourceroute="NO"
hostname="2512-13A.attbi.com"
firewall_enable="YES"
firewall_script="/etc/firewall-1"
firewall_quiet="NO"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
defaultrouter="12.232.151.1"
network_interfaces="xl0 lo0 rl0"
ifconfig_xl0="inet 12.232.151.171 netmask 255.255.255.0"
ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
inetd_enable="NO"
sshd_enable="YES"
sendmail_enable="NO"
kern_securelevel="NO"
... (about it, except mouse, linux, and network time stuff)

In firewall-1 are all the rules except 65535.

from natd.conf:

port 8668
# same_ports
# unregistered_only
interface xl0
redirect_port tcp 10.0.0.10:8000-9000 8000-9000
redirect_port tcp 10.0.0.10:80 80
# dynamic

> Do your pc's on the LAN have access to the internet? or
> are you only using them for ssh?

I had email and web access from my LAN boxes behind the router as of
last night, but this morning not even the router has WAN
web/email/ping/ssh access. I suspect it is because the defaultrouter
(i.e. AT&T's gateway) has gone down and routed is unable to set up
routing tables (netstat -r comes up with nothing and I get console
messages from natd that the host is down). Note that all the lights on
the modem are showing correct status and I powercycled the bastard for
good measure (turn off power, unplug power supply and ethernet cable,
leave off for a minute, plug power in, watch the pretty lights return
to normal, plug ethernet back in). I've also switched xl0 to "DHCP" in
case I lost my lease, but that doesn't work at reboot either.

An interesting point is that I did at one time get DHCP to work and I
wrote down the IP of gateway, name server, and my box just in case,
which is what I had working last night. I was told that the DHCP lease
was for 24 hours and it has definitely been less than that and besides
that I'm unable to get anything from DHCP. That being said, I'm able to
ping/ssh my internal boxes from the router and the other way around on
the internal network (10.0.0...)

Another thing of note is that /etc/defaults/rc.conf seems to override
arbitrary /etc/rc.conf settings. I've commented out duplicate lines in
/etc/defaults/rc.conf and things began to work (well, except for the
ssh problem of the original post) when they were. My understanding is
that I shouldn't have to touch /etc/defaults/rc.conf, only /etc/rc.conf;
what the hell is going on with that?

> Also, any configuration files you have, such as your
> rc.conf and your firewall rules file may be helpful to
> us in answering your questions.
>
> Sorry I can't help more.. yet.
> -Donnie

I look forward to your answers. I've been pulling my hair out for days
now...

Walter McGinnis

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
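A closed ruleset for the natd gateway described in this thread, added here as an example and not the poster's own /etc/firewall-1: it keeps the natd divert ahead of the allow rules, opens only what the post mentions (LAN outbound, the two redirect_port targets, ssh to the gateway), and ends in an explicit logged deny so the kernel's built-in rule 65535 is never consulted. Addresses and the divert port are the ones from the quoted rc.conf and natd.conf; the fwcmd variable and the load/show arguments are this script's own convention.

```sh
#!/bin/sh
# Example closed ipfw ruleset for the gateway in the post (not the poster's
# firewall-1). WAN xl0 12.232.151.171, LAN rl0 10.0.0.0/24, natd on 8668.
# Usage: "sh firewall-1 load" loads the rules; "sh firewall-1 show" prints them.
oif="xl0"; oip="12.232.151.171"
iif="rl0"; inet="10.0.0.0/24"
natd_port="8668"
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to dry-run

load_rules() {
    $fwcmd -f flush
    # Loopback is fine; loopback addresses on any other interface are forged.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny log ip from any to 127.0.0.0/8
    $fwcmd add 210 deny log ip from 127.0.0.0/8 to any
    # Private LAN addresses must never arrive on, or leave by, the WAN side.
    $fwcmd add 300 deny log ip from $inet to any in via $oif
    $fwcmd add 310 deny log ip from any to $inet out via $oif
    # natd: packets re-enter the ruleset at the rule after the divert, so the
    # outbound allow rules below must also cover the translated source $oip.
    $fwcmd add 400 divert $natd_port ip from any to any via $oif
    # Replies belonging to connections already opened from inside.
    $fwcmd add 500 allow tcp from any to any established
    # LAN hosts (and the gateway itself) may open outbound TCP and query DNS.
    $fwcmd add 600 allow tcp from $inet to any setup
    $fwcmd add 610 allow tcp from $oip to any setup
    $fwcmd add 620 allow udp from $inet to any 53
    $fwcmd add 630 allow udp from $oip to any 53
    $fwcmd add 640 allow udp from any 53 to $inet
    $fwcmd add 650 allow udp from any 53 to $oip
    # Only the services natd.conf redirects, plus sshd on the gateway.
    $fwcmd add 700 allow tcp from any to 10.0.0.10 80 setup
    $fwcmd add 710 allow tcp from any to 10.0.0.10 8000-9000 setup
    $fwcmd add 720 allow tcp from any to $oip 22 setup
    # Enough ICMP for ping and path MTU discovery to keep working.
    $fwcmd add 800 allow icmp from any to any icmptypes 0,3,8,11
    # Explicit logged catch-all: rule 65535 is never reached.
    $fwcmd add 1000 deny log ip from any to any
}

case "${1:-}" in
    load) load_rules ;;
    show) fwcmd=echo; load_rules ;;
esac
```

With "show" the script only prints the ipfw commands, which is the safe way to review the ruleset before loading it on a box you reach over ssh.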