Date: Thu, 30 Mar 2006 19:23:56 +0200
From: "Daniel A." <ldrada@gmail.com>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: ipf and ipnat stopped working, no routing between nics.
Message-ID: <5ceb5d550603300923i6eeaec35rb65cce6a602a8ef9@mail.gmail.com>
Hi,

I run a FreeBSD 6.0 at home in my closet. Yesterday, while I was linking IRCd services with a friend of mine, my router completely stopped routing any packets between the internal nic (sis0) and the external nic (rl0).

The only thing that I can think of which could have caused this is that I ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT run any ARP poisoning or DNS spoofing attacks on myself. But I didn't notice if the routing stopped at that point, or later, because I could always connect to my server, and the server could always connect to the internet.

The situation is still the same. I have tried to do
- "ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules" - Didn't help
- "cd /etc/rc.d; ./ipfilter restart; ./ipnat restart" - Didn't help
- Launch ettercap again and exit "cleanly" after telling it to stop sniffing.

A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0. So my conclusion is that ipnat "forgot" how to route between the two interfaces.

Could anyone please give some pointers?
[Attachment: ifconfig]

fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
	options=8<VLAN_MTU>
	ether 02:00:0a:04:69:d1
	ch 1 dma -1
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
	inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
	ether 00:0a:e6:53:fc:1e
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
	inet 87.49.144.133 netmask 0xffffff80 broadcast 87.49.144.255
	ether 00:b0:02:00:27:f3
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
	inet 127.0.0.1 netmask 0xff000000

[Attachment: ipf.rules]

# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all flags S keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in quick on sis0 all
pass out quick on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system
# Let's let people access the services running on this system
#pass in quick on rl0 proto tcp from any to any port 30000 >< 50000 flags S keep state #Passive FTP
#pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state #Active FTP
#pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state #FTP
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state #SSH
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state #WWW
pass in quick on rl0 proto tcp from any to any port = 113 flags S keep state #oidentd
pass in quick on rl0 proto udp from any to any port = 123 keep state #ntpd
pass in quick on rl0 proto tcp from any to any port = 6697 flags S keep state #ircd, SSL
pass in quick on rl0 proto tcp from any to any port = 6667 flags S keep state #ircd, non-SSL
#pass in quick on rl0 proto tcp from any to any port = 7029 flags S keep state #irc link
pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state # Steam Dedicated Server
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 >< 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 >< 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0

[Attachment: ipnat.rules]

#rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
#rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
#map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5ceb5d550603300923i6eeaec35rb65cce6a602a8ef9>
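The page carries no reply, so here is the diagnostic a practitioner would run on this gateway before suspecting the ipf or ipnat rule files. It is an added example by the editor, not code from the poster or the thread. The first check is kernel forwarding: ettercap switches net.inet.ip.forwarding off while it runs and, because it drops privileges, cannot restore it on exit (the ettercap manual warns about exactly this on gateways); with forwarding off, the gateway itself still reaches both sides but nothing crosses from sis0 to rl0, whatever ipf and ipnat say. The second check reads the posted ipnat.rules (copied into the script as a string) and tests which LAN hosts a map rule covers: the source block is 192.168.0.0/29, so only 192.168.0.0 through 192.168.0.7 are translated, although sis0 carries a /24. The hosts 192.168.0.2 and 192.168.0.10 in the script are assumed for illustration; the live commands run only when the script is executed on FreeBSD, and the helper functions are pure and side-effect free.

```shell
#!/bin/sh
# Added example: checks for a FreeBSD ipf/ipnat gateway that "stopped
# forwarding". Not from the original post.

# forwarding_enabled LINE: succeed if LINE (one line of
# `sysctl net.inet.ip.forwarding` output) says forwarding is on.
forwarding_enabled() {
    case "$1" in
        "net.inet.ip.forwarding: 1") return 0 ;;
        *) return 1 ;;
    esac
}

# ip_to_int A.B.C.D: print the address as an unsigned 32-bit integer.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_cidr ADDR NET/BITS: succeed if ADDR lies inside NET/BITS.
in_cidr() {
    case "$2" in */*) ;; *) set -- "$1" "$2/32" ;; esac   # bare host = /32
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shift left then mask back to 32 bits.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The ipnat.rules attached to the post, copied verbatim. Commented-out
# lines are kept so the parser is seen to skip them.
IPNAT_RULES='#rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
#rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
#map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32'

# nat_covers HOST: succeed if some active "map" rule's source block
# contains HOST, i.e. the host gets translated on the way out of rl0.
nat_covers() {
    printf '%s\n' "$IPNAT_RULES" |
    while read -r kw iface src rest; do
        [ "$kw" = map ] && in_cidr "$1" "$src" && echo "$src"
    done | grep -q .
}

# diagnose: the live checks, in the order a gateway should get them.
diagnose() {
    if forwarding_enabled "$(sysctl net.inet.ip.forwarding)"; then
        echo "kernel forwarding: on"
    else
        echo "kernel forwarding: OFF - nothing crosses sis0 -> rl0 until this is 1"
        echo "  now:  sysctl net.inet.ip.forwarding=1"
        echo "  boot: gateway_enable=\"YES\" in /etc/rc.conf"
    fi
    echo "--- rules the kernel has loaded (may differ from the files on disk)"
    ipfstat -io
    ipnat -l
    # Assumed LAN hosts, for illustration only.
    for host in 192.168.0.2 192.168.0.10; do
        if nat_covers "$host"; then
            echo "$host: translated by a map rule"
        else
            echo "$host: matches no map source block; leaves rl0 with its private address"
        fi
    done
}

# Only run the live checks on the FreeBSD gateway itself.
if [ "$(uname -s)" = FreeBSD ]; then
    diagnose
fi
```

Run it on the router as root. If the first line reports forwarding OFF, `sysctl net.inet.ip.forwarding=1` restores traffic immediately and `gateway_enable="YES"` in /etc/rc.conf keeps it set across reboots; reloading ipf and ipnat, as the post tried, never touches this sysctl. A second thing the script makes visible: the ipf rules that pass inbound traffic to 192.168.0.2 ports 9541 and 9542 can only match after an rdr has rewritten the destination (ipnat runs before ipf on inbound packets), and both rdr lines in the posted ipnat.rules are commented out, so those packets fall through to "block in quick on rl0".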