From owner-freebsd-questions Tue Feb  2 15:51:14 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA29007 for freebsd-questions-outgoing; Tue, 2 Feb 1999 15:51:14 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from java.dpcsys.com (java.dpcsys.com [206.16.184.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA29000 for ; Tue, 2 Feb 1999 15:51:09 -0800 (PST) (envelope-from dan@dpcsys.com)
Received: from localhost (dan@localhost) by java.dpcsys.com (8.9.1a/8.9.1) with SMTP id PAA24887; Tue, 2 Feb 1999 15:51:19 -0800 (PST)
Date: Tue, 2 Feb 1999 15:51:19 -0800 (PST)
From: Dan Busarow
To: John Lind
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Fwd: Re: ipfw question
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 1 Feb 1999, John Lind wrote:

> Dan Busarow writes:
> > On Fri, 29 Jan 1999, John Lind wrote:
> > > We have two subnets routed to a Cisco 675 (aDSL). The 675 is
> > > 137.192.130.30. The FreeBSD box is 137.192.130.29 on that net,
> > > and the other NIC is 137.192.130.22 on the internal or "protected"
> > > net. The netmask on both nets is 255.255.255.248.
> > >
> > > The system we are most trying to protect on the internal net is a
> > > UnixWare system (good grief, I hope that they aren't doing something
> > > weird with TCP that's causing all this!), which is at IP 137.192.130.20.
> > > When I use the "open" ruleset, I have full access to that system
> > > (and so does everyone else). Just for reference, that's
> > >
> > > 00100 allow ip from any to any via lo0
> > > 00200 deny ip from any to 127.0.0.0/8
> > > 65000 allow ip from any to any
> > > 65535 deny ip from any to any
> > >
> > > Since I have full access from anywhere on the Internet to the internal
> > > systems with this ruleset, I know that IP forwarding is working.
> > >
> > > When I try to do any filtering at all, I lose all access to the UnixWare
> > > system. The ultimate goal is to have Web access to that system, but
> > > to restrict access for everything else to a few selected IP's. The
> > > following ruleset isn't nearly that complicated -- I've stripped it
> > > 'way down -- my understanding is that this SHOULD allow Web access
> > > to this system, and nothing else, but instead, I get nothing at all.
> > > I have a test script that installs this, and then if I don't break out
> > > of it, it installs the "open" set again, and as soon as "open" gets
> > > reinstalled, the web accesses that were hanging all proceed.
> > >
> > > 00100 allow ip from any to any via lo0
> > > 00200 deny ip from any to 127.0.0.0/8
> > > 01000 allow tcp from any to any established
> > > 01200 allow tcp from any to 137.192.130.20 80 setup
> > > 01300 allow tcp from 137.192.130.16/29 to any setup
> >
> > Try changing the /29 to /28
> > You aren't letting setup out via 137.192.130.29 and so he can't forward
> > the packets.
>
> OK -- I have to retract part of what I said, but the overall sense of
> things is the same. The reason I couldn't get into the system was
> not changing the subnet mask to /28 PER SE, but rather that I fat-fingered
> and got a syntax error in rc.firewall in the process.
>
> The essential facts remain the same, however, which is that neither
> changing the subnet mask to /28 nor putting in a specific rule to
> pass all setup from 137.192.130.29 made any difference at all.
>
> Help???

Try this.  Reboot the system to clear any ipfw counters.  Try making
the outbound connection and then run

# ipfw show

That should show you which rule is causing the problem.  Send the
output of ipfw show and netstat -rn

Dan
-- 
Dan Busarow                        949 443 4172
Dana Point Communications, Inc.    dan@dpcsys.com
Dana Point, California             83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82
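The following is an added example and is not part of the thread above nor FreeBSD's own ipfw code. It is a small Python model of the way ipfw walks a ruleset (first matching rule wins, and that rule's packet/byte counters are incremented), loaded with the stripped-down ruleset John posted plus the implicit 65535 default deny. It shows, for a few constructed packets, which rule each one hits and what the per-rule counters that `ipfw show` prints would look like, and it also makes Dan's /29 versus /28 point concrete: 137.192.130.29 lies outside 137.192.130.16/29 but inside 137.192.130.16/28. The outside client address 198.51.100.7, the interface name `ed0`, the ephemeral port 40000 and the packet length are all assumptions made up for the example, and only the keywords this ruleset uses (proto, CIDR, destination port, `via`, `setup`, `established`) are modelled.

```python
"""Toy first-match simulator for the ipfw ruleset quoted in the thread.

Added example, not FreeBSD's ipfw: it models only the matching keywords the
ruleset uses so you can see which rule a packet hits and what the counters
that `ipfw show` prints would reveal.  All traffic below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    iface: str = "ed0"         # constructed interface name, used only by "via" rules
    length: int = 60           # constructed size, feeds the byte counter


@dataclass
class Rule:
    number: int
    action: str                # "allow" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or a CIDR / single address
    dst: str
    dport: Optional[int] = None
    flag: Optional[str] = None  # "setup" (SYN without ACK) or "established" (ACK set)
    via: Optional[str] = None
    pkts: int = 0
    bytes: int = 0

    def text(self) -> str:
        s = f"{self.action} {self.proto} from {self.src} to {self.dst}"
        if self.dport is not None:
            s += f" {self.dport}"
        if self.flag:
            s += f" {self.flag}"
        if self.via:
            s += f" via {self.via}"
        return s


def in_net(addr: str, spec: str) -> bool:
    """CIDR membership; "any" matches everything, a bare address is a /32."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.via is not None and pkt.iface != rule.via:
        return False
    if rule.flag == "setup" and not (pkt.syn and not pkt.ack):
        return False
    if rule.flag == "established" and not pkt.ack:
        return False
    return True


def evaluate(rules, pkt: Packet) -> Rule:
    """First match wins, as in ipfw; the matching rule's counters are bumped."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            rule.pkts += 1
            rule.bytes += pkt.length
            return rule
    raise RuntimeError("ruleset must end in a catch-all rule")


def ipfw_show(rules):
    """Render counters in the shape of `ipfw show`: number, packets, bytes, rule text."""
    return [f"{r.number:05d} {r.pkts:5d} {r.bytes:7d} {r.text()}"
            for r in sorted(rules, key=lambda r: r.number)]


def ruleset(internal_net: str):
    """The stripped-down ruleset from the post; internal_net is the /29 or /28 under discussion."""
    return [
        Rule(100, "allow", "ip", "any", "any", via="lo0"),
        Rule(200, "deny", "ip", "any", "127.0.0.0/8"),
        Rule(1000, "allow", "tcp", "any", "any", flag="established"),
        Rule(1200, "allow", "tcp", "any", "137.192.130.20", dport=80, flag="setup"),
        Rule(1300, "allow", "tcp", internal_net, "any", flag="setup"),
        Rule(65535, "deny", "ip", "any", "any"),   # ipfw's implicit default rule
    ]


# Constructed sample traffic; 198.51.100.7 is a documentation address standing in for an outside client.
CLIENT, WEB, FIREWALL_OUTSIDE = "198.51.100.7", "137.192.130.20", "137.192.130.29"
SAMPLE = {
    "syn_to_web":   Packet("tcp", CLIENT, WEB, 80, syn=True),               # inbound web connect
    "synack_reply": Packet("tcp", WEB, CLIENT, 40000, syn=True, ack=True),  # server's reply (ACK set)
    "syn_to_ssh":   Packet("tcp", CLIENT, WEB, 22, syn=True),               # anything else inbound
    "fw_outbound":  Packet("tcp", FIREWALL_OUTSIDE, CLIENT, 25, syn=True),  # firewall's own outbound connect
}


def trace(internal_net: str):
    """Run the sample traffic through the ruleset; return ({name: matching rule number}, rules)."""
    rules = ruleset(internal_net)
    hits = {name: evaluate(rules, pkt).number for name, pkt in SAMPLE.items()}
    return hits, rules


if __name__ == "__main__":
    for net in ("137.192.130.16/29", "137.192.130.16/28"):
        hits, rules = trace(net)
        print(f"== internal net {net}: {hits}")
        print("\n".join(ipfw_show(rules)))
```

Reading the simulated `ipfw show` output is the diagnostic Dan describes: after clearing the counters and making one connection attempt, the rule whose packet count moved is the one that decided the packet's fate, and a growing count on 65535 with nothing on 01300 is the signature of a source address that the `setup` rule's CIDR does not cover. On a real FreeBSD box, `ipfw zero` resets the counters without a reboot.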