From owner-freebsd-stable Fri Aug 17 22:25:20 2001
From: "diwelf" <diwelf@gmx.net>
To: freebsd-stable@freebsd.org
Cc: "ipfilter list"
Subject: IPFilter problem on current cvs
Date: Sat, 18 Aug 2001 01:22:28 -0400
Message-ID: <000d01c127a5$c674b930$0200000a@jargon>

Hello,

I'm running fbsd on my p133/32mb ram, 1.4gb hdd. I'm using it as a nat/ipf gateway for the rest of my network. My network is using 10.0.0.0/24. Now, my problem is that every once in a while my box stops forwarding packets out from the firewall. So far, the only solution I've found is to reboot the box, but this is in no way a viable long-term solution. I'm quite new to ipf/fbsd so I may be missing something minute somewhere.

I've forwarded this message to both the stable and ipf mailing lists just in case it's pertaining to freebsd or to ipf itself. I've included my sysctl.conf, kernel config file, rc.conf, ipf.rules, ipnat.rules for review.

Thanks in advance

        Matt Gibson

#uname -a
FreeBSD cr642371-a 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Tue Aug 14 21:03:52 EDT 2001     root@cr642371-a:/usr/src/sys/compile/LINGO  i386

-------------
He may look like an idiot and talk like an idiot but
don't let that fool you. He really is an idiot.   -Groucho Marx
-------------
diwelf
diwelf@NOSPAM.gmx.net
[Attachment: KERNEL]

#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.33 2001/07/30 17:31:40 wpaul Exp $

machine         i386
cpu             I586_CPU
ident           LINGO
maxusers        512

options         NMBCLUSTERS=65536

#makeoptions    DEBUG=-g                #Build kernel with gdb(1) debug symbols

options         MATH_EMULATE            #Support for x87 emulation
options         INET                    #InterNETworking
options         IPFILTER
options         IPFILTER_LOG
options         IPFILTER_DEFAULT_BLOCK
options         FFS                     #Berkeley Fast Filesystem
options         FFS_ROOT                #FFS usable as root device [keep this!]
options         SOFTUPDATES             #Enable FFS soft updates support
options         MFS                     #Memory Filesystem
options         MD_ROOT                 #MD is a potential root device
options         NFS                     #Network Filesystem
options         NFS_ROOT                #NFS usable as root device, NFS required
options         MSDOSFS                 #MSDOS Filesystem
options         CD9660                  #ISO 9660 Filesystem
options         CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options         PROCFS                  #Process filesystem
options         COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options         SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
options         UCONSOLE                #Allow users to grab the console
options         USERCONFIG              #boot -c editor
options         VISUAL_USERCONFIG       #visual boot -c editor
options         KTRACE                  #ktrace(1) support
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         P1003_1B                #Posix P1003_1B real-time extensions
options         _KPOSIX_PRIORITY_SCHEDULING
options         ICMP_BANDLIM            #Rate limit bad replies
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

device          isa
device          eisa
device          pci

# Floppy drives
device          fdc0    at isa? port IO_FD1 irq 6 drq 2
device          fd0     at fdc0 drive 0

# ATA and ATAPI devices
device          ata0    at isa? port IO_WD1 irq 14
device          ata1    at isa? port IO_WD2 irq 15
device          ata
device          atadisk                 # ATA disk drives
device          atapifd                 # ATAPI floppy drives
options         ATA_STATIC_ID           #Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc0 at isa? port IO_KBD
device          atkbd0  at atkbdc? irq 1 flags 0x1
device          psm0    at atkbdc? irq 12

device          vga0    at isa?

# splash screen/screen saver
pseudo-device   splash

# syscons is the default console driver, resembling an SCO console
device          sc0     at isa? flags 0x100
options         VESA

# Floating point support - do not disable.
device          npx0    at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
device          apm0    at nexus? disable flags 0x20 # Advanced Power Management

# Serial (COM) ports
device          sio0    at isa? port IO_COM1 flags 0x10 irq 4
device          sio1    at isa? port IO_COM2 irq 3
device          sio2    at isa? disable port IO_COM3 irq 5
device          sio3    at isa? disable port IO_COM4 irq 9

# Parallel port
device          ppc0    at isa? irq 7
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          ppi             # Parallel port interface device

# PCI Ethernet NICs.
device          miibus          # MII bus support
device          dc              # DEC/Intel 21143 and various workalikes
device          rl              # RealTek 8129/8139

pseudo-device   loop            #loop back
pseudo-device   ether           # Ethernet support
pseudo-device   tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
pseudo-device   md              # Memory "disks"

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf             #Berkeley packet filter

[Attachment: ipf.rules]

## ipf config file.
## created august 16, 2001
## (c) diwelf & ia
## do whatever the hell you want w/ this.
## diwelf@hotmail.com


## exterior interface rules
## dc0 = world nick


# blocking of the RFC network addresses
#
block in quick on dc0 from 192.168.0.0/16 to any
block in quick on dc0 from 172.16.0.0/12 to any
#
#log connection attempts to localnet
#
block in log quick on dc0 from 10.0.0.0/8 to any
block in quick on dc0 from 127.0.0.0/8 to any
block in quick on dc0 from 169.254.0.0/16 to any
block in quick on dc0 from 192.0.2.0/24 to any
block in quick on dc0 from 204.152.64.0/23 to any
block in quick on dc0 from 224.0.0.0/3 to any

# block internal network connectivity from the outside
#
#block in quick on dc0 from 10.0.0.0/8 to any


# block spoofing from localhost
#
block out quick on dc0 from any to 192.168.0.0/16
block out quick on dc0 from any to 172.16.0.0/12
block out quick on dc0 from any to 127.0.0.0/8
block out quick on dc0 from any to 169.254.0.0/16
block out quick on dc0 from any to 192.0.2.0/24
block out quick on dc0 from any to 204.152.64.0/23
block out quick on dc0 from any to 224.0.0.0/3


# log smurf attacks
#
block in log quick on dc0 from any to 10.0.0.0/32
block in log quick on dc0 from any to 10.0.0.255/32


# for loopback to work
#
pass out quick on lo0
pass in quick on lo0


# for ping and traceroute to work
#
pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 0
pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 11


# log other types of icmp attempts
#
block in log quick on dc0 proto icmp from any to any


# allow ssh from outside and inside
#
#pass in quick on dc0 proto tcp from any to any port = 22
pass in quick on rl0 proto tcp from 10.0.0.0/8 to any port = 22


# allow in irc servers from outside to connect to ident
pass in quick on dc0 proto tcp from any to any port = 113

# allow in web from internal net
#
#pass in quick on rl0 proto tcp from 10.0.0.0/8 to 10.0.0.1 port = 80


## outside interface
##


# allow out tcp/udp/icmp traffic and keep state
pass out quick on dc0 proto tcp from any to any keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state
block out quick on dc0 all

#allow bootp to MY dhcp server
pass in quick on dc0 proto udp from 24.2.9.105/32 to any port = 68 keep state

#block and log all remaining traffic coming into the firewall
block return-rst in log quick on dc0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on dc0 proto udp from any to any
block in log quick on dc0 all

#inside interface
#allow out all tcp/udp/icmp and keep state
pass out quick on rl0 proto tcp from any to any keep state
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp from any to any keep state
block out quick on rl0 all

#allow in tcp/udp/icmp traffic and keep state
pass in quick on rl0 proto tcp from any to any keep state
pass in quick on rl0 proto udp from any to any keep state
pass in quick on rl0 proto icmp from any to any keep state
block in quick on rl0 all

[Attachment: ipnat.rules]

#for nat to work
#map dc0 10.0.0.0/8 -> 0/32
#rdr dc0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp


# new test

# port map
#map dc0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025><65000
# handle icmp, etc
map dc0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000
map dc0 10.0.0.0/24 -> 0/32
# make ipnat act as an ftp gateway (transparent)
#map dc0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp

[Attachment: rc.conf]

# -- sysinstall generated deltas -- #
# Created: Wed Aug 1 18:46:04 2001
# Enable network daemons for user convenience.
# This file now contains just the overrides from /etc/defaults/rc.conf
# please make all changes to this file.
amd_flags="-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"
check_quotas="NO"
font8x14="NO"
font8x16="swiss-8x16"
font8x8="/usr/share/syscons/fonts/swiss-8x8"
allscreens_flags="-r green black VGA_80x30"
gateway_enable="YES"
hostname="cr642371-a"
network_interfaces="auto"
ifconfig_lo0="inet 127.0.0.1"
ifconfig_dc0="DHCP"
ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0"
ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
keyrate="fast"
nfs_client_enable="NO"
pccard_ifconfig="NO"
portmap_enable="NO"
sendmail_enable="NO"
ntpdate_enable="NO"
sshd_enable="YES"

syslogd_flags="-ss"
sshd_flags="-4"

update_motd="NO"


#nfs_client_enable="YES"
#nfs_client_flgs="-n 4"


moused_port="/dev/cuaa0"
moused_type="logitech"
moused_enable="YES"
# -- sysinstall generated deltas -- #
saver="star"
blanktime="240"

[Attachment: sysctl.conf]

vfs.vmiodirenable=1
kern.ipc.somaxconn=4096
kern.maxfiles=65536
net.inet.tcp.log_in_vain=1
#net.inet.udp.log_in_vain=1

net.inet.tcp.sendspace=32768
net.inet.tcp.recvspace=32768
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.inet.ip.redirect=0
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
net.link.ether.inet.max_age=1200
net.inet.icmp.bmcastecho=0

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
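Added example (not part of the post and not IPFilter's own code): a small Python evaluator for ipf's rule-order semantics, run over a constructed subset of the dc0 rules from the ipf.rules attachment above, so the decision and log flag for a given packet can be checked offline before the rules are loaded. It assumes the posted kernel's IPFILTER_DEFAULT_BLOCK for the no-match case, does not model ipnat (which IPFilter applies to inbound packets before the filter rules), and takes packets as constructed dictionaries.

```python
import ipaddress

# Constructed subset of the dc0 rules from the posted ipf.rules, in the same order.
RULES = """
block in log quick on dc0 from 10.0.0.0/8 to any
block in log quick on dc0 from any to 10.0.0.255/32
pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 0
block in log quick on dc0 proto icmp from any to any
pass in quick on dc0 proto tcp from any to any port = 113
block out quick on dc0 all
pass in quick on dc0 proto udp from 24.2.9.105/32 to any port = 68 keep state
block return-rst in log quick on dc0 proto tcp from any to any
block in log quick on dc0 all
""".strip().splitlines()

def parse_rule(line):
    """Parse the rule subset used above (not a full ipf grammar)."""
    t = line.split()
    r = {"action": t[0], "log": "log" in t, "quick": "quick" in t,
         "dir": "in" if "in" in t else "out", "iface": t[t.index("on") + 1],
         "proto": None, "src": "any", "dst": "any", "port": None, "icmp_type": None}
    if "proto" in t:
        r["proto"] = t[t.index("proto") + 1]
    if "from" in t:  # 'all' rules carry no from/to and match any address
        r["src"], r["dst"] = t[t.index("from") + 1], t[t.index("to") + 1]
    if "port" in t:  # only the 'port = N' form appears in the posted rules
        r["port"] = int(t[t.index("port") + 2])
    if "icmp-type" in t:
        r["icmp_type"] = int(t[t.index("icmp-type") + 1])
    return r

def in_net(addr, net):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def matches(r, p):
    return (r["dir"] == p["dir"] and r["iface"] == p["iface"]
            and (r["proto"] is None or r["proto"] == p["proto"])
            and in_net(p["src"], r["src"]) and in_net(p["dst"], r["dst"])
            and (r["port"] is None or r["port"] == p.get("dport"))
            and (r["icmp_type"] is None or r["icmp_type"] == p.get("icmp_type")))

def decide(rules, p):
    """(action, logged): last match wins unless a matching rule is 'quick';
    the posted kernel's IPFILTER_DEFAULT_BLOCK makes the no-match default 'block'."""
    result = ("block", False)
    for r in map(parse_rule, rules):
        if matches(r, p):
            result = (r["action"], r["log"])
            if r["quick"]: break
    return result
```

A packet is a dict with dir, iface, proto, src, dst and optionally dport or icmp_type; for example, an inbound ICMP echo request on dc0 for an inside host falls through the icmp-type 0 rule and hits the logged "block in log quick on dc0 proto icmp" rule.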