Date:      Sat, 18 Aug 2001 01:22:28 -0400
From:      "diwelf" <diwelf@gmx.net>
To:        <freebsd-stable@freebsd.org>
Cc:        "ipfilter list" <ipfilter@cairo.anu.edu.au>
Subject:   IPFilter problem on current cvs
Message-ID:  <000d01c127a5$c674b930$0200000a@jargon>

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01C12784.3F08EB40
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_000A_01C12784.3F08EB40"


------=_NextPart_001_000A_01C12784.3F08EB40
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello,
    I'm running fbsd on my p133/32mb ram, 1.4gb hdd. I'm using it as a =
nat/ipf gateway for the rest of my network. My network is using =
10.0.0.0/24. Now, my problem is that every once in a while my box stops =
forwarding packets out from the firewall. So far, the only solution i've =
found is to reboot the box, but this is in no way a viable long term =
solution. I'm quite new to ipf/fbsd so i may be missing something minute =
somewhere. I've forwarded this message to both the stable and ipf =
mailing lists just in case it pertains to freebsd or to ipf itself. =
I've included my sysctl.conf, kernel config file, rc.conf, ipf.rules, =
ipnat.rules for review. Thanks in advance

        Matt Gibson
=20
#uname -a=20
FreeBSD cr642371-a 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Tue Aug 14 =
21:03:52 EDT 2001 root@cr642371-a:/usr/src/sys/compile/LINGO i386




-------------
He may look like an idiot and talk like an idiot but=20
don't let that fool you. He really is an idiot.   -Groucho Marx
-------------
diwelf
diwelf@NOSPAM.gmx.net

------=_NextPart_001_000A_01C12784.3F08EB40
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4807.2300" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; I'm running fbsd on =
my p133/32mb=20
ram, 1.4gb hdd. I'm using it as a nat/ipf gateway for the rest of my =
network. My=20
network is using 10.0.0.0/24. Now, my problem is that every once in a =
while my=20
box stops forwarding packets out from the firewall. So far, the only =
solution=20
i've found is to reboot the box, but this is in no way a viable long =
term=20
solution. I'm quite new to ipf/fbsd so i may be missing something minute =

somewhere. I've forwarded this message to both the stable and ipf =
mailing lists=20
just in case it pertains to freebsd&nbsp;or to ipf itself. I've =
included my=20
sysctl.conf, kernel config file, rc.conf, ipf.rules, ipnat.rules for =
review.=20
Thanks in advance</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial =
size=3D2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Matt=20
Gibson</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;</FONT></DIV>
<DIV><FONT size=3D2><FONT face=3DArial>#uname -a </FONT></DIV>
<DIV>
<P>FreeBSD cr642371-a 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #0: Tue Aug =
14=20
21:03:52 EDT 2001 <A=20
href=3D"mailto:root@cr642371-a:/usr/src/sys/compile/LINGO">root@cr642371-=
a:/usr/src/sys/compile/LINGO</A>=20
i386</P></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>-------------<BR>He may look like an =
idiot and talk=20
like an idiot but <BR>don't let that fool you. He really is an=20
idiot.&nbsp;&nbsp; -Groucho Marx<BR>-------------<BR>diwelf<BR><A=20
href=3D"mailto:diwelf@NOSPAM.gmx.net">diwelf@NOSPAM.gmx.net</A></FONT></D=
IV></BODY></HTML>

------=_NextPart_001_000A_01C12784.3F08EB40--

------=_NextPart_000_0009_01C12784.3F08EB40
Content-Type: application/octet-stream;
	name="KERNEL"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="KERNEL"

#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.33 2001/07/30 17:31:40 =
wpaul Exp $
#
# Kernel config for the NAT/ipf gateway described in the cover mail
# (dc0 outside, rl0 inside).

machine		i386
cpu			I586_CPU
ident			LINGO	=09
maxusers		512
options		NMBCLUSTERS=3D65536
# NOTE(review): maxusers 512 and NMBCLUSTERS of 65536 are server-class
# values; the cover mail says this is a 32 MB P133, so confirm with
# netstat -m that mbuf clusters are not the resource running out when
# the box stops forwarding.



#makeoptions	DEBUG=3D-g		#Build kernel with gdb(1) debug symbols

options 		MATH_EMULATE		#Support for x87 emulation
options 		INET			#InterNETworking
# IPFilter in the kernel. IPFILTER_LOG enables the "log" keyword used by
# ipf.rules and read by ipmon; IPFILTER_DEFAULT_BLOCK drops packets that
# match no rule at all (default deny) instead of passing them.
options		IPFILTER
options		IPFILTER_LOG
options		IPFILTER_DEFAULT_BLOCK
options 		FFS			#Berkeley Fast Filesystem
options 		FFS_ROOT		#FFS usable as root device [keep this!]
options 		SOFTUPDATES		#Enable FFS soft updates support
options 		MFS			#Memory Filesystem
options 		MD_ROOT			#MD is a potential root device
options 		NFS			#Network Filesystem
options 		NFS_ROOT		#NFS usable as root device, NFS required
options 		MSDOSFS			#MSDOS Filesystem
options 		CD9660			#ISO 9660 Filesystem
options 		CD9660_ROOT		#CD-ROM usable as root, CD9660 required
options 		PROCFS			#Process filesystem
options 		COMPAT_43		#Compatible with BSD 4.3 [KEEP THIS!]
options 		SCSI_DELAY=3D15000	#Delay (in ms) before probing SCSI
# NOTE(review): UCONSOLE lets unprivileged users redirect console output;
# it is not something a firewall needs.
options 		UCONSOLE		#Allow users to grab the console
options 		USERCONFIG		#boot -c editor
options 		VISUAL_USERCONFIG	#visual boot -c editor
options 		KTRACE			#ktrace(1) support
options 		SYSVSHM			#SYSV-style shared memory
options 		SYSVMSG			#SYSV-style message queues
options 		SYSVSEM			#SYSV-style semaphores
options 		P1003_1B		#Posix P1003_1B real-time extensions
options 		_KPOSIX_PRIORITY_SCHEDULING
options		ICMP_BANDLIM		#Rate limit bad replies
options 		KBD_INSTALL_CDEV	# install a CDEV entry in /dev


device		isa
device		eisa
device		pci

# Floppy drives
device		fdc0	at isa? port IO_FD1 irq 6 drq 2
device		fd0	at fdc0 drive 0

# ATA and ATAPI devices
device		ata0	at isa? port IO_WD1 irq 14
device		ata1	at isa? port IO_WD2 irq 15
device		ata
device		atadisk			# ATA disk drives
device		atapifd			# ATAPI floppy drives
options 		ATA_STATIC_ID		#Static device numbering


# atkbdc0 controls both the keyboard and the PS/2 mouse
device		atkbdc0	at isa? port IO_KBD
device		atkbd0	at atkbdc? irq 1 flags 0x1
device		psm0	at atkbdc? irq 12


device		vga0	at isa?
# splash screen/screen saver
pseudo-device	splash

# syscons is the default console driver, resembling an SCO console
device		sc0	at isa? flags 0x100

options		VESA

# Floating point support - do not disable.
device		npx0	at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
device		apm0    at nexus? disable flags 0x20 # Advanced Power Management


# Serial (COM) ports
device		sio0	at isa? port IO_COM1 flags 0x10 irq 4
device		sio1	at isa? port IO_COM2 irq 3
device		sio2	at isa? disable port IO_COM3 irq 5
device		sio3	at isa? disable port IO_COM4 irq 9

# Parallel port
device		ppc0	at isa? irq 7
device		ppbus		# Parallel port bus (required)
device		lpt		# Printer
device		ppi		# Parallel port interface device


# PCI Ethernet NICs.
# dc0 is the outside (DHCP) interface and rl0 the inside 10.0.0.1 one,
# per rc.conf.
device		miibus		# MII bus support
device		dc		# DEC/Intel 21143 and various workalikes
device		rl		# RealTek 8129/8139

pseudo-device	loop		#loop back
pseudo-device	ether		# Ethernet support
pseudo-device	tun		# Packet tunnel.
pseudo-device	pty		# Pseudo-ttys (telnet etc)
pseudo-device	md		# Memory "disks"

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# dhclient (ifconfig_dc0 is DHCP in rc.conf) and tcpdump need this.
pseudo-device	bpf		#Berkeley packet filter



------=_NextPart_000_0009_01C12784.3F08EB40
Content-Type: application/octet-stream;
	name="ipf.rules"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="ipf.rules"

## ipf config file. =0A=
## created august 16, 2001=0A=
## (c) diwelf & ia=0A=
## do whatever the hell you want w/ this.=0A=
## diwelf@hotmail.com =0A=
## NOTE(review): rules are evaluated top-down and "quick" stops at the=0A=
## first match, so the outcome for any packet is the earliest matching=0A=
## rule below; "keep state" lets replies back in without an explicit=0A=
## "pass in" rule.=0A=
=0A=
=0A=
## exterior interface rules=0A=
## dc0 =3D world nick=0A=
=0A=
=0A=
# blocking of the RFC network addresses=0A=
#=0A=
# drop inbound packets on the outside interface with a private,=0A=
# loopback, link-local, test-net or multicast/reserved source=0A=
block in quick on dc0 from 192.168.0.0/16 to any=0A=
block in quick on dc0 from 172.16.0.0/12 to any=0A=
#=0A=
#log connection attempts to localnet=0A=
#=0A=
# a 10/8 source arriving on the outside is logged as well as dropped=0A=
block in log quick on dc0 from 10.0.0.0/8 to any=0A=
block in quick on dc0 from 127.0.0.0/8 to any=0A=
block in quick on dc0 from 169.254.0.0/16 to any=0A=
block in quick on dc0 from 192.0.2.0/24 to any=0A=
block in quick on dc0 from 204.152.64.0/23 to any=0A=
# 224.0.0.0/3 spans 224.0.0.0-255.255.255.255 (multicast, class E=0A=
# and the limited-broadcast address)=0A=
block in quick on dc0 from 224.0.0.0/3 to any=0A=
=0A=
# block internal network connectivity from the outside=0A=
#=0A=
#block in quick on dc0 from 10.0.0.0/8 to any =0A=
=0A=
=0A=
# block spoofing from localhost=0A=
#=0A=
# mirror of the list above for packets leaving dc0=0A=
block out quick on dc0 from any to 192.168.0.0/16 =0A=
block out quick on dc0 from any to 172.16.0.0/12=0A=
block out quick on dc0 from any to 127.0.0.0/8=0A=
block out quick on dc0 from any to 169.254.0.0/16 =0A=
block out quick on dc0 from any to 192.0.2.0/24=0A=
block out quick on dc0 from any to 204.152.64.0/23=0A=
# NOTE(review): 224.0.0.0/3 includes 255.255.255.255, so anything sent=0A=
# through the IP stack to the limited-broadcast address on dc0 (e.g.=0A=
# a DHCP DISCOVER/REQUEST, if dhclient does not bypass ipf via bpf)=0A=
# is dropped here; confirm DHCP renewals on dc0 still succeed.=0A=
block out quick on dc0 from any to 224.0.0.0/3=0A=
=0A=
=0A=
# log smurf attacks=0A=
#=0A=
# NOTE(review): these cover the network/broadcast of 10.0.0.0/24 only;=0A=
# rc.conf sets rl0 to a 255.0.0.0 mask (broadcast 10.255.255.255).=0A=
block in log quick on dc0 from any to 10.0.0.0/32 =0A=
block in log quick on dc0 from any to 10.0.0.255/32=0A=
=0A=
=0A=
# for loopback to work=0A=
#=0A=
pass out quick on lo0 =0A=
pass in quick on lo0=0A=
=0A=
=0A=
# for ping and traceroute to work=0A=
#=0A=
# icmp-type 0 is echo reply, 11 is time exceeded (traceroute hops);=0A=
# inbound NAT is undone before the filter runs, hence the 10/8 dst=0A=
pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 0=0A=
pass in quick on dc0 proto icmp from any to 10.0.0.0/8 icmp-type 11=0A=
=0A=
=0A=
# log other types of icmp attempts=0A=
#=0A=
# NOTE(review): this also drops ICMP type 3 (unreachable), including=0A=
# code 4 "fragmentation needed", unless the error is first matched to=0A=
# an existing state entry; broken path-MTU discovery shows up as=0A=
# transfers that hang, so check the ipmon log for blocked type 3.=0A=
block in log quick on dc0 proto icmp from any to any=0A=
=0A=
=0A=
# allow ssh from outside and inside =0A=
# =0A=
# redundant with the stateful "pass in ... on rl0" rules below=0A=
# (harmless, but a second place to maintain)=0A=
#pass in quick on dc0 proto tcp from any to any port =3D 22=0A=
pass in quick on rl0 proto tcp from 10.0.0.0/8 to any port =3D 22=0A=
=0A=
=0A=
# allow in irc servers from outside to connect to ident=0A=
# stateless: the replies go out via the stateful dc0 tcp rule below.=0A=
# NOTE(review): exposes whatever answers tcp/113 (inetd is enabled in=0A=
# rc.conf); keep that inetd service list to what is needed.=0A=
pass in quick on dc0 proto tcp from any to any port =3D 113=0A=
=0A=
# allow in web from internal net=0A=
#=0A=
#pass in quick on rl0 proto tcp from 10.0.0.0/8 to 10.0.0.1 port =3D 80=0A=
=0A=
=0A=
## outside interface=0A=
##=0A=
=0A=
=0A=
# allow out tcp/udp/icmp traffic and keep state=0A=
# state entries created here admit the replies on dc0 ahead of the=0A=
# "block in" rules at the end of the dc0 section=0A=
pass out quick on dc0 proto tcp from any to any keep state=0A=
pass out quick on dc0 proto udp from any to any keep state=0A=
pass out quick on dc0 proto icmp from any to any keep state=0A=
block out quick on dc0 all=0A=
=0A=
#allow bootp to MY dhcp server=0A=
# port 68 is the DHCP client port.=0A=
# NOTE(review): only one server (/32) is allowed; a renewal answered=0A=
# from a different server or relay would fall through to the block=0A=
# rules below and the lease would eventually lapse - worth checking.=0A=
pass in quick on dc0 proto udp from 24.2.9.105/32 to any port =3D 68 =
keep state=0A=
=0A=
#block and log all remaining traffic coming into the firewall=0A=
# return-rst / return-icmp-as-dest answer with a TCP RST or an ICMP=0A=
# port-unreachable, as if from the destination, rather than dropping=0A=
block return-rst in log quick on dc0 proto tcp from any to any=0A=
block return-icmp-as-dest(port-unr) in log quick on dc0 proto udp from =
any to any=0A=
block in log quick on dc0 all=0A=
=0A=
#inside interface=0A=
#allow out all tcp/udp/icmp and keep state=0A=
pass out quick on rl0 proto tcp from any to any keep state=0A=
pass out quick on rl0 proto udp from any to any keep state=0A=
pass out quick on rl0 proto icmp from any to any keep state=0A=
block out quick on rl0 all=0A=
=0A=
#allow in tcp/udp/icmp traffic and keep state=0A=
# NOTE(review): "from any" on rl0 accepts any source address from the=0A=
# LAN; restricting it to 10.0.0.0/8 would stop spoofed sources from=0A=
# inside being forwarded and NATted.=0A=
pass in quick on rl0 proto tcp from any to any keep state=0A=
pass in quick on rl0 proto udp from any to any keep state=0A=
pass in quick on rl0 proto icmp from any to any keep state=0A=
block in quick on rl0 all=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=
=0A=

------=_NextPart_000_0009_01C12784.3F08EB40
Content-Type: application/octet-stream;
	name="ipnat.rules"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="ipnat.rules"

#for nat to work=0A=
#map dc0 10.0.0.0/8 -> 0/32=0A=
#rdr dc0 10.0.0.0/8 port 6667 -> 127.0.0.1 port 7666 tcp=0A=
=0A=
=0A=
=0A=
=0A=
# new test=0A=
=0A=
# port map=0A=
#map dc0 10.0.0.0/8 -> 0/32 portmap tcp/udp 1025><65000=0A=
# handle icmp, etc=0A=
# 0/32 means "use dc0's current address", which is what a DHCP-assigned=0A=
# outside address needs; tcp/udp source ports are rewritten into=0A=
# 40000-60000=0A=
map dc0 10.0.0.0/24 -> 0/32 portmap tcp/udp 40000:60000=0A=
# catch-all for protocols without ports (icmp)=0A=
map dc0 10.0.0.0/24 -> 0/32 =0A=
# NOTE(review): only 10.0.0.0/24 is translated, while rc.conf gives rl0=0A=
# a 255.0.0.0 mask and ipf.rules passes 10.0.0.0/8 in on rl0; pick one=0A=
# prefix, or hosts outside the /24 could leave dc0 untranslated.=0A=
# make ipnat act as an ftp gateway (transparent)=0A=
#map dc0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp =0A=
=0A=
=0A=

------=_NextPart_000_0009_01C12784.3F08EB40
Content-Type: application/octet-stream;
	name="rc.conf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="rc.conf"

=0A=
# -- sysinstall generated deltas -- #=0A=
# Created: Wed Aug  1 18:46:04 2001=0A=
# Enable network daemons for user convenience.=0A=
# This file now contains just the overrides from /etc/defaults/rc.conf=0A=
# please make all changes to this file.=0A=
amd_flags=3D"-a /.amd_mnt -l syslog /host /etc/amd.map /net /etc/amd.map"=0A=
check_quotas=3D"NO"=0A=
font8x14=3D"NO"=0A=
font8x16=3D"swiss-8x16"=0A=
font8x8=3D"/usr/share/syscons/fonts/swiss-8x8"=0A=
allscreens_flags=3D"-r green black VGA_80x30"=0A=
# turns on IP forwarding between dc0 and rl0=0A=
gateway_enable=3D"YES"=0A=
hostname=3D"cr642371-a"=0A=
network_interfaces=3D"auto"=0A=
ifconfig_lo0=3D"inet 127.0.0.1"=0A=
# outside interface gets its address by DHCP; the 0/32 in ipnat.rules=0A=
# and the DHCP-server rule in ipf.rules depend on this=0A=
ifconfig_dc0=3D"DHCP"=0A=
# NOTE(review): 255.0.0.0 is a /8, while the cover mail, ipnat.rules=0A=
# and the smurf rules in ipf.rules assume 10.0.0.0/24; choose one.=0A=
ifconfig_rl0=3D"inet 10.0.0.1  netmask 255.0.0.0"=0A=
ipfilter_enable=3D"YES"=0A=
ipmon_enable=3D"YES"=0A=
# ipmon: -D daemonize, -s log via syslog, -v verbose, -n resolve host=0A=
# and service names for every logged packet. NOTE(review): that lookup=0A=
# goes out through this same firewall; drop -n if logging stalls.=0A=
ipmon_flags=3D"-Dsvn"=0A=
ipnat_enable=3D"YES"=0A=
# NOTE(review): ipf.rules passes tcp/113 from anywhere on dc0, so=0A=
# inetd.conf should only list services meant to be reachable.=0A=
inetd_enable=3D"YES"=0A=
kern_securelevel_enable=3D"NO"=0A=
keyrate=3D"fast"=0A=
nfs_client_enable=3D"NO"=0A=
pccard_ifconfig=3D"NO"=0A=
portmap_enable=3D"NO"=0A=
sendmail_enable=3D"NO"=0A=
ntpdate_enable=3D"NO"=0A=
sshd_enable=3D"YES"=0A=
=0A=
# -ss: syslogd opens no UDP socket, so nothing remote can write to it=0A=
syslogd_flags=3D"-ss"=0A=
# IPv4 only=0A=
sshd_flags=3D"-4"=0A=
=0A=
update_motd=3D"NO"=0A=
=0A=
=0A=
#nfs_client_enable=3D"YES"=0A=
#nfs_client_flgs=3D"-n 4"=0A=
=0A=
=0A=
moused_port=3D"/dev/cuaa0"=0A=
moused_type=3D"logitech"=0A=
moused_enable=3D"YES"=0A=
# -- sysinstall generated deltas -- #=0A=
saver=3D"star"=0A=
blanktime=3D"240"=0A=

------=_NextPart_000_0009_01C12784.3F08EB40
Content-Type: application/octet-stream;
	name="sysctl.conf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="sysctl.conf"

# cache directory data through the VM page cache=0A=
vfs.vmiodirenable=3D1=0A=
# ceilings for the listen backlog and open files; sized for a busy=0A=
# server, unrelated to packet forwarding=0A=
kern.ipc.somaxconn=3D4096=0A=
kern.maxfiles=3D65536=0A=
# log connection attempts to ports with no listener=0A=
net.inet.tcp.log_in_vain=3D1=0A=
#net.inet.udp.log_in_vain=3D1=0A=
=0A=
net.inet.tcp.sendspace=3D32768=0A=
net.inet.tcp.recvspace=3D32768=0A=
# ignore ICMP redirects (and log them) and never send any: a router=0A=
# should not let neighbours rewrite its routes=0A=
net.inet.icmp.drop_redirect=3D1=0A=
net.inet.icmp.log_redirect=3D1=0A=
net.inet.ip.redirect=3D0=0A=
# neither forward nor accept source-routed packets=0A=
net.inet.ip.sourceroute=3D0=0A=
net.inet.ip.accept_sourceroute=3D0=0A=
# ARP entry lifetime in seconds (1200 appears to be the default)=0A=
net.link.ether.inet.max_age=3D1200=0A=
# do not answer echo requests sent to broadcast/multicast addresses,=0A=
# so the box cannot be used as a smurf amplifier=0A=
net.inet.icmp.bmcastecho=3D0=0A=
=0A=

------=_NextPart_000_0009_01C12784.3F08EB40--





