Date:      Tue, 29 Jul 2003 19:24:19 -0600
From:      "William Knechtel" <webmaster@endikos.com>
To:        freebsd-net@freebsd.org
Subject:   RE: Help with FreeBSD Bridged Firewall
Message-ID:  <000801c35639$4c761ec0$c5ccead8@ONESIMUS>
In-Reply-To: <000701c35635$66bdb530$c5ccead8@ONESIMUS>

Per a list member's request, I've attached dumps of the following commands:

arp -a
netstat -m
ipfw show
ifconfig
netstat -s
netstat -i

One caveat: I've hidden all IP addresses that could be used to divine my
netblock...  I guess I'm a little paranoid about people inspecting my
firewall configuration :-)  <MYHOST1> and <MYHOST2> are public (routable) IP
addresses of the two machines I have behind the firewall.

One additional note.  Since I first composed this message early this
afternoon, the responsiveness of the internal NIC on the firewall has
bounced up and down a bit.  Here's a bit of a log of its activity:

11:57 DOWN
12:06 UP (reboot)
12:26 DOWN
2:18 UP
3:14 DOWN
5:43 UP

The odd thing is that it's been operating fine for a few months now (it's
a fairly new installation), and the last change I made to the firewall's
config was well over a week ago.

I hope this helps figure out what's going on!!  Thanks in advance for your
help.

Kindest Regards,
Bill

> -----Original Message-----
> From: owner-freebsd-net@freebsd.org
> [mailto:owner-freebsd-net@freebsd.org]On Behalf Of William Knechtel
> Sent: Tuesday, July 29, 2003 6:56 PM
> To: freebsd-net@freebsd.org
> Subject: Help with FreeBSD Bridged Firewall
>
>
> Hello!
>
> Help!! I'm running a PC with dual NICs and FreeBSD 4.8 for a bridged
> firewall. I've got a private IP 10.0.0.1 tied to the internal card on the
> box for remote management. The firewall blocks any 10.x traffic coming in
> on the external card, so to remotely admin it, I have to shell into a
> machine on the same isolated network segment that it's on, and then shell
> over from that machine.
>
> Today around noon, the machine suddenly stopped responding to pings. I
> went down to the server room and couldn't find anything wrong.   No notes
> on the console screen, no anomalous entries in the security or message
> logs. So, in the interest of getting it back up quickly, I rebooted it.
> That worked. About an hour later, the same thing happened... my network
> monitor tells me that it's not responding to pings. So before I go down
> to the server room, I run a few tests... the firewall is still blocking
> packets like a champ.  I run nmap against a host the firewall protects,
> and everything comes back fine.  But when I go downstairs to the console,
> I can't ping out to its 10.0.0.2 buddy, and no incoming pings work
> either.  I'm at a loss on how to troubleshoot this, folks.  I could really
> use a few ideas, so please send them along!
>
> Thanks in Advance!
> Bill
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>

Attachment: dumps.txt

# arp -a
? (10.0.0.1) at 00:01:53:80:e2:40 on dc0 permanent [ethernet]
? (10.0.0.2) at 00:02:b3:a8:3d:2b on dc0 [ethernet]

# netstat -m
129/160/4992 mbufs in use (current/peak/max):
        129 mbufs allocated to data
128/136/1248 mbuf clusters in use (current/peak/max)
312 Kbytes allocated to network (8% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# ipfw show
00100     24      1824 allow udp from 132.239.1.6 123 to <MYHOST1> 123
00200     23      1748 allow udp from 128.194.254.9 123 to <MYHOST1> 123
00300     24      1824 allow udp from 192.43.244.18 123 to <MYHOST1> 123
00400     24      1824 allow udp from 128.138.140.44 123 to <MYHOST1> 123
00500      0         0 allow udp from 132.239.1.6 123 to <MYHOST2> 123
00600      0         0 allow udp from 128.194.254.9 123 to <MYHOST2> 123
00700      0         0 allow udp from 192.43.244.18 123 to <MYHOST2> 123
00800      0         0 allow udp from 128.138.140.44 123 to <MYHOST2> 123
00900      0         0 deny ip from 127.0.0.0/8 to any via vr0
01000   1316    132222 deny ip from 10.0.0.0/8 to any via vr0
01100    512     65098 deny ip from 192.168.0.0/16 to any via vr0
01200      0         0 deny ip from 172.16.0.0/16 to any via vr0
01300   6363   1136947 allow ip from 10.0.0.0/28 to any via dc0
01400   5952    374220 allow ip from any to any via lo*
01500 214096 106791094 allow ip from X.X.211.64/26 to any
01600    176     21124 allow ip from X.X.122.180 to any
01700    703     33825 allow icmp from any to any
01800    898    130784 allow ip from X.X.204.192/28 to any
01900      0         0 allow ip from X.X.211.68 to any
02000  51768   7784246 allow ip from any to X.X.255.255
02100      0         0 allow tcp from any to <MYHOST1> 53
02200      0         0 allow udp from any to <MYHOST1> 53
02300  11915   2725386 allow tcp from any to <MYHOST1> 80
02400      0         0 allow udp from any to <MYHOST1> 80
02500    659    444559 allow tcp from any to <MYHOST1> 25
02600      0         0 allow udp from any to <MYHOST1> 25
02700      0         0 allow tcp from any to <MYHOST1> 110
02800      0         0 allow udp from any to <MYHOST1> 110
02900      0         0 allow tcp from any to <MYHOST1> 143
03000      0         0 allow udp from any to <MYHOST1> 143
03100      0         0 deny tcp from any to <MYHOST1> 3306
03200      0         0 deny udp from any to <MYHOST1> 3306
03300      0         0 deny tcp from any to <MYHOST1> 6101
03400      0         0 deny tcp from any to <MYHOST1> 8192
03500      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 53
03600      0         0 allow udp from X.X.211.64/26 to <MYHOST2> 88
03700      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 135
03800      0         0 allow udp from X.X.211.64/26 to <MYHOST2> 137
03900      0         0 allow udp from X.X.211.64/26 to <MYHOST2> 138
04000      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 139
04100      0         0 allow udp from X.X.211.64/26 to <MYHOST2> 389
04200      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 445
04300      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 464
04400      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 636
04500      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 3268
04600      0         0 allow tcp from X.X.211.64/26 to <MYHOST2> 3269
04700    168     13430 allow tcp from X.X.33.84 to <MYHOST2> 389
04800      0         0 allow udp from X.X.33.84 to <MYHOST2> 389
04900      8       643 allow tcp from X.X.33.75 to <MYHOST2> 389
05000      0         0 allow udp from X.X.33.75 to <MYHOST2> 389
05100      0         0 allow ip from X.X.15.22 to <MYHOST2>
05200      0         0 allow ip from X.X.15.41 to <MYHOST2>
05300      0         0 allow ip from X.X.15.25 to <MYHOST2>
05400      0         0 allow tcp from X.X.15.15 to <MYHOST2> 53
05500      0         0 allow tcp from X.X.15.16 to <MYHOST2> 53
05600   7565    303432 deny tcp from any to X.X.211.64/26 setup
05700    227     18147 allow tcp from any to X.X.211.64/26 1024-65535
05800    364     89403 allow udp from any to X.X.211.64/26 1024-65535
05900  24660   2746580 deny log ip from any to any
65535     17       997 deny ip from any to any

# ifconfig
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        ether 00:01:53:80:e2:40
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:e0:4c:9c:83:1a
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500

# netstat -s
tcp:
        1632 packets sent
                482 data packets (396644 bytes)
                12 data packets (12480 bytes) retransmitted
                0 resends initiated by MTU discovery
                760 ack-only packets (3 delayed)
                0 URG only packets
                0 window probe packets
                0 window update packets
                378 control packets
        2001 packets received
                838 acks (for 396325 bytes)
                2 duplicate acks
                0 acks for unsent data
                824 packets (388527 bytes) received in-sequence
                0 completely duplicate packets (0 bytes)
                0 old duplicate packets
                0 packets with some dup. data (0 bytes duped)
                0 out-of-order packets (0 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                367 window update packets
                0 packets received after close
                0 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
        4 connection requests
        371 connection accepts
        0 bad connection attempts
        0 listen queue overflows
        373 connections established (including accepts)
        374 connections closed (including 2 drops)
                0 connections updated cached RTT on close
                0 connections updated cached RTT variance on close
                0 connections updated cached ssthresh on close
        2 embryonic connections dropped
        838 segments updated rtt (of 472 attempts)
        24 retransmit timeouts
                2 connections dropped by rexmit timeout
        0 persist timeouts
                0 connections dropped by persist timeout
        0 keepalive timeouts
                0 keepalive probes sent
                0 connections dropped by keepalive
        22 correct ACK header predictions
        412 correct data packet header predictions
        371 syncache entries added
                0 retransmitted
                0 dupsyn
                0 dropped
                371 completed
                0 bucket overflow
                0 cache overflow
                0 reset
                0 stale
                0 aborted
                0 badack
                0 unreach
                0 zone failures
        0 cookies sent
        0 cookies received
udp:
        1504 datagrams received
        0 with incomplete header
        0 with bad data length field
        0 with bad checksum
        0 with no checksum
        1502 dropped due to no socket
        2 broadcast/multicast datagrams dropped due to no socket
        0 dropped due to full socket buffers
        0 not for hashed pcb
        0 delivered
        1503 datagrams output
ip:
        44537 total packets received
        0 bad header checksums
        0 with size smaller than minimum
        0 with data size < data length
        0 with ip length > max ip packet size
        0 with header length < data size
        0 with data length < header length
        0 with bad options
        0 with incorrect version number
        0 fragments received
        0 fragments dropped (dup or out of space)
        0 fragments dropped after timeout
        0 packets reassembled ok
        3743 packets for this host
        1503 packets for unknown/unsupported protocol
        0 packets forwarded (0 packets fast forwarded)
        26203 packets not forwardable
        35 packets received for unknown multicast group
        0 redirects sent
        4891 packets sent from this host
        0 packets sent with fabricated ip header
        0 output packets dropped due to no bufs, etc.
        0 output packets discarded due to no route
        0 output datagrams fragmented
        0 fragments created
        0 datagrams that can't be fragmented
        0 tunneling packets that can't find gif
        0 datagrams with bad address in header
icmp:
        1502 calls to icmp_error
        0 errors not generated 'cuz old message was icmp
        Output histogram:
                echo reply: 231
                destination unreachable: 1502
        0 messages with bad code fields
        0 messages < minimum length
        0 bad checksums
        0 messages with bad length
        1 multicast echo requests ignored
        0 multicast timestamp requests ignored
        Input histogram:
                echo reply: 4
                destination unreachable: 1502
                echo: 232
        231 message responses generated
        0 invalid return addresses
        0 no return routes
        ICMP address mask responses are disabled
igmp:
        0 messages received
        0 messages received with too few bytes
        0 messages received with bad checksum
        0 membership queries received
        0 membership queries received with invalid field(s)
        0 membership reports received
        0 membership reports received with invalid field(s)
        0 membership reports received for groups to which we belong
        0 membership reports sent
-- Bridging statistics (bdg) --
Name          In      Out  Forward     Drop    Bcast    Mcast    Local  Unknown
dc0:1     155257   296115   136083        0      345    15217     2203     1409
vr0:1     315444   153056   114414        0   179526    19433        0     2071

# netstat -i
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
dc0   1500  <Link#1>    00:01:53:80:e2:40   155605     0   297006     0     0
dc0   1500  10/24         10.0.0.1            5273     -     4916     -     -
vr0   1500  <Link#2>    00:e0:4c:9c:83:1a   316350     0   153370     0     0
lp0*  1500  <Link#3>                             0     0        0     0     0
lo0   16384 <Link#4>                          3104     0     3104     0     0
lo0   16384 your-net      localhost             48     -       48     -     -
ppp0* 1500  <Link#5>                             0     0        0     0     0
sl0*  552   <Link#6>                             0     0        0     0     0
faith 1500  <Link#7>                             0     0        0     0     0

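The `ipfw show` dump is the part of the attachment a reviewer of this firewall would read first: the packet counters say which rules actually carry traffic, which have never matched, and whether the anti-spoofing deny rules on the external interface cover what they are meant to cover. The script below is an added example, not code from the original mail or from FreeBSD's ipfw. It parses a constructed subset of the dump's own lines (keeping the author's `<MYHOST1>` placeholder, and using the documentation range 192.0.2.64/26 as a stand-in for the masked X.X.211.64/26), assumes `vr0` is the external interface as rules 00900-01200 indicate, and reports three things: total packets denied, rules with a zero packet counter, and the RFC 1918 source space that no `deny ip from <net> to any via vr0` rule catches. On this ruleset that last check flags rule 01200: it denies 172.16.0.0/16, while RFC 1918 reserves 172.16.0.0/12, so sources in 172.17.0.0 through 172.31.255.255 fall through to the later rules.

```python
"""Summarize an `ipfw show` dump: denied-packet totals, rules that have
never matched, and how much RFC 1918 source space the anti-spoofing deny
rules on the external interface actually cover.  Added example; assumes
the external interface name is passed in by the caller (vr0 here)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the `ipfw show` lines from the dump above.
# <MYHOST1> is the author's placeholder; 192.0.2.64/26 stands in for the
# masked X.X.211.64/26 netblock.
SAMPLE_IPFW_SHOW = """\
00100     24      1824 allow udp from 132.239.1.6 123 to <MYHOST1> 123
00900      0         0 deny ip from 127.0.0.0/8 to any via vr0
01000   1316    132222 deny ip from 10.0.0.0/8 to any via vr0
01100    512     65098 deny ip from 192.168.0.0/16 to any via vr0
01200      0         0 deny ip from 172.16.0.0/16 to any via vr0
01300   6363   1136947 allow ip from 10.0.0.0/28 to any via dc0
01700    703     33825 allow icmp from any to any
02100      0         0 allow tcp from any to <MYHOST1> 53
03100      0         0 deny tcp from any to <MYHOST1> 3306
05600   7565    303432 deny tcp from any to 192.0.2.64/26 setup
05700    227     18147 allow tcp from any to 192.0.2.64/26 1024-65535
05900  24660   2746580 deny log ip from any to any
65535     17       997 deny ip from any to any
"""

# The three RFC 1918 private blocks; a spoofing filter should cover all of them.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str   # "allow" or "deny"
    log: bool     # True for "deny log ..." rules
    proto: str    # ip, tcp, udp, icmp
    src: str      # address/mask, "any", or the author's <MYHOST> placeholder
    dst: str
    options: str  # whatever follows the addresses, e.g. "via vr0" or "setup"


_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$")


def parse_ipfw_show(text):
    """Parse `ipfw show` output (rule number, packet and byte counters, body)."""
    rules = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank or non-rule line
        number, packets, nbytes, body = m.groups()
        toks = body.split()
        action = toks.pop(0)
        log = bool(toks) and toks[0] == "log"
        if log:
            toks.pop(0)
        proto = toks.pop(0)
        if toks.pop(0) != "from":
            raise ValueError(f"unexpected rule syntax: {line}")
        src = toks.pop(0)
        if toks and toks[0] != "to":        # optional source port list
            toks.pop(0)
        if toks.pop(0) != "to":
            raise ValueError(f"unexpected rule syntax: {line}")
        dst = toks.pop(0)
        if toks and toks[0][0].isdigit():   # optional destination port list
            toks.pop(0)
        rules.append(Rule(int(number), int(packets), int(nbytes), action, log,
                          proto, src, dst, " ".join(toks)))
    return rules


def _as_network(token):
    """Address/mask token as an ip_network, or None for 'any' and placeholders."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def denied_packets(rules):
    """Packets that hit any deny rule, including the default rule 65535."""
    return sum(r.packets for r in rules if r.action == "deny")


def unused_rules(rules):
    """Numbers of rules whose packet counter is zero (default rule excluded)."""
    return [r.number for r in rules if r.packets == 0 and r.number != 65535]


def uncovered_private_space(rules, iface):
    """RFC 1918 space not caught by any 'deny ip from <net> to any via <iface>'."""
    remaining = list(RFC1918_NETS)
    for r in rules:
        if (r.action, r.proto, r.dst) != ("deny", "ip", "any"):
            continue
        if f"via {iface}" not in r.options:
            continue
        net = _as_network(r.src)
        if net is None:
            continue
        nxt = []
        for block in remaining:
            if block.subnet_of(net):
                continue                              # fully covered
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))  # partially covered
            else:
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    rules = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    print(f"{len(rules)} rules, {denied_packets(rules)} packets denied")
    print("rules that have never matched:", unused_rules(rules))
    for net in uncovered_private_space(rules, "vr0"):
        print("RFC 1918 source space not denied on vr0:", net)
```

Zero-hit rules are not necessarily wrong (the MYHOST2 rules may simply be waiting for that host to come into service), but a deny rule with zero hits next to a sibling that has dropped thousands of packets is worth a second look, and the coverage check turns a visual review of masks into something that can be re-run after every ruleset change.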