Date:      Tue, 2 May 2000 11:44:52 +0200 
From:      "Lowkrantz, Goran" <Goran.Lowkrantz@infologigruppen.se>
To:        "'freebsd-stable@FreeBSD.ORG'" <freebsd-stable@FreeBSD.ORG>
Subject:   Strange firewall - DMZ interference
Message-ID:  <B500F74C6527D311B61F0000C0DF5ADC263025@valhall.ign.se>

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01BFB41B.107B0C3D
Content-Type: text/plain;
	charset="iso-8859-1"

I'm totally at a loss over a firewall system I have been running for almost a
year on 3-STABLE; when I upgrade to 4-STABLE it just seems to go bananas.


Configuration

 Internet
    |xl0 - 212.214.163.69/32
+---+---+xl1 +-----+
|  FW1  +----+ DMZ | - 212.214.162.32/24
+---+---+    +-----+
    |xl2 - 192.168.99.1/30
    |de2 - 192.168.99.2/30
+---+---+
|  FW2  |
---+----+
   |
Internal
net

In the DMZ I have one apache server with a couple of virtual servers, both
name- and IP-based. On FW1 there is another apache, but this one is configured to
forward all requests to other web servers using mod_proxy.

My problem is that FW1 accepts all connections to the DMZ! Whatever I do
from the internet -- ping, traceroute, ssh, ftp, www, you name it -- FW1 responds,
even when I use specific IP addresses that have hosts on the DMZ.

I have attached all information I can think of. Please help, I have run out
of ideas.

Cheers,
	GLZ

----
Goran Lowkrantz         Email    : goran.lowkrantz@infologigruppen.se
Infologigruppen Alfa AB Telephone: Nat    070-587 8782 Fax: Nat    070-615
8782
Box 202                            Int +46 70-587 8782      Int +46 70-615
8782
941 25 Pitea,  Sweden   
 


------_=_NextPart_000_01BFB41B.107B0C3D
Content-Type: text/plain;
	name="ifconfig.txt"
Content-Disposition: attachment;
	filename="ifconfig.txt"

> ifconfig -a
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 212.214.163.69 netmask 0xffffffc0 broadcast 212.214.163.127
        ether 00:10:5a:d5:59:bd 
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 212.214.162.33 netmask 0xfffffff0 broadcast 212.214.162.47
        ether 00:10:5a:d5:58:29 
        media: autoselect (10baseT/UTP) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
xl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.99.1 netmask 0xfffffffc broadcast 192.168.99.3
        ether 00:10:5a:d5:58:2f 
        media: autoselect (100baseTX <full-duplex>) status: active
        supported media: autoselect 100baseTX <full-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 100baseTX <hw-loopback>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000 

------_=_NextPart_000_01BFB41B.107B0C3D
Content-Type: text/plain;
	name="netstat.txt"
Content-Disposition: attachment;
	filename="netstat.txt"

> netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            212.214.163.65     UGSc       96     7210      xl0
localhost          localhost          UH          4      856      lo0
192.168/16         modgunn-net.ign.se UGSc        5     3000      xl2
192.168.99/30      link#3             UC          0        0      xl2 =>
modgunn-net.ign.se 0:80:c8:f8:48:93   UHLW        7      344      xl2   1072
192.168.99.3       ff:ff:ff:ff:ff:ff  UHLWb       0        8      xl2
212.214.162.32/32  bifrost            UGSc        0        0      xl1 =>
212.214.162.32/28  link#2             UC          0        0      xl1 =>
bifrost            0:10:5a:d5:58:29   UHLW        1        0      lo0
infowire           0:10:5c:ab:1f:20   UHLW        2       60      xl1   1064
balder             0:10:5a:d5:59:1a   UHLW        0      120      xl1     22
212.214.162.47     ff:ff:ff:ff:ff:ff  UHLWb       1       19      xl1
212.214.163.64/26  link#1             UC          0        0      xl0 =>
212.214.163.65     0:50:da:dc:a0:84   UHLW       94        0      xl0   1072
212.214.163.127    ff:ff:ff:ff:ff:ff  UHLWb       1       16      xl0

------_=_NextPart_000_01BFB41B.107B0C3D
Content-Type: text/plain;
	name="ipfw.txt"
Content-Disposition: attachment;
	filename="ipfw.txt"

# rc.conf(5) fragment for FW1: load the ipfw ruleset from a file and
# start natd on the outside interface.
#
# firewall_type names a file here rather than one of the built-in
# profiles, so the attached /etc/ipfw.conf is the whole ruleset.
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"

# NOTE(review): the attached /etc/ipfw.conf contains no "divert natd"
# rule, so natd receives no packets unless such a rule is added
# elsewhere -- confirm which behaviour is intended.
natd_enable="YES"
natd_interface="xl0"            # outside interface, 212.214.163.69/26
natd_flags="-f /etc/natd.conf"  # every other natd option lives in that file


------_=_NextPart_000_01BFB41B.107B0C3D
Content-Type: application/octet-stream;
	name="ipfw.conf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="ipfw.conf"

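# /etc/ipfw.conf for FW1 (bifrost), loaded through firewall_type in=0A=
# rc.conf. ipfw evaluates rules in order and the first match wins, so=0A=
# the position of every line below matters.=0A=
# NOTE(review): there is no "divert natd" rule in this file although=0A=
# natd is enabled in rc.conf; natd sees no traffic unless such a rule=0A=
# is added elsewhere. Confirm which behaviour is intended.=0A=
#=0A=
# Ingress anti-spoofing: a packet whose source address belongs behind=0A=
# another interface is dropped.=0A=
add deny all from 192.168.0.0:255.255.0.0 to any in via xl0=0A=
add deny all from 212.214.162.32:255.255.255.240 to any in via xl0=0A=
add deny all from 192.168.0.0:255.255.0.0 to any in via xl1=0A=
add deny all from 212.214.163.0:255.255.255.192 to any in via xl1=0A=
add deny all from 212.214.163.0:255.255.255.192 to any in via xl2=0A=
add deny all from 212.214.162.32:255.255.255.240 to any in via xl2=0A=
# Outbound TCP and UDP to ports 194 and 529 is blocked on the outside.=0A=
add deny tcp from any to any 194 out via xl0=0A=
add deny udp from any to any 194 out via xl0=0A=
add deny tcp from any to any 529 out via xl0=0A=
add deny udp from any to any 529 out via xl0=0A=
# Addresses that must never cross the outside interface in either=0A=
# direction: 0/8, link-local, TEST-NET, multicast and class E.=0A=
add deny all from 0.0.0.0/8 to any via xl0=0A=
add deny all from any to 0.0.0.0/8 via xl0=0A=
add deny all from 169.254.0.0/16 to any via xl0=0A=
add deny all from any to 169.254.0.0/16 via xl0    =0A=
add deny all from 192.0.2.0/24 to any via xl0=0A=
add deny all from any to 192.0.2.0/24 via xl0=0A=
add deny all from 224.0.0.0/4 to any via xl0=0A=
add deny all from any to 224.0.0.0/4 via xl0=0A=
add deny all from 240.0.0.0/4 to any via xl0=0A=
add deny all from any to 240.0.0.0/4 via xl0=0A=
# (A second, identical copy of the ten rules above was removed: it was=0A=
# shadowed by the first copy and could never match.)=0A=
#=0A=
# Any TCP segment with ACK or RST set passes here, so only connection=0A=
# setup (SYN) packets are subject to the per-service rules below.=0A=
add allow tcp from any to any established=0A=
# NOTE(review): every non-first fragment passes unconditionally; it=0A=
# carries no port information, so none of the service rules apply.=0A=
add pass all from any to any frag=0A=
# NOTE(review): SSH setup is accepted on every interface to every=0A=
# destination, DMZ and internal included -- confirm that is intended.=0A=
add allow tcp from any to any 22 setup=0A=
# FTP (20/21) and SMTP to FW1 itself (212.214.163.69) and the DMZ=0A=
# mail host (212.214.162.35).=0A=
add allow tcp from any to 212.214.163.69 20 setup=0A=
add allow tcp from any to 212.214.163.69 21 setup=0A=
add allow tcp from any to 212.214.162.35 25 setup=0A=
add allow tcp from any to 212.214.163.69 25 setup=0A=
# SMTP relaying toward the internal host 192.168.3.1 and outward from=0A=
# the DMZ mail host and FW1 only.=0A=
add allow tcp from any to 192.168.3.1 25 setup out via xl2=0A=
add allow tcp from 212.214.162.35 to 192.168.3.1 25 in via xl1=0A=
add allow tcp from 212.214.162.35 to any 25 in via xl1=0A=
add allow tcp from 212.214.162.35 to any 25 out via xl0=0A=
add allow tcp from 212.214.163.69 to any 25 out via xl0=0A=
# Traffic from 192.168.3.1 port 25 must not leave via xl0 (logged).=0A=
add deny log tcp from 192.168.3.1 25 to any out via xl0=0A=
# DNS over TCP to the DMZ and FW1 resolvers, and from FW1 outward.=0A=
add allow tcp from any to 212.214.162.35 53 setup=0A=
add allow tcp from any to 212.214.163.69 53 setup=0A=
add allow tcp from 212.214.163.69 to any 53 out via xl0=0A=
# HTTP to the DMZ web hosts (.34/.35) and the mod_proxy apache on FW1;=0A=
# the internal networks may browse out through xl2.=0A=
add allow tcp from any to 212.214.162.34 80 setup=0A=
add allow tcp from any to 212.214.162.35 80 setup=0A=
add allow tcp from any to 212.214.163.69 80 setup=0A=
add allow tcp from 192.168.0.0:255.255.0.0 to any 80 in via xl2=0A=
add allow tcp from 212.214.163.69 to any 80 out via xl0=0A=
# HTTPS to the same three hosts.=0A=
add allow tcp from any to 212.214.162.34 443 setup=0A=
add allow tcp from any to 212.214.162.35 443 setup=0A=
add allow tcp from any to 212.214.163.69 443 setup=0A=
# Single logged exception for one outside host to port 1173 on FW1=0A=
# (purpose not stated in the file).=0A=
add allow log tcp from 193.44.171.39 to 212.214.163.69 1173 setup=0A=
# ident: reply with port-unreachable instead of silently dropping.=0A=
add unreach port tcp from any to any 113 in via xl0=0A=
# Catch-all: every other inbound SYN arriving on the interface that=0A=
# holds 212.214.163.69 (xl0) is logged and dropped.=0A=
add deny log tcp from any to any in via 212.214.163.69 setup=0A=
add deny tcp from any to any 139 in recv xl0=0A=
# NOTE(review): all remaining TCP is allowed on xl1 and xl2 in both=0A=
# directions, so a DMZ host may open connections toward the internal=0A=
# side (in via xl1, out via xl2). Confirm that is intended.=0A=
add allow tcp from any to any via xl1=0A=
add allow tcp from any to any via xl2=0A=
add allow tcp from any to any out via xl0=0A=
# UDP among the private networks and the DMZ.=0A=
add allow udp from 192.168.0.0/16 to 192.168.0.0/16=0A=
add allow udp from 192.168.0.0/16 to 212.214.162.32/28=0A=
add allow udp from 212.214.162.32/28 to 192.168.0.0/16=0A=
add allow udp from 212.214.162.32/28 to 212.214.162.32/28=0A=
# NOTE(review): "from any 53 to any" accepts any UDP datagram whose=0A=
# source port is 53 regardless of destination; this is a well-known=0A=
# way past a stateless filter. Restrict it to the resolvers in use.=0A=
add allow udp from any 53 to any=0A=
add allow udp from any to any 53=0A=
# NTP (123) and port 513 to and from FW1's own addresses, the DMZ=0A=
# broadcast address and the DMZ mail host.=0A=
add allow udp from any 123 to 212.214.163.69=0A=
add allow udp from any 123 to 212.214.163.255=0A=
add allow udp from 212.214.163.69 to any 123=0A=
add allow udp from any 123 to 212.214.162.33=0A=
add allow udp from any 123 to 212.214.162.47=0A=
add allow udp from 212.214.162.33 to any 123=0A=
add allow udp from any 123 to 192.168.99.1=0A=
add allow udp from any 123 to 192.168.99.3=0A=
add allow udp from 192.168.99.1 to any 123=0A=
add allow udp from any 513 to 192.168.99.1=0A=
add allow udp from any 513 to 192.168.99.3=0A=
add allow udp from 192.168.99.1 to any 513=0A=
add allow udp from any 513 to 212.214.162.35=0A=
add allow udp from 212.214.162.35 to any 513=0A=
add allow udp from any 513 to 212.214.162.33=0A=
add allow udp from 212.214.162.33 to any 513=0A=
# Drop DHCP-server (67), port 513 and NetBIOS (137/138) traffic from=0A=
# the outside; NetBIOS is also dropped from the DMZ.=0A=
add deny udp from any to any 67 in via xl0=0A=
add deny udp from any to any 513 via xl0=0A=
add deny udp from any to any 137 in recv xl0=0A=
add deny udp from any to any 137 in recv xl1=0A=
add deny udp from any to any 138 in recv xl0=0A=
add deny udp from any to any 138 in recv xl1=0A=
# Remaining UDP: anything outbound on xl0 and anything on xl2.=0A=
add allow udp from any to any out via xl0=0A=
add allow udp from any to any via xl2=0A=
# ICMP: unrestricted on xl1/xl2 and outbound on xl0; inbound on xl0=0A=
# only the listed types, everything else dropped.=0A=
add allow icmp from any to any via xl2=0A=
add allow icmp from any to any via xl1=0A=
add allow icmp from any to any out via xl0=0A=
add allow icmp from any to any in via xl0 icmptypes =
0,3,4,8,11,12,14,15,16,17,18,30,31=0A=
add deny icmp from any to any in via xl0=0A=
# Default: log and drop everything not matched above.=0A=
add deny log ip from any to any=0A=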

------_=_NextPart_000_01BFB41B.107B0C3D
Content-Type: application/octet-stream;
	name="natd.conf"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="natd.conf"

#=0A=
# NATD Config file for BIFROST=0A=
#=0A=
# Read by natd through the -f entry in natd_flags (rc.conf); the=0A=
# interface natd binds to (xl0) comes from natd_interface there.=0A=
# Option names are the long forms documented in natd(8).=0A=
# NOTE(review): the attached ipfw.conf has no "divert natd" rule, so=0A=
# nothing reaches natd unless a divert rule is added elsewhere.=0A=
#=0A=
# Log aliasing statistics and information.=0A=
log yes=0A=
# Log incoming packets that natd rejects.=0A=
log_denied yes=0A=
# Allocate a real socket for FTP data / IRC DCC sessions so the=0A=
# chosen port cannot collide with a local listener.=0A=
use_sockets yes=0A=
# Try to keep the original source port when translating.=0A=
same_ports yes=0A=
# Only translate packets with an unregistered (private) source=0A=
# address. Here that is the 192.168/16 side; the DMZ range=0A=
# 212.214.162.32/28 is public space and passes untranslated.=0A=
unregistered_only yes=0A=
# Track address changes on the bound interface (see natd(8)).=0A=
dynamic yes=0A=

------_=_NextPart_000_01BFB41B.107B0C3D--





