Date: Thu, 13 Dec 2001 11:59:46 -0800 (PST)
From: Donnie Jones <donniejones18@yahoo.com>
To: Walter McGinnis <wtem@olywa.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: upgrade from 4.0 to 4.4 cablem firewall/router ssh problems
Message-ID: <20011213195946.57620.qmail@web20610.mail.yahoo.com>
In-Reply-To: <v04220800b83e9f5ac337@[165.247.209.222]>
--- Walter McGinnis <wtem@olywa.net> wrote:
> At 5:38 AM -0800 12/13/01, Donnie Jones wrote:
> > > Previously, I was able to ssh to remote hosts from my LAN behind my
> > > FreeBSD box, after the upgrade and resumption of cable service I
> > > can't. I can ssh between boxes on the LAN and from the
> > > router/firewall to remote hosts.
> > >
> > > TIA,
> > >
> > > Walter McGinnis
> >
> > What rules do you have set up in your firewall?
>
> I'm using natd and ipfw. I'm starting with an open script for the
> firewall until I get this resolved:
>
> # ipfw list
> 00100 divert 8668 ip from any to any via xl0
> 00101 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 03000 allow log logamount 100 ip from any to any
> 65535 deny ip from any to any
>
> The 65535 rule concerns me, but I suspect it is a result of the
> kernel being set to deny by default. Even after a manual flush it
> persists. The other explicit rules that I write overrule 65535,
> right?
>
> > Maybe you should move the firewall rules file somewhere else
> > and put a new one there that is blank, in order to
> > enable the firewall to pass everything through.
>
> This is what I've done:
>
> from rc.conf:
> gateway_enable="YES"
> router_enable="YES"
> router="routed"
> router_flags="-q"
> tcp_extensions="NO"
> forward_sourceroute="NO"
> accept_sourceroute="NO"
> hostname="2512-13A.attbi.com"
> firewall_enable="YES"
> firewall_script="/etc/firewall-1"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_flags="-f /etc/natd.conf"
> defaultrouter="12.232.151.1"
> network_interfaces="xl0 lo0 rl0"
> ifconfig_xl0="inet 12.232.151.171 netmask 255.255.255.0"
> ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
> inetd_enable="NO"
> sshd_enable="YES"
> sendmail_enable="NO"
> kern_securelevel="NO"
> ... (about it except mouse, linux, and network time stuff)
>
> in firewall-1 are all the rules except 65535.
>
> from natd.conf:
>
> port 8668
> # same_ports
> # unregistered_only
> interface xl0
> redirect_port tcp 10.0.0.10:8000-9000 8000-9000
> redirect_port tcp 10.0.0.10:80 80
> # dynamic
>
> > Do your pc's on the LAN have access to the internet? or
> > are you only using them for ssh?
>
> I had email and web access from my LAN boxes behind the router as of
> last night, but this morning not even the router has WAN
> web/email/ping/ssh access. I suspect it is because the defaultrouter
> (i.e. AT&T's gateway) has gone down and routed is unable to set up
> routing tables (netstat -r comes up with nothing and I get console
> messages from natd that the host is down). Note that all the lights
> on the modem are showing correct status and I powercycled the bastard
> for good measure (turn off power, unplug power supply and ethernet
> cable, leave off for a minute, plug power in, watch the pretty lights
> return to normal, plug ethernet back in). I've also switched xl0 to
> "DHCP" in case I lost my lease, but that doesn't work at reboot
> either. An interesting point is that I did at one time get DHCP to
> work and I wrote down the IP of gateway, name server, and my box just
> in case, which is what I had working last night. I was told that the
> DHCP lease was for 24 hours and it has definitely been less than that
> and besides that I'm unable to get anything from DHCP.
>
> That being said, I'm able to ping/ssh my internal boxes from the
> router and the other way around on the internal network (10.0.0...)
>
> Another thing of note is that /etc/defaults/rc.conf seems to override
> arbitrary /etc/rc.conf settings. I've commented out duplicate lines
> in /etc/defaults/rc.conf and things began to work (well except for
> the ssh problem of the original post) when they were. My
> understanding is that I shouldn't have to touch /etc/defaults/rc.conf
> only /etc/rc.conf, what the hell is going on with that?
>
> > Also, any configuration files you have, such as your
> > rc.conf and your firewall rules file may be helpful to
> > us in answering your questions.
> >
> > Sorry I can't help more.. yet.
> >
> > -Donnie
>
> I look forward to your answers. I've been pulling my hair out for days now...
>
> Walter McGinnis

Well, I think I have it for you. :) I believe you had the exact same
problem as I did when I set up my router a few days ago. Add these
lines to your rc.conf:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

Remove the other lines concerning the firewall and leave ipf.rules
empty, but do create the file. I hope this is the fix you needed
because my LAN was doing the exact same thing. Good luck.

-Donnie
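As an added example (not part of this thread, and not FreeBSD's own tooling): a small first-match simulator for the `ipfw list` output Walter quoted. It embeds that ruleset as constructed sample input, parses it, and reports which rule a few constructed packets would hit; it also flags that the `03000 allow log logamount 100 ip from any to any` rule makes the default `65535 deny ip from any to any` unreachable, which is what an "open" debugging ruleset looks like. ipfw evaluates rules in number order and the first matching allow or deny decides, so explicit earlier rules do take precedence over 65535. Assumptions: the divert rule is modelled as pass-through (natd's address rewriting is not simulated), and `log logamount N` and `via IFACE` are the only rule options the parser understands; the test packets (192.0.2.1 as a remote host, etc.) are made up here.

```python
"""Audit an `ipfw list` ruleset with a first-match simulator (added example)."""
import ipaddress
import re

# Constructed sample input: the ruleset quoted in the thread, verbatim.
IPFW_LIST = """\
00100 divert 8668 ip from any to any via xl0
00101 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
03000 allow log logamount 100 ip from any to any
65535 deny ip from any to any
"""

# Only the syntax used in the thread is recognised; anything else is an error.
RULE_RE = re.compile(
    r"^(?P<num>\d{5})\s+(?P<action>divert\s+\d+|allow|deny)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<iface>\S+))?\s*$"
)


def parse_ipfw_list(text):
    """Turn `ipfw list` output into a list of rule dicts, in rule-number order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule syntax: " + line)
        d = m.groupdict()
        rules.append({
            "num": int(d["num"]),
            "action": d["action"].split()[0],   # "divert", "allow" or "deny"
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "iface": d["iface"],                # None when no "via" clause
        })
    return sorted(rules, key=lambda r: r["num"])


def _addr_matches(spec, addr):
    """'any' matches everything; otherwise spec is a host or CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["iface"] is not None and rule["iface"] != pkt["iface"]:
        return False
    return _addr_matches(rule["src"], pkt["src"]) and _addr_matches(rule["dst"], pkt["dst"])


def first_terminal_match(rules, pkt):
    """Return the first allow/deny rule that matches pkt, or None.

    Assumption: divert rules are pass-through here. In reality natd rewrites
    addresses and reinjects the packet at the next rule; that translation is
    not simulated, so results are about rule ordering, not NAT correctness.
    """
    for r in rules:
        if r["action"] == "divert":
            continue
        if _rule_matches(r, pkt):
            return r
    return None


def unreachable_default_deny(rules):
    """True when an unconditional 'allow ip from any to any' precedes rule 65535."""
    for r in rules:
        if r["num"] == 65535:
            return False
        if (r["action"] == "allow" and r["proto"] == "ip"
                and r["src"] == "any" and r["dst"] == "any" and r["iface"] is None):
            return True
    return False


# Constructed test packets (192.0.2.0/24 is documentation address space).
TEST_PACKETS = {
    "LAN ssh outbound": {"proto": "tcp", "src": "10.0.0.10", "dst": "192.0.2.1", "iface": "xl0"},
    "spoofed loopback": {"proto": "tcp", "src": "192.0.2.1", "dst": "127.0.0.1", "iface": "xl0"},
    "local loopback":   {"proto": "icmp", "src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0"},
}

if __name__ == "__main__":
    rules = parse_ipfw_list(IPFW_LIST)
    for name, pkt in TEST_PACKETS.items():
        r = first_terminal_match(rules, pkt)
        print(f"{name:18s} -> rule {r['num']:05d} {r['action']}")
    if unreachable_default_deny(rules):
        print("WARNING: an allow-all rule precedes 65535; the ruleset is wide open")
```

Running it shows the LAN ssh packet landing on 03000 (allow), the spoofed-loopback packet on 00200 (deny) and loopback traffic on 00101, and prints the wide-open warning; once the debugging `03000 allow` rule is replaced with specific rules, the same check will report 65535 as reachable again.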
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011213195946.57620.qmail>