From owner-freebsd-net@FreeBSD.ORG  Sat Jul 12 12:53:08 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 487B137B401
	for <freebsd-net@freebsd.org>; Sat, 12 Jul 2003 12:53:08 -0700 (PDT)
Received: from mandarin.fruitsalad.org (pc117.net160.koping.net
	[81.16.160.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E6AD643F3F
	for <freebsd-net@freebsd.org>; Sat, 12 Jul 2003 12:53:05 -0700 (PDT)
	(envelope-from mdouhan@fruitsalad.org)
Received: from [192.168.15.240] (helo=192.168.15.240)
	by mandarin.fruitsalad.org with esmtp (Exim 4.14)
	id 19bQQb-0003v1-3X; Sat, 12 Jul 2003 21:53:05 +0200
From: Matt Douhan <mdouhan@fruitsalad.org>
To: rmkml <rmkml@wanadoo.fr>
Date: Sat, 12 Jul 2003 21:53:10 +0200
User-Agent: KMail/1.5.2
References: <200307122110.37349.mdouhan@fruitsalad.org>
	<3F106215.8E73129D@wanadoo.fr>
In-Reply-To: <3F106215.8E73129D@wanadoo.fr>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: clearsigned data
Content-Disposition: inline
Message-Id: <200307122153.17101.mdouhan@fruitsalad.org>
cc: freebsd-net@freebsd.org
Subject: Re: very strange problem
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jul 2003 19:53:08 -0000

=2D----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for topposting but I will try and answer the requests one by one, I c=
an=20
only do FW1 today, and fw2 on monday, but here goes

>
> possible send tcpump record pb ?
> (example: tcpdump -ns 0 -i externalintf_fw1 -w all1.tcpdump
> and tcpdump -ns 0 -i externalintf_fw2 -w all2.tcpdump)

dump is pretty large so I did not want to email it, please download it from

http://www.fruitsalad.org/people/mdouhan/fw1.tar.gz

>
> possible send ipf -V (on two fw) ?

7:47pm mdouhan @ [firewall1] ~ > sudo ipf -V
ipf: IP Filter: v3.4.31 (336)
Kernel: IP Filter: v3.4.31
Running: yes
Log Flags: 0 =3D none set
Default: pass all, Logging: available
Active list: 0


>
> possible send ipfstat -nhio (on two fw) ?
>

7:49pm mdouhan @ [firewall1] ~ > sudo ipfstat -nhio
2073551 @1 pass out quick on fxp0 from any to any keep state
1038 @1 pass in quick on fxp0 proto icmp from any to any
1802016 @2 pass in quick on fxp0 from 192.168.254.242/32 to 192.168.15.250/=
32
1255 @3 pass in quick on fxp0 from 192.168.254.250/32 to 192.168.15.249/32
372304 @4 block in log quick on fxp0 from any to any



> possible send ipnat -slv (on two fw) ?

fw1 is not running NAT, will sedn this on monday when I get to fw2

>
> possible send netstat -ni ?
>

7:50pm mdouhan @ [firewall1] ~ > netstat -ni
Name    Mtu Network       Address              Ipkts Ierrs    Opkts Oerrs =
=20
Coll
fxp0   1500 <Link#1>      00:02:b3:cc:20:6e 45474907     0 46776572     0  =
  =20
0
fxp0   1500 192.168.254   192.168.254.1          612     -      673     -  =
  =20
=2D -
fxp0   1500 fe80:1::202:b fe80:1::202:b3ff:        0     -        0     -  =
  =20
=2D -
fxp1   1500 <Link#2>      00:02:b3:cc:1b:3f 47307566     3 45127446     0  =
  =20
0
fxp1   1500 192.168.15    192.168.15.254      184152     -    40018     -  =
  =20
=2D -
fxp1   1500 fe80:2::202:b fe80:2::202:b3ff:        0     -        0     -  =
  =20
=2D -
lp0*   1500 <Link#3>                               0     0        0     0  =
  =20
0
lo0   16384 <Link#4>                             528     0      528     0  =
  =20
0
lo0   16384 ::1/128       ::1                      0     -        0     -  =
  =20
=2D -
lo0   16384 fe80:4::1/64  fe80:4::1                0     -        0     -  =
  =20
=2D -
lo0   16384 127           127.0.0.1              528     -      528     -  =
  =20
=2D -




> possible send ifconfig -a ?
>

7:50pm mdouhan @ [firewall1] ~ > ifconfig -a
fxp0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3D3<RXCSUM,TXCSUM>
        inet 192.168.254.1 netmask 0xffffff00 broadcast 192.168.254.255
        inet6 fe80::202:b3ff:fecc:206e%fxp0 prefixlen 64 scopeid 0x1
        ether 00:02:b3:cc:20:6e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3D3<RXCSUM,TXCSUM>
        inet 192.168.15.254 netmask 0xffffff00 broadcast 192.168.15.255
        inet6 fe80::202:b3ff:fecc:1b3f%fxp1 prefixlen 64 scopeid 0x2
        ether 00:02:b3:cc:1b:3f
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lp0: flags=3D8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=3D8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000


> possible dmesg ?
>

7:51pm mdouhan @ [firewall1] ~ > dmesg
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
=46reeBSD 5.1-CURRENT #2: Wed Jul  2 15:40:03 GMT 2003
    root@firewall1.internal.hasta.se:/usr/obj/usr/src/sys/FIREWALL1
Preloaded elf kernel "/boot/kernel/kernel" at 0xc052a000.
Preloaded elf module "/boot/kernel/acpi.ko" at 0xc052a1cc.
Timecounter "i8254"  frequency 1193182 Hz
Timecounter "TSC"  frequency 1799806528 Hz
CPU: Intel(R) Celeron(R) CPU 1.80GHz (1799.81-MHz 686-class CPU)
  Origin =3D "GenuineIntel"  Id =3D 0xf13  Stepping =3D 3
 =20
=46eatures=3D0x3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PG=
E,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM>
real memory  =3D 536805376 (511 MB)
avail memory =3D 515776512 (491 MB)
Pentium Pro MTRR support enabled
npx0: <math processor> on motherboard
npx0: INT 16 interface
acpi0: <AOpen  AWRDACPI> on motherboard
pcibios: BIOS version 2.10
Using $PIR table, 11 entries at 0xc00fdeb0
acpi0: power button is handled as a fixed feature programming model.
Timecounter "ACPI-fast"  frequency 3579545 Hz
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x4008-0x400b on acpi0
acpi_cpu0: <CPU> on acpi0
acpi_cpu1: <CPU> on acpi0
acpi_tz0: <thermal zone> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
pcib0: slot 29 INTA is routed to irq 12
pcib0: slot 29 INTB is routed to irq 11
pcib0: slot 29 INTC is routed to irq 12
pcib0: slot 29 INTD is routed to irq 10
pcib0: slot 31 INTB is routed to irq 11
pcib0: slot 31 INTB is routed to irq 11
agp0: <Intel 82845 host to AGP bridge> mem 0xe0000000-0xe3ffffff at device =
0.0=20
on pci0
pcib1: <PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pcib0: slot 1 INTA is routed to irq 12
pcib1: slot 0 INTA is routed to irq 12
pci1: <display, VGA> at device 0.0 (no driver attached)
uhci0: <Intel 82801DB (ICH4) USB controller USB-A> port 0xd800-0xd81f irq 1=
2=20
at device 29.0 on pci0
usb0: <Intel 82801DB (ICH4) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <Intel 82801DB (ICH4) USB controller USB-B> port 0xd000-0xd01f irq 1=
1=20
at device 29.1 on pci0
usb1: <Intel 82801DB (ICH4) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <Intel 82801DB (ICH4) USB controller USB-C> port 0xd400-0xd41f irq 1=
2=20
at device 29.2 on pci0
usb2: <Intel 82801DB (ICH4) USB controller USB-C> on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
pci0: <serial bus, USB> at device 29.7 (no driver attached)
pcib2: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci2: <ACPI PCI bus> on pcib2
pcib2: slot 7 INTA is routed to irq 11
pcib2: slot 9 INTA is routed to irq 10
fxp0: <Intel 82557/8/9 EtherExpress Pro/100(B) Ethernet> port 0xc000-0xc03f=
=20
mem 0xe9000000-0xe901ffff,0xe9041000-0xe9041fff irq 11 at device 7.0 on pci2
fxp0: Ethernet address 00:02:b3:cc:20:6e
miibus0: <MII bus> on fxp0
inphy0: <i82555 10/100 media interface> on miibus0
inphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fxp1: <Intel 82557/8/9 EtherExpress Pro/100(B) Ethernet> port 0xc400-0xc43f=
=20
mem 0xe9020000-0xe903ffff,0xe9040000-0xe9040fff irq 10 at device 9.0 on pci2
fxp1: Ethernet address 00:02:b3:cc:1b:3f
miibus1: <MII bus> on fxp1
inphy1: <i82555 10/100 media interface> on miibus1
inphy1:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH4 UDMA100 controller> port=20
0xf000-0xf00f,0-0x3,0-0x7,0-0x3,0-0x7 at device 31.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
pci0: <multimedia, audio> at device 31.5 (no driver attached)
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> port=20
0x3f7,0x3f0-0x3f5 irq 6 drq 2 on acpi0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
sio0: type 16550A
sio1 port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0 port 0x778-0x77b,0x378-0x37f irq 7 on acpi0
ppc0: Generic chipset (NIBBLE-only) in COMPATIBLE mode
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
orm0: <Option ROMs> at iomem 0xce000-0xcf7ff,0xcc000-0xcd7ff,0xc0000-0xca7f=
f=20
on isa0
pmtimer0 on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=3D0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounters tick every 10.000 msec
IP Filter: v3.4.31 initialized.  Default =3D pass all, Logging =3D enabled
acpi_cpu: throttling enabled, 2 steps (100% to 50.0%), currently 100.0%
ata1-master: timeout waiting for interrupt
ata1-master: ATAPI identify failed
ad0: 38166MB <WDC WD400BB-00DEA0> [77545/16/63] at ata0-master UDMA100
Mounting root from ufs:/dev/ad0s1a
IP Filter: already initialized
IP Filter: already initialized
fxp0: promiscuous mode enabled
fxp0: promiscuous mode disabled
fxp0: promiscuous mode enabled
fxp0: promiscuous mode disabled
fxp0: promiscuous mode enabled
fxp0: promiscuous mode disabled
7:51pm mdouhan @ [firewall1] ~ >


> Regard.
>
> Matt Douhan wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hello
> >
> > I am running FBSD on two firewalls in a scenario like below
> >
> > internet
> >
> > FW2
> >
> > DMZ
> >
> > FW1
> >
> > internal LAN
> >
> > FW1 is running ipf and fw2 is running ipf and ipnat
> >
> > hosts on the DMZ can access the internet without problems, ping
> > traceroute and mail, http all is working nicely and fast.
> >
> > hosts on the internal LAN however are seing VERY strange things
> >
> > for example, check this out
> >
> > 9:04pm mdouhan @ [persika] ~ > traceroute www.cisco.com
> > traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte
> > packets 1  192.168.15.254 (192.168.15.254)  0.698 ms  0.532 ms  0.410 ms
> > 2  192.168.254.254 (192.168.254.254)  0.781 ms  0.757 ms  0.744 ms 3=20
> > gw-l3-ktv-hc.koping.net (81.16.160.113)  1.210 ms  1.203 ms  1.263 ms 4=
=20
> > gw-l3-ktv-it.koping.net (81.16.160.6)  1.546 ms  4.123 ms  1.272 ms 5=20
> > rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  3.336 ms  2.813 ms  2.649 =
ms
> > 6  www.cisco.com (198.133.219.25)  1.278 ms  2.610 ms  1.962 ms
> >
> > the host "persika" is connected on the internal LAN, and is located in
> > Sweden, Europe and there is NO way it can get to www.cisco.com in 2-3 m=
s,
> > and I dont have any caching or proxies or anything, besides traceroute
> > does not care about that anyway AFAIK
> >
> > same traceroute from a host on the DMZ shows the correct thing as follo=
ws
> >
> > 9:05pm mdouhan @ [ananas] ~ > traceroute www.cisco.com
> > traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte
> > packets 1  firewall2 (192.168.254.254)  0.671 ms  0.458 ms  0.438 ms
> >  2  gw-l3-ktv-hc.koping.net (81.16.160.113)  0.901 ms  0.931 ms  0.878 =
ms
> >  3  gw-l3-ktv-it.koping.net (81.16.160.6)  1.416 ms  1.191 ms  1.388 ms
> >  4  rif3-r1-jvg-kop.arrowhead.com (81.216.90.1)  2.345 ms  2.080 ms=20
> > 2.705 ms 5  rif2-cr1-vf-kop.arrowhead.com (81.216.2.1)  1.973 ms  2.173
> > ms  2.263 ms 6  rif6-cr1-vf-vst.arrowhead.com (81.216.0.53)  3.785 ms=20
> > 2.708 ms  2.540 ms 7  rif3-cr1-vf-oby.arrowhead.com (213.187.195.97)=20
> > 3.363 ms  16.022 ms  3.862 ms
> >  8  rif47-rs1-t4-sto.arrowhead.com (213.187.195.93)  4.769 ms  4.396 ms=
=20
> > 3.999 ms
> >  9  rif5-cr3-kst-sto.arrowhead.com (81.216.0.137)  5.115 ms  4.624 ms=20
> > 4.762 ms
> > 10  Gi14-1-kst-p1.sto.se.sn.net (81.216.0.113)  4.496 ms  4.577 ms  4.6=
66
> > ms 11  pos2-0.vrt-p1.sto.se.sn.net (213.88.255.245)  4.687 ms  4.757 ms=
=20
> > 4.806 ms 12  sl-gw20-sto-2-1.sprintlink.net (80.77.97.89)  4.575 ms=20
> > 4.526 ms  4.576 ms 13  sl-bb21-sto-12-0.sprintlink.net (80.77.96.98)=20
> > 4.969 ms  5.132 ms  5.526 ms
> > 14  sl-bb21-cop-12-0.sprintlink.net (213.206.129.33)  14.034 ms *  13.9=
04
> > ms 15  sl-bb20-cop-15-0.sprintlink.net (80.77.64.33)  13.942 ms  13.498
> > ms 13.966 ms
> > 16  sl-bb21-msq-10-0.sprintlink.net (144.232.19.29)  91.125 ms  102.015
> > ms 93.908 ms
> > 17  sl-bb22-rly-15-3.sprintlink.net (144.232.19.98)  96.692 ms  95.680 =
ms
> > 96.615 ms
> > 18  sl-bb25-rly-12-0.sprintlink.net (144.232.14.166)  96.692 ms  95.879
> > ms 95.900 ms
> > 19  sl-bb23-sj-9-0.sprintlink.net (144.232.20.11)  227.115 ms  241.136 =
ms
> > 220.680 ms
> > 20  sl-bb25-sj-14-0.sprintlink.net (144.232.3.250)  181.269 ms  173.322
> > ms 164.253 ms
> > 21  sl-gw11-sj-10-0.sprintlink.net (144.232.3.134)  172.763 ms  172.362
> > ms 172.324 ms
> > 22  sl-ciscopsn2-11-0-0.sprintlink.net (144.228.44.14)  166.180 ms=20
> > 166.028 ms 170.228 ms
> > 23  sjck-dirty-gw1.cisco.com (128.107.239.5)  164.721 ms  166.063 ms=20
> > 166.174 ms
> > 24  sjck-sdf-ciod-gw2.cisco.com (128.107.239.110)  172.908 ms  173.340 =
ms
> > 173.284 ms
> > 25  www.cisco.com (198.133.219.25)  174.149 ms  174.768 ms *
> >
> > now here is where it gets really weird, I have tries reinstalling FW1
> > since it seems to be the cause of the problem, I have tries STABLE,
> > CURRENT, 5.1-R all with the same result, it does NOT work.
> >
> > I have tried swapping FW1 and FW2 and the problem stays the same, so it
> > seems to be a misconfiguration on my part (or a bug but thats less like=
ly
> > I think) but I cannot figure out what it is.
> >
> > my rules are very simple
> >
> > on FW1 allow anything out on the external fxp interface with keep state
> > so it can get back in.
> >
> > on FW2 I have a number of BIMAP statements and some NAT statements, BIM=
AP
> > are for the servers where we provide services such as mail, www and ftp.
> >
> > Any input or ideas would be highly appreciated, this is driving me crazy
> >
> > - --
> > -
> > -----------------------------------------------------------------------=
=2D-
> >----------- Matt Douhan
> > www.fruitsalad.org
> > CCIE #4004
> > *** ping elvis ***
> > *** elvis is alive ***
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.2 (FreeBSD)
> >
> > iD8DBQE/EF0skU5PITZniCURArKOAJ9HuNWbWCJiV0PRMSpFCo5bv4P3aACfXhAn
> > 9G8PqZQeZZ8RUIABr12VA5Q=3D
> > =3DKda6
> > -----END PGP SIGNATURE-----
> >
> > _______________________________________________
> > freebsd-net@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

=2D --=20
=2D -----------------------------------------------------------------------=
=2D------------
Matt Douhan
www.fruitsalad.org
CCIE #4004
*** ping elvis ***
*** elvis is alive ***
=2D----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/EGcskU5PITZniCURAloQAKC24SRdbrYOM6a1oCEM9nLBiQEmfACfcrVM
Y0jjV2L902CxGFgjkZ/Uoeo=3D
=3DHE41
=2D----END PGP SIGNATURE-----