Date: Mon, 9 Feb 2004 09:37:46 -0600 From: listmail@brightstar.ath.cx To: freebsd-questions@freebsd.org Subject: Server connectivity problem (firewall?) Message-ID: <402754EA.22800.187E1419@localhost>
Hardware setup:

MSN <--> DSL <--> [ (nic rl0) fbsd (nic dc0) ] <--> lan

----------
The problem:

Any operation initiating within the FBSD box works normally (such as nslookup, web surfing, and so on). Additionally, any operations initiated on the LAN side (pings, web surfing, etc.) work just fine, including browser accesses to the FBSD box's httpd and telnet to the FBSD box.

However, incoming TCP packets on rl0, such as initiating a telnet connection or packets to apache, or SMTP connections to sendmail, are refused (except ping/echo, which works just fine). From dc0 all works well. I can't figure out why they are being refused. From the tcpdump it appears that they're making it to the FBSD machine (note that they are also originated from the same FBSD machine, so they're just going out and looping right back). The Apache httpd and sendmail both run as daemons. All other services are launched by xinetd (I've checked xinetd - it's ok and works well from the LAN side).

I've included sample sessions with tcpdump output, firewall rules, etc. below. Any help at all is greatly appreciated.

Thanx

================
From /etc/rc.conf:

firewall_enable="YES"            # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
firewall_type="OPEN"             # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"              # Set to YES to suppress rule display
firewall_logging="YES"           # Set to YES to enable events logging
firewall_flags=""                # Flags passed to ipfw when type is a file
ipfilter_enable="YES"            # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"     # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"  # rules definition file for ipfilter, see
                                 # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""                # additional flags for ipfilter

----------------------------------
Firewall rules:

brightstar# ipfw show
00050  298  29652 divert 8668 ip from any to any via rl0
00100   12   1464 allow ip from any to any via lo0
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
65000 2281 207561 allow ip from any to any

----------------------------------
IPF is also running (I can't recall why) with the following rules:

pass in all
pass out all

If I remove it from rc.conf I lose the ability to connect via dc0 as well.

================
Example connection attempts:

-----------------------------------
Using telnet port 23:

brightstar# telnet 64.131.171.14
Trying 64.131.171.14...
telnet: connect to address 64.131.171.14: Connection refused
telnet: Unable to connect to remote host
brightstar#

Results of tcpdump -i rl0 port 23:

tcpdump: listening on rl0
08:44:40.250722 192.168.1.2.iad1 > 64-131-171-14.mpls.qwest.net.telnet: S 3491920571:3491920571(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 149293 0> (DF) [tos 0x10]
08:44:40.251782 64-131-171-14.mpls.qwest.net.telnet > 192.168.1.2.iad1: FR 0:0(0) ack 3491920572 win 0 (DF) [tos 0x10]
brightstar#

---------------------------------------------
Using telnet port 80:

brightstar# telnet 64.131.171.14 80
Trying 64.131.171.14...
Connected to 64-131-171-14.mpls.qwest.net.
Escape character is '^]'.
Connection closed by foreign host.
brightstar#

Results of tcpdump for port 80 (tcpdump -i rl0 port 80):

08:45:56.334523 192.168.1.2.iad2 > 64-131-171-14.mpls.qwest.net.http: S 1058522411:1058522411(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 156902 0> (DF) [tos 0x10]
08:45:56.335860 64-131-171-14.mpls.qwest.net.http > 192.168.1.2.iad2: S 48713728:48713728(0) ack 1058522412 win 16000 <mss 1446>
08:45:56.339497 192.168.1.2.iad2 > 64-131-171-14.mpls.qwest.net.http: . ack 1 win 57840 (DF) [tos 0x10]
08:45:57.837910 64-131-171-14.mpls.qwest.net.http > 192.168.1.2.iad2: F 1:1(0) ack 1 win 16000
08:45:57.838876 192.168.1.2.iad2 > 64-131-171-14.mpls.qwest.net.http: . ack 2 win 57840 (DF) [tos 0x10]
08:45:57.839222 192.168.1.2.iad2 > 64-131-171-14.mpls.qwest.net.http: F 1:1(0) ack 2 win 57840 (DF) [tos 0x10]
08:45:57.840615 64-131-171-14.mpls.qwest.net.http > 192.168.1.2.iad2: FR 48713730:48713730(0) win 0 (DF) [tos 0x10]