Subject: Problems with ipf on current
To: None <current-users@mail.netbsd.org>
From: Paul Newhouse <newhouse@totalarchive.com>
List: current-users
Date: 06/20/2000 23:37:07
Platform i386
The following rules used to direct traffic that comes in on tlp1 back out on
tlp1 (actually it worked when tlp1 was de1). With a recent current this
doesn't work.
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.40 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.41 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.42 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.43 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.44 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.45 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.46 to any
or
pass out log quick on ne0 to tlp1 from 209.128.91.40 to any
pass out log quick on ne0 to tlp1 from 209.128.91.41 to any
pass out log quick on ne0 to tlp1 from 209.128.91.42 to any
pass out log quick on ne0 to tlp1 from 209.128.91.43 to any
pass out log quick on ne0 to tlp1 from 209.128.91.44 to any
pass out log quick on ne0 to tlp1 from 209.128.91.45 to any
pass out log quick on ne0 to tlp1 from 209.128.91.46 to any
or
pass out log quick on ne0 to tlp1 from 209.128.91.40/29 to any
tlp1 is the default route and the problem address is explicitly routed out ne0.
I did that because I couldn't get the "on tlp1 to ne0" version of the above
rules to work. Once explicitly routed, connections that come in from that host
on ne0 work great, BUT if I ping the tlp1 address from that remote host, the ping
responses return via ne0.
Can this be made to work?
TIA,
Paul
newhouse@rockhead.com
piminx@home.com
Although a bit convoluted, my configuration looks like:
# Solaris 2.7
# 209.128.90.114 --- (ISP) 10.129.64.22
# | +-----------+
# | |pppd tunnel|
# | | ssh |
# 209.128.90.113 (FP WAN side) +-----------+
# +-----------+ 10.129.64.23
#+--| FlowPoint | |
#| +-----------+ rockhead.com | wan.vpn
#| (209.128.91.40/29) | (172.16/16)
#| rtr newhouse | bigbox
#| 209.128.91.41 <--> 209.128.91.46 +-------+--------+ 172.16.89.45
#+------------DSL connection----------|tlp1 ppp0 tlp0|------switch
# (FP LAN side) | | ||||
# | | |||+----serial net
# | NetBSD | +---+|+---+
# c484868-a. ... .home.com | -current | | | |
# +---------------------------|ne0 | | | |
# | 24.15.220.14 | | | | |
# | | | | | |
# | | | | | .44
# | | ppp1 | | .43 glorias-pc
# | +-------+--------+ .42 w95
# | +----------------|wan.vpn pimin
# | | |
# 24.15.220.1 172.31.255.2 172.31.255.2
# +----------+ +---------+ +-----------+
# | Cable | |Sportster| |pppd tunnel|
# | Modem | | Vi | | ssh |
# +----------+ +---------+ +-----------+
# | 172.31.255.1 172.31.255.1
# | | |
# +- NetBSD 1.4.1--+
# |
# 172.17/16
#
#
#The NetBSD-current box is compiled with option GATEWAY so running:
#
# /usr/sbin/sysctl -w net.inet.ip.forwarding
#
#returns:
#
# net.inet.ip.forwarding = 1
#
#/etc/ifconfig.tlp0:
# inet 172.16.89.45 netmask 255.255.255.248 broadcast 172.16.89.47
#
#/etc/ifconfig.tlp1:
# inet 209.128.91.46 209.128.91.41 netmask 255.255.255.248 broadcast 209.128.91.47
#
#/etc/ifaliases
# 209.128.91.42 tlp1 255.255.255.248
# 209.128.91.43 tlp1 255.255.255.248
# 209.128.91.44 tlp1 255.255.255.248
# 209.128.91.45 tlp1 255.255.255.248
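Added example (not part of the original post, and not ipf code): the post offers two forms of the same "pass out ... to tlp1" rules, one rule per host address (.40 through .46) and a single 209.128.91.40/29 rule. Collapsing the list to a CIDR is not quite equivalent, since the /29 also spans 209.128.91.47, the broadcast address the post's ifconfig.tlp1 line names. The script below parses the "from ... to ..." clause of each rule and reports what the CIDR form admits that the per-host form does not. The rule strings are constructed from the addresses in the post, and the function names (parse_from, covered_addresses, diff_coverage) are this example's own.

```python
"""Compare the source-address coverage of per-host ipf pass rules with a
single CIDR rule.  Added example; the rules are constructed from the
addresses in the post and the helper names are this script's own."""
import ipaddress
import re

# The address part of an ipf rule: "from <src> to <dst>".  The "to <ifname>"
# route-to option sits before "from", so this only matches the address clause.
FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")


def parse_from(rule):
    """Return the IPv4 network matched by the rule's 'from' field.

    ipf treats a bare address as a single host (/32); 'any' matches all.
    """
    m = FROM_RE.search(rule)
    if not m:
        raise ValueError(f"no 'from ... to ...' clause in rule: {rule!r}")
    src = m.group(1)
    if src == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False lets a host bit in the address pass through as written
    return ipaddress.ip_network(src, strict=False)


def covered_addresses(rules):
    """Every source address admitted by the rules' 'from' fields.

    Iterating an IPv4Network yields all of its addresses, network and
    broadcast included, which is exactly what an ipf CIDR match covers.
    Refuses anything wider than a /24 so 'any' cannot be enumerated by mistake.
    """
    addrs = set()
    for rule in rules:
        net = parse_from(rule)
        if net.prefixlen < 24:
            raise ValueError(f"refusing to enumerate {net}: wider than a /24")
        addrs.update(net)
    return addrs


def diff_coverage(per_host_rules, cidr_rules):
    """Return (extra, missing): addresses the CIDR form admits that the
    per-host form does not, and vice versa, each as a sorted list."""
    per_host = covered_addresses(per_host_rules)
    cidr = covered_addresses(cidr_rules)
    return sorted(cidr - per_host), sorted(per_host - cidr)


# Constructed from the post: seven per-host rules versus one /29 rule.
HOSTS = [f"209.128.91.{n}" for n in range(40, 47)]          # .40 through .46
PER_HOST_RULES = [
    f"pass out log quick on ne0 to tlp1 from {h} to any" for h in HOSTS
]
CIDR_RULES = ["pass out log quick on ne0 to tlp1 from 209.128.91.40/29 to any"]


if __name__ == "__main__":
    extra, missing = diff_coverage(PER_HOST_RULES, CIDR_RULES)
    print("admitted by the /29 but not by the per-host rules:",
          [str(a) for a in extra])
    print("admitted by the per-host rules but not by the /29:",
          [str(a) for a in missing])
```

Run stand-alone, it reports that the /29 additionally admits 209.128.91.47 and drops nothing. Whether that matters depends on what else sits in front of the rule (the post's rules are "quick", so nothing after them gets a say), but it is the kind of difference worth knowing about before swapping one form for the other while chasing the routing problem described above.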