Subject: Serious trouble with IPF
To: None <netbsd-help@netbsd.org>
From: Arto Huusko <arto.huusko@maailma.yok.utu.fi>
List: netbsd-help
Date: 03/08/2001 14:27:31

(This is unrelated to my earlier IPF posting)

There is something extremely weird going on with my firewall
configuration. I am running stock NetBSD/i386 1.5. The trouble
I'm experiencing is this:

I can very well keep on using my computers behind the firewall
(and NAT) all the time. There are no troubles. Direct usage
from the firewall box, or connections to the firewall from the outside
world, however, are troublesome: they work, and then again they don't.

A perfect example that explains it:

Yesterday I could connect from the university to the firewall
via SSH to read my mail. This morning, from a computer behind
the firewall, I sent some mail that went out without errors,
and I browsed the web nicely.

When I got to university later, and tried to connect to my
firewall box with SSH: no luck. I tried to ping it, which didn't
work (however I could ping the gateway of my firewall, so I
could've thought that my computer was down).

Well, I came home and the firewall wasn't down. I tried to ping
the gateway and other computers. Pinging didn't work. Then I fired
up a web browser on a computer behind the firewall: the connection
was perfect - no trouble at all. Well, from the firewall I did

 ping -n <an IP number>

that worked immediately. I issued "ipf -Fa" after which pinging
(and other connections) by name started working magically
from the firewall. I reloaded my ruleset with "ipf -f <ruleset name>":
and the same functionality continued: behind firewall, OK;
inside firewall, not OK.

Then (I have experienced this earlier, so I knew what to do):

 ipf -Fa
 ipf -Fs
 ipf -FS
 ipf -f <ruleset name>

And now everything works without trouble. I also connected to
a university machine using SSH and connected back to the firewall
using SSH: that worked too.

This all is too strange: is IPF the trouble, or is there something
really strange going on with my rulefile (included as an
attachment)?

-- 
Arto Huusko  --  WWW: http://maailma.yok.utu.fi/
                  ** Divecalc **
The Diving Software @ http://maailma.yok.utu.fi/Divecalc

Attachment: ipf.conf

pass out quick on lo0
pass in quick on lo0
# Let everything travel TO/FROM the jolly home LAN
pass out quick on ne0
pass in quick on ne0

# Block everything, unless specified later
block in log on ne1 from any to 130.232.140.1
block out log on ne1 from 130.232.140.1 to any
#
# Block weird spoofs
#
block in quick on ne1 from 192.168.0.0/16 to any
block in quick on ne1 from 172.16.0.0/12 to any
block in quick on ne1 from 10.0.0.0/8 to any
block in quick on ne1 from 127.0.0.0/8 to any
block in quick on ne1 from 0.0.0.0/8 to any
block in quick on ne1 from 169.254.0.0/16 to any
block in quick on ne1 from 192.0.2.0/24 to any
block in quick on ne1 from 204.152.64.0/23 to any
block in quick on ne1 from 224.0.0.0/3 to any
#
# Allow connections to own services
#
# HTTP/apache
pass in quick on ne1 proto tcp from any to 130.232.140.1 port = 80 flags S keep state
# SSH
pass in quick on ne1 proto tcp from any to 130.232.140.1 port = 22 flags S keep state
pass in quick on ne1 proto udp from any to 130.232.140.1 port = 22 keep state
# Yes, even telnet
pass in quick on ne1 proto tcp from any to 130.232.140.1 port = 23 flags S keep state
# SMTP
pass in quick on ne1 proto tcp from any to 130.232.140.1 port = 25 flags S keep state
# FTP, plus the active dataport
pass in quick on ne1 proto tcp from any to 130.232.140.1 port = 21 flags S keep state
pass in quick on ne1 proto tcp from any to any port = 20 flags S keep state
#pass in quick on ne1 proto tcp from any to any port = 20 flags S keep state
# Napster port, goes through NAT first
pass in quick on ne1 proto tcp from any to any port = 6677 flags S keep state
# ICMP pinging: incoming echo requests are icmp-type 8 (type 0 is the echo
# reply, which the state kept for the outgoing icmp rule below already admits)
pass in quick on ne1 proto icmp from any to 130.232.140.1 icmp-type 8 keep state
#
# Outgoing stuff
#
# Deny samba servers from sending anything out
#
block out quick on ne1 proto udp from 130.232.140.1 to any port = 137
block out quick on ne1 proto udp from 130.232.140.1 to any port = 138
block out quick on ne1 proto tcp from 130.232.140.1 to any port = 139
# Deny sunrpc and NFS
block out quick on ne1 proto udp from 130.232.140.1 to any port = 111
block out quick on ne1 proto tcp from 130.232.140.1 to any port = 111
block out quick on ne1 proto udp from 130.232.140.1 to any port = 2049
block out quick on ne1 proto tcp from 130.232.140.1 to any port = 2049
#
# All established TCP connections have a jolly way of working
# (replies to the firewall's own UDP and ICMP traffic, e.g. DNS answers, are
# let back in only through the state these rules keep; ipf -Fs / -FS drop it)
#
pass out quick on ne1 proto tcp all keep state
pass out quick on ne1 proto udp all keep state
pass out quick on ne1 proto icmp from any to any keep state

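As an added example, not part of the original post, the following script evaluates an excerpt of the ne1 rules without a state table (it assumes only the subset of IPF syntax used in the attachment, with the ping rule written for echo requests, icmp-type 8). It shows that SSH and ping from outside pass on the rules alone, while replies to the firewall's own DNS lookups and TCP connections are admitted only by state entries, which is exactly the traffic that "ipf -Fs" / "ipf -FS" reset and is consistent with "ping -n" working while lookups by name do not.

```python
# Added example (not from the original post): a static evaluator for the IPF subset
# used in the attached ipf.conf. It separates inbound packets on ne1 that the rules
# admit on their own from those admitted only by a state entry an outbound "keep
# state" rule created (the entries "ipf -Fs" / "ipf -FS" flush). Addresses ignored.
RULESET = """
block in log on ne1 from any to 130.232.140.1
block out log on ne1 from 130.232.140.1 to any
pass in quick on ne1 proto tcp from any to 130.232.140.1 port = 22 flags S keep state
pass in quick on ne1 proto udp from any to 130.232.140.1 port = 22 keep state
pass in quick on ne1 proto icmp from any to 130.232.140.1 icmp-type 8 keep state
pass out quick on ne1 proto tcp all keep state
pass out quick on ne1 proto udp all keep state
pass out quick on ne1 proto icmp from any to any keep state
"""
def parse_rule(line):
    t, side = line.split(), None
    r = {"action": t[0], "dir": None, "iface": None, "proto": None,
         "quick": "quick" in t, "sport": None, "dport": None, "icmp_type": None}
    for i, tok in enumerate(t):
        if tok in ("in", "out"): r["dir"] = tok
        elif tok == "on": r["iface"] = t[i + 1]
        elif tok == "proto": r["proto"] = t[i + 1]
        elif tok in ("from", "to"): side = tok            # "port = N" belongs to this side
        elif tok == "port": r["dport" if side == "to" else "sport"] = int(t[i + 2])
        elif tok == "icmp-type": r["icmp_type"] = int(t[i + 1])
    return r

def parse_ruleset(text):
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l]

def static_verdict(rules, pkt):
    # IPF without its state table: scan in order, the last match wins, a matching
    # "quick" rule stops the scan, and a packet matching no rule at all is passed.
    verdict = "pass"
    for r in rules:
        if all(r[k] is None or r[k] == pkt.get(k)
               for k in ("dir", "iface", "proto", "sport", "dport", "icmp_type")):
            verdict = r["action"]
            if r["quick"]: break
    return verdict
def state_dependent(rules, probes):
    return [name for name, pkt in probes if static_verdict(rules, pkt) == "block"]
RULES = parse_ruleset(RULESET)
PROBES = [  # constructed packets arriving on ne1
    ("ssh from outside", dict(dir="in", iface="ne1", proto="tcp", dport=22)),
    ("echo request from outside", dict(dir="in", iface="ne1", proto="icmp", icmp_type=8)),
    ("dns reply to the firewall's resolver", dict(dir="in", iface="ne1", proto="udp", sport=53, dport=40321)),
    ("http reply to a client on the firewall", dict(dir="in", iface="ne1", proto="tcp", sport=80, dport=40322)),
]
```

Running `state_dependent(RULES, PROBES)` lists the DNS and HTTP replies: on the rules alone they are blocked, so they only get through while a matching state entry exists.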