Subject: odd ipf behaviour
To: None <current-users@netbsd.org>
From: Paul Newhouse <newhouse@rockhead.com>
List: current-users
Date: 12/01/1999 09:05:12
Platform i386 running a rather recent current.
I have a multi-homed system. One connection is DSL (de1) and the other is with @home (ne0).
From a remote site, A (204.94.209.1), I can ping both connections and get responses.
From a second remote site, V (204.177.156.26), I can get ping to work on the DSL connection
but not on the @home connection. On my local system, while pinging from V, I get:
08:39:22.400850 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:23.305682 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:24.274478 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:25.232631 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:26.218652 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:27.160684 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:28.136848 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:29.131743 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:30.058320 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:31.027342 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
08:39:32.001381 demeter.veritas.com > c528574-b.stcla1.sfba.home.com: icmp: echo request
from tcpdump.
The system seems to eat the ICMP traffic from V (on ne0, but not de1), but not from
A on either interface??? The consumed traffic does not show up on de1 or de0 (LAN); it
just disappears?
I'd appreciate anyone's insight on this?? My netstat -r output and ipf.conf are appended.
TIA,
Paul Newhouse
====== netstat -r
Routing tables
Internet:
Destination          Gateway            Flags  Refs     Use    Mtu  Interface
default              205.219.89.41      UGS       6  903207   1500  de1
24                   24.1.4.193         UGS       5   13635   1500  ne0
24.1.4.192/27        link#3             UC        0       0   1500  ne0
24.1.4.193           00:d0:ba:a8:2a:30  UHL       3       0   1500  ne0
24.1.4.223           link#3             UHL       3     664   1500  ne0
63.197.22.8/29       24.1.4.193         UGS       0      80   1500  ne0
63.198.44.110        24.1.4.193         UGHS      0      37   1500  ne0
127.0.0.1            127.0.0.1          UH       15    8742  32976  lo0
172.16.89/24         link#1             UC        0       0   1500  de0
172.16.89.42/32      00:40:05:a0:4e:b2  ULS2     24 9178260   1500  de0
172.16.89.45/32      0.40.5.a0.41.2a    ULS2      1       8   1500  lo0
172.16.89.255        link#1             UHL       2     433   1500  de0
172.17/24            172.31.255.1       UGS       0    1131   1500  ppp0
172.31.255.1         172.31.255.2       UH        1       0   1500  ppp0
172.31.255.2         127.0.0.1          UH        0      42  32976  lo0
172.31.255.246       127.0.0.1          UGHS      0       0  32976  lo0 =>
172.31.255.246/32    link#1             UC        0       0   1500  de0
205.219.89.40/29     link#2             UC        0       0   1500  de1
205.219.89.41        00:20:6f:02:fa:bb  UHL       1    1391   1500  de1
205.219.89.42        127.0.0.1          UGHS      0    1932  32976  lo0
205.219.89.43        127.0.0.1          UGHS      0       0  32976  lo0
205.219.89.44        00:40:05:42:c3:b8  UHL       0    3643   1500  de1
205.219.89.45        127.0.0.1          UGHS      0     296  32976  lo0
205.219.89.46        00:40:05:42:35:d0  UHL       2 1706130   1500  lo0
205.219.89.47        link#2             UHL       2     672   1500  de1
XNS:
Destination Gateway Flags Refs Use Mtu Interface
ISO:
Destination Gateway Flags Refs Use Mtu Interface
X.25:
Destination Gateway Flags Refs Use Mtu Interface
AppleTalk:
Destination Gateway Flags Refs Use Mtu Interface
Internet6:
Destination                   Gateway                       Flags  Refs  Use    Mtu  Interface
::1                           ::1                           UH        0    0  32976  lo0
fe80:1::/64                   link#1                        UC        0    0   1500  de0
fe80:2::/64                   link#2                        UC        0    0   1500  de1
fe80:3::/64                   link#3                        UC        0    0   1500  ne0
fe80:4::/64                   fe80:4::1                     U         0    0  32976  lo0
fe80:5::/64                   fe80:5::240:5ff:fea0:412a     U         0    0   1500  ppp0
fe80:5::240:5ff:fea0:412a     ::1                           UH        0    0  32976  lo0
fe80:21::/64                  fe80:21::240:5ff:fea0:412a    U         0    0   1280  gif0
fe80:21::240:5ff:fea0:412a    ::1                           UH        0    0  32976  lo0
fe80:22::/64                  fe80:22::240:5ff:fea0:412a    U         0    0   1280  gif1
fe80:22::240:5ff:fea0:412a    ::1                           UH        0    0  32976  lo0
fe80:23::/64                  fe80:23::240:5ff:fea0:412a    U         0    0   1280  gif2
fe80:23::240:5ff:fea0:412a    ::1                           UH        0    0  32976  lo0
fe80:24::/64                  fe80:24::240:5ff:fea0:412a    U         0    0   1280  gif3
fe80:24::240:5ff:fea0:412a    ::1                           UH        0    0  32976  lo0
ff01::/32                     ::1                           U         0    0  32976  lo0
ff02:1::/32                   link#1                        UC        0    0   1500  de0
ff02:2::/32                   link#2                        UC        0    0   1500  de1
ff02:3::/32                   link#3                        UC        0    0   1500  ne0
ff02:4::/32                   fe80:4::1                     UC        0    0  32976  lo0
ff02:5::/32                   fe80:5::240:5ff:fea0:412a     UC        0    0   1500  ppp0
ff02:21::/32                  fe80:21::240:5ff:fea0:412a    UC        0    0   1280  gif0
ff02:22::/32                  fe80:22::240:5ff:fea0:412a    UC        0    0   1280  gif1
ff02:23::/32                  fe80:23::240:5ff:fea0:412a    UC        0    0   1280  gif2
ff02:24::/32                  fe80:24::240:5ff:fea0:412a    UC        0    0   1280  gif3
=========================== ipf.conf
#!/usr/sbin/ipf -f -
#
# Given a configuration like:
#
# 206.100.6.73 (ISP) --- 206.100.6.205 (ISP?)
# |
# |
# |
# 206.100.6.74 (FlowPoint WAN side)
# +-----------+
#+--| FlowPoint |
#| +-----------+ rockhead.com wan.vpn
#| (205.216.89.40/29) (172.16.89.40/29)
#| rtr newhouse bigbox
#| 205.219.89.41 <--> 205.219.89.46 +----------------+ 172.16.89.45
#+------------DSL connection----------|de1 de0|------switch
# (Flowpoint LAN side) | | |||
# | | |||
# | NetBSD | +---+|+---+
# c528574-b.stcla1.sfba.home.com| | | | |
# +---------------------------|ne0 | | | |
# | 24.1.4.202 | | | | |
# | | router box | | | |
# | | | | | .44
# | 172.17/16+-------|ppp0 | | .43 glorias-pc
# | | +----------------+ .42 w95
# | | pimin
# | |
# 24.1.4.193 172.31.255.2
# +----------+ +---------+
# | Cable | |Sportster|
# | Modem | | Vi |
# +----------+ +---------+
# | 172.31.255.1
# | |
#
#
#Router box is compiled with option GATEWAY so when you run:
#
# /usr/sbin/sysctl -w net.inet.ip.forwarding
#
#you get:
#
# net.inet.ip.forwarding = 1
#
#/etc/ifconfig.de0:
# inet 172.16.89.45 netmask 255.255.255.248 broadcast 172.16.89.47
#
#/etc/ifconfig.de1:
# inet 205.219.89.46 205.219.89.41 netmask 255.255.255.248 broadcast 205.219.89.47
#
#/etc/ifaliases
# 205.219.89.42 de1 255.255.255.248
# 205.219.89.43 de1 255.255.255.248
# 205.219.89.44 de1 255.255.255.248
# 205.219.89.45 de1 255.255.255.248
# 172.31.255.246 de0 255.255.255.0
#
# Recommended firewalling options:
#
# get rid of all short IP fragments (too small for valid comparison)
#
block in proto tcp all with short
#
# drop any source routing options
#
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
#
# Trust the internal network
#
pass in quick on de0 from any to any
#
# multi-homed routing
#
# muck with outgoing DSL httpd requests which were NAT'd to 172.31.255.246
#
pass out log on ne0 to de1 proto tcp/udp from 205.219.89.41 to any
pass out log on ne0 to de1 proto tcp/udp from 205.219.89.42 to any
pass out log on ne0 to de1 proto tcp/udp from 205.219.89.43 to any
pass out log on ne0 to de1 proto tcp/udp from 205.219.89.44 to any
pass out log on ne0 to de1 proto tcp/udp from 205.219.89.45 to any
pass out log on ne0 to de1 proto tcp/udp from 205.219.89.46 to any
#pass out log quick on ne0 to de1 proto tcp/udp from 205.219.89.46 port = 80 to any
#
# return incoming cable modem connections back out cable modem
#
pass out log quick on de1 to ne0 from 24.1.4.202 to any
#
# Block RFC 1918 (formerly RFC 1597) private addresses from going/coming to the real net.
# The private blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; a /24 on 10.0.0.0
# would only cover 10.0.0.0-10.0.0.255 and a /16 on 172.16.0.0 only the first of the
# sixteen 172.16-31 networks.
#
block in quick on ne0 from 10.0.0.0/8 to any
block out quick on ne0 from 10.0.0.0/8 to any
#block in quick on ne0 from 172.16.0.0/12 to any
#block out quick on ne0 from 172.16.0.0/12 to any
#block in quick on ne0 from 192.168.0.0/16 to any
#block out quick on ne0 from 192.168.0.0/16 to any
#
block in quick on de1 from 10.0.0.0/8 to any
block out quick on de1 from 10.0.0.0/8 to any
#block in quick on de1 from 172.16.0.0/12 to any
#block out quick on de1 from 172.16.0.0/12 to any
#block in quick on de1 from 192.168.0.0/16 to any
#block out quick on de1 from 192.168.0.0/16 to any
pass out from any to 127.0.0.1/32
pass out on de1 proto udp from any to any port = domain keep state
pass out on ne0 proto udp from any to any port = domain keep state
pass in log quick proto icmp all keep state
#
# pass in ssh connections
#
pass in log on ne0 proto tcp/udp from any to any port = 22 # ssh/scp
pass in log on de1 proto tcp/udp from any to any port = 22 # ssh/scp
#
# block some basic stuff
#
block in log on ne0 proto tcp/udp from any to any port = 19 # chargen
block out log on ne0 proto tcp/udp from any to any port = 19 # chargen
block in log on ne0 proto tcp/udp from any to any port = 21 # ftp
block in log on ne0 proto tcp/udp from any to any port = 23 # telnet
block in log on ne0 proto tcp/udp from any to any port = 79 # finger
block in log on ne0 proto tcp/udp from any to any port = 80 # www ... because at home blocks them anyway
block in log on ne0 proto tcp/udp from any to any port = 110 # pop3 ... because at home blocks them anyway
block out log on ne0 proto tcp/udp from any to any port = 137 # NETBIOS Name Service
block in log on ne0 proto tcp/udp from any to any port = 137 # NETBIOS Name Service
block out log on ne0 proto tcp/udp from any to any port = 138 # NETBIOS Datagram Service
block in log on ne0 proto tcp/udp from any to any port = 138 # NETBIOS Datagram Service
block out log on ne0 proto tcp/udp from any to any port = 139 # NETBIOS Session Service
block in log on ne0 proto tcp/udp from any to any port = 139 # NETBIOS Session Service
block in log on ne0 proto tcp/udp from any to any port = 161 # snmp
block in log on ne0 proto tcp/udp from any to any port = 177 # xdmcp
block in log on ne0 proto tcp/udp from any to any port = 512 # exec
block in log on ne0 proto tcp/udp from any to any port = 513 # login (tcp) / who (udp)
block in log on ne0 proto tcp/udp from any to any port = 514 # shell (tcp) / syslog (udp)
block in log on ne0 proto tcp/udp from any to any port = 515 # printer (lpd)
block out log on ne0 proto tcp/udp from any to any port = 520 # route (RIP)
block in log on ne0 proto tcp/udp from any to any port = 525 # timed
block out log on ne0 proto tcp/udp from any to any port = 525 # timed
block in log on ne0 proto tcp/udp from any to any port = 540 # uucp
block in log on ne0 proto tcp/udp from any to any port = 556 # remotefs
block in log on ne0 proto tcp/udp from any to any port = 2049 # nfs
block in log on ne0 proto tcp/udp from any to any port = 6000 # X11 Window system
#
block in log on de1 proto tcp/udp from any to any port = 19 # chargen
block out log on de1 proto tcp/udp from any to any port = 19 # chargen
block in log on de1 proto tcp/udp from any to any port = 21 # ftp
block in log on de1 proto tcp/udp from any to any port = 23 # telnet
block in log on de1 proto tcp/udp from any to any port = 79 # finger
block out log on de1 proto tcp/udp from any to any port = 137 # NETBIOS Name Service
block in log on de1 proto tcp/udp from any to any port = 137 # NETBIOS Name Service
block out log on de1 proto tcp/udp from any to any port = 138 # NETBIOS Datagram Service
block in log on de1 proto tcp/udp from any to any port = 138 # NETBIOS Datagram Service
block out log on de1 proto tcp/udp from any to any port = 139 # NETBIOS Session Service
block in log on de1 proto tcp/udp from any to any port = 139 # NETBIOS Session Service
block in log on de1 proto tcp/udp from any to any port = 161 # snmp
block in log on de1 proto tcp/udp from any to any port = 177 # xdmcp
block in log on de1 proto tcp/udp from any to any port = 512 # exec
block in log on de1 proto tcp/udp from any to any port = 513 # login (tcp) / who (udp)
block in log on de1 proto tcp/udp from any to any port = 514 # shell (tcp) / syslog (udp)
block in log on de1 proto tcp/udp from any to any port = 515 # printer (lpd)
block in log on de1 proto tcp/udp from any to any port = 525 # timed
block out log on de1 proto tcp/udp from any to any port = 525 # timed
block in log on de1 proto tcp/udp from any to any port = 540 # uucp
block in log on de1 proto tcp/udp from any to any port = 556 # remotefs
block in log on de1 proto tcp/udp from any to any port = 2049 # nfs
block in log on de1 proto tcp/udp from any to any port = 6000 # X11 Window system
#
#
#block return-rst in log proto tcp from any to any flags S/SA
## * return ICMP error packets for invalid UDP packets
#block return-icmp(net-unr) in proto udp all
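To work out which rule in a ruleset like the one above actually decides a given packet, here is an added example (editor's code, not from the post and not IPFilter's own code) that models ipf's rule evaluation: rules are scanned in order, the last matching rule wins unless a matching rule says `quick`, which ends the scan, and a packet no rule matches is passed. It loads a constructed excerpt of the inbound rules above (with 10/8 written at its full mask), then runs through it the echo request from V seen in the tcpdump, the same request carrying a loose-source-route option, and a few TCP connections. The destination 24.1.4.202 is the address the diagram gives ne0; the IP options and interface a real packet carries are assumptions. Under these rules an option-free ICMP echo request on ne0 lands on the `quick` ICMP pass rule, which also has `log` set, so `ipmon` output and `ipfstat -hio` hit counts are the next things to check when a packet vanishes; a port the excerpt never mentions (25 below) is passed by default, which is what a block-list style ruleset does.

```python
"""Trace which ipf(4) rule decides a packet.

Added example, not from the original post: a small model of IPFilter's
matching semantics (rules scanned in order, LAST match wins, a matching
'quick' rule ends the scan, no match means pass).  It understands only
the rule syntax used in the posted ipf.conf; 'log', 'all', 'keep state'
are parsed but do not affect the verdict.
"""
import ipaddress

# Constructed excerpt of the posted inbound rules (10/8 at its full mask).
RULES_TEXT = """
block in proto tcp all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick from any to any with ipopts
pass in quick on de0 from any to any
block in quick on ne0 from 10.0.0.0/8 to any
pass in log quick proto icmp all keep state
pass in log on ne0 proto tcp/udp from any to any port = 22
block in log on ne0 proto tcp/udp from any to any port = 23
block in log on ne0 proto tcp/udp from any to any port = 80
"""

def parse_rule(line):
    """Turn one ipf rule into a dict; keywords that do not affect matching are skipped."""
    toks = line.split()
    r = {"text": line, "action": toks[0], "dir": toks[1], "quick": False,
         "on": None, "proto": None, "src": "any", "dst": "any",
         "dport": None, "with": set()}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r["quick"] = True
        elif t == "on":
            i += 1; r["on"] = toks[i]
        elif t == "proto":
            i += 1; r["proto"] = toks[i].split("/")      # 'tcp/udp' -> either
        elif t == "from":
            i += 1; r["src"] = toks[i]
        elif t == "to":
            i += 1; r["dst"] = toks[i]
        elif t == "port":                                # 'port = N' after 'to': dst port
            i += 2; r["dport"] = int(toks[i])
        elif t == "with":                                # 'with short', 'with ipopts', 'with opt lsrr'
            i += 1
            if toks[i] == "opt":
                i += 1
            r["with"].add(toks[i])
        i += 1
    return r

def packet(direction, iface, proto, src, dst, dport=None, ipopts=(), short=False):
    """Constructed packet summary: the fields ipf rules above can test."""
    return {"dir": direction, "iface": iface, "proto": proto, "src": src,
            "dst": dst, "dport": dport, "ipopts": set(ipopts), "short": short}

def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    """True if rule r applies to pkt."""
    if r["dir"] != pkt["dir"] or (r["on"] and r["on"] != pkt["iface"]):
        return False
    if r["proto"] and pkt["proto"] not in r["proto"]:
        return False
    if not _addr_match(r["src"], pkt["src"]) or not _addr_match(r["dst"], pkt["dst"]):
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    for w in r["with"]:
        if w == "short" and not pkt["short"]:
            return False
        if w == "ipopts" and not pkt["ipopts"]:          # any IP option present
            return False
        if w in ("lsrr", "ssrr") and w not in pkt["ipopts"]:
            return False
    return True

def decide(rules, pkt):
    """ipf verdict for pkt: (action, rule text); last match wins, 'quick' stops the scan."""
    verdict, winner = "pass", "(no rule matched: ipf default is pass)"
    for r in rules:
        if matches(r, pkt):
            verdict, winner = r["action"], r["text"]
            if r["quick"]:
                break
    return verdict, winner

RULES = [parse_rule(ln) for ln in RULES_TEXT.strip().splitlines()]

if __name__ == "__main__":
    samples = [
        packet("in", "ne0", "icmp", "204.177.156.26", "24.1.4.202"),                 # V's echo request
        packet("in", "ne0", "icmp", "204.177.156.26", "24.1.4.202", ipopts=("lsrr",)),
        packet("in", "ne0", "tcp", "204.94.209.1", "24.1.4.202", dport=23),
        packet("in", "ne0", "tcp", "204.94.209.1", "24.1.4.202", dport=22),
        packet("in", "ne0", "tcp", "10.3.2.1", "24.1.4.202", dport=22),            # quick block beats later pass
        packet("in", "ne0", "tcp", "204.94.209.1", "24.1.4.202", dport=25),          # nothing matches
    ]
    for p in samples:
        print(p["proto"], p["src"], "->", p["dst"], p["dport"] or "", decide(RULES, p))
```

The model deliberately ignores `keep state` and the `to <if>` route-to clauses, so it answers only "which rule decides this packet", not where the reply is routed; for that, the `to de1` / `to ne0` rules and `netstat -r` have to be read together.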