Subject: packets not routing?
To: NetBSD Current Users <current-users@netbsd.org>
From: Greywolf <greywolf@starwolf.com>
List: current-users
Date: 05/11/2005 02:36:59
This is bizarre. I cannot route packets. This used to work, and still does
work -- if I use the FAS/HME card (the one with no built-in MAC address).
Hardware: SPARCstation 5, 256MB RAM, FAS/HME card (not in use),
QFE card, hme0-hme3 (hme1 in use).
Following is ifconfig, netstat, sysctl (net), ipf and ipnat information:
ifconfig hme0:
hme1: flags=8a63<UP,BROADCAST,NOTRAILERS,RUNNING,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
address: 08:00:20:9a:42:5d
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 168.150.238.233 netmask 0xffffff00 broadcast 168.150.238.255
inet alias 10.21.12.11 netmask 0xffffff00 broadcast 10.21.12.255
inet alias 168.150.238.239 netmask 0xffffff00 broadcast 168.150.238.255
inet alias 168.150.238.245 netmask 0xffffff00 broadcast 168.150.238.255
inet6 fe80::a00:20ff:fe9a:425d%hme1 prefixlen 64 scopeid 0x3
netstat -rnf inet:
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 168.150.238.1 UGS 3 1637 - hme1
10.21.12/24 link#3 UC 3 0 - hme1
10.21.12.11 08:00:20:9a:42:5d UHLc 2 10 - lo0
10.21.12.217 02:a0:c9:8a:bf:b7 UHLc 5 2420 - hme1
10.21.12.255 link#3 UHLc 2 136 - hme1
127/8 127.0.0.1 UGRS 0 0 33196 lo0
127.0.0.1 127.0.0.1 UH 5 2052 33196 lo0
168.150.238/24 link#3 UC 3 0 - hme1
168.150.238.1 00:02:3b:02:2f:59 UHLc 1 105 - hme1
168.150.238.233 08:00:20:9a:42:5d UHLc 1 50 - lo0
168.150.238.255 link#3 UHLc 4 136 - hme1
sysctl net.inet:
net.inet.ip.forwarding = 1
net.inet.ip.redirect = 1
net.inet.ip.ttl = 64
net.inet.ip.forwsrcrt = 1
net.inet.ip.directed-broadcast = 1
net.inet.ip.allowsrcrt = 1
net.inet.ip.subnetsarelocal = 0
net.inet.ip.mtudisc = 1
net.inet.ip.anonportmin = 32768
net.inet.ip.anonportmax = 65535
net.inet.ip.mtudisctimeout = 600
net.inet.ip.hostzerobroadcast = 1
net.inet.ip.gifttl = 30
net.inet.ip.lowportmin = 600
net.inet.ip.lowportmax = 1023
net.inet.ip.maxfragpackets = 200
net.inet.ip.checkinterface = 1
net.inet.ip.ifq.len = 0
net.inet.ip.ifq.maxlen = 50
net.inet.ip.ifq.drops = 0
net.inet.ip.random_id = 0
net.inet.icmp.maskrepl = 0
net.inet.icmp.returndatabytes = 8
net.inet.icmp.errppslimit = 100
net.inet.icmp.rediraccept = 1
net.inet.icmp.redirtimeout = 600
net.inet.tcp.rfc1323 = 1
net.inet.tcp.sendspace = 32768
net.inet.tcp.recvspace = 32768
net.inet.tcp.mssdflt = 512
net.inet.tcp.syn_cache_limit = 10255
net.inet.tcp.syn_bucket_limit = 105
net.inet.tcp.init_win = 0
net.inet.tcp.mss_ifmtu = 0
net.inet.tcp.sack = 1
net.inet.tcp.win_scale = 1
net.inet.tcp.timestamps = 1
net.inet.tcp.compat_42 = 0
net.inet.tcp.cwm = 0
net.inet.tcp.cwm_burstsize = 4
net.inet.tcp.ack_on_push = 0
net.inet.tcp.keepidle = 14400
net.inet.tcp.keepintvl = 150
net.inet.tcp.keepcnt = 8
net.inet.tcp.slowhz = 2
net.inet.tcp.newreno = 1
net.inet.tcp.log_refused = 0
net.inet.tcp.rstppslimit = 100
net.inet.tcp.delack_ticks = 20
net.inet.tcp.init_win_local = 4
net.inet.udp.checksum = 1
net.inet.udp.sendspace = 9216
net.inet.udp.recvspace = 41600
ipf.conf:
# Notice we do not block outbound traffic on this (yet)
# Okay, ONE interface:
# hme1: 10.21.12/24 (internal)
# 168.150.238.233
# 168.150.238.245
# 168.150.238.239
# block nasties, part I
block in log quick all with short
# default: block everything inbound
block in log on hme1 all head 1
pass out on hme1 all head 2
# Allow Gator VPN through
pass in log quick from 63.197.87.0/24 to 10.21.12.0/24 group 1
pass out log quick from 10.21.12.0/24 to 63.197.87.0/24 group 2
# block nasties, part II
block in log quick from 127.0.0.0/8 to any group 1
block in log quick from any to 127.0.0.0/8 group 1
# but allow our loopback...
pass in quick on lo0 all
pass out quick on lo0 all
################## External networking
# block these networks. They're PITA.
block return-icmp(9) in log quick from 194.73.0.0/16 to any group 1
#12.0.195.178
block return-icmp(9) in log quick from 12.0.195.176/28 to any group 1
# 83.130.215.0 - someplace in israel
block return-icmp(9) in log quick from 83.130.215.0/24 to any group 1
#66.159.223.23 - hm, this could be mike.
#66.41.173.116 - attbi/comcast...?
block return-icmp(9) in log quick from 66.41.173.112/29 to any group 1
#66.54.92.23
block return-icmp(9) in log quick from 66.54.92.0/24 to any group 1
#68.75.76.27
block return-icmp(9) in log quick from 68.75.76.32/29 to any group 1
#69.60.100.112
block return-icmp(9) in log quick from 69.60.100.112/29 to any group 1
#69.8.164.131 - meditay? WTF?
block return-icmp(9) in log quick from 69.8.164.128/27 to any group 1
#115.78.129.84 - IANA reserved block?
block return-icmp(9) in log quick from 115.78.129.0/24 to any group 1
#200.60.183.66 - Lima, Peru. Bye Bye.
block return-icmp(9) in log quick from 200.60.183.0/25 to any group 1
#24.161.247.241 tampabay.rr.com
block return-icmp(9) in log quick from 24.161.247.241/24 to any group 1
### Now that we have THAT out of the way....
##### INTERNAL
# Allow everything to/from a 10.21.12 address, and anything on our systems
pass in quick from 10.21.12.0/24 to 10.21.12.0/24 group 1
# INTERNAL TO EXTERNAL PERMISSIONS
pass in from 10.21.12.0/24 to any
# ...but:
# INTERNAL MACHINES CANNOT CONNECT TO EXTERNAL SMTP!!
block out log quick proto tcp from 10.21.12.0/24 to any port = 25 group 2
##### DMZ
# Allow anyone to connect to lothlorien's smtp, ssh, ftp, ftp-data...
pass in proto tcp from any to lothlorien port = smtp group 1
pass in proto tcp from any to lothlorien port = ssh group 1
pass in proto tcp from any to lothlorien port = ftp group 1
pass in proto tcp from any to lothlorien port = ftp-data group 1
pass in proto tcp from any to lothlorien port = http group 1
pass in proto tcp from any to lothlorien port = https group 1
# ...and to connect to ANY domain server.
pass in proto tcp/udp from any to any port = domain group 1
pass in proto tcp from any to any port = auth group 1
# ...and to connect to pegwitch.org port http/https
pass in proto tcp from any to www.pegwitch.org port = http group 1
pass in proto tcp from any to www.pegwitch.org port = https group 1
pass in quick proto icmp from any to any group 1
pass in quick proto tcp/udp from any to any port > 1023 group 1
# allow pop from 69.107.0.0 for Sandi
pass in log proto tcp/udp from 69.107.0.0/16 to lothlorien port = pop3 group 1
# ...but block NFS...
block in log proto tcp/udp from any to lothlorien port = nfs group 1
# ...but block X (6000)...
block in log proto tcp from any to any port = X11 group 1
# ...and the X font server (7100)...
block in log proto tcp from any to any port = 7100 group 1
ipnat.conf:
#### Following mapping AROUND 10.21.12.11
#map-block hme1 10.21.12.1/32 -> 168.150.238.245/32 ports auto
#map-block hme1 10.21.12.3/32 -> 168.150.238.245/32 ports auto
#map-block hme1 10.21.12.4/30 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.0/29 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.8/31 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.10/32 -> 168.150.238.245/32 ports auto
### 10.21.12.11 is right here!
map-block hme1 10.21.12.12/30 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.16/28 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.32/27 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.64/26 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.128/25 -> 168.150.238.245/32 ports auto
#
--*greywolf;
--
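Added example, not part of the post above: two consistency checks a reviewer would run over the address blocks in the quoted ipnat.conf and ipf.conf. The first verifies that the map-block rules, which are carved around the router's own 10.21.12.11, really tile the rest of 10.21.12.0/24 with no gap or overlap (a silent gap here looks exactly like "packets not routing" for the hosts in it). The second pairs each "#<address>" comment in the blocklist with the block rule under it and reports addresses the rule does not actually cover, as well as CIDRs written with host bits set. The input strings are copied from the post; the function names and the report format are my own.

```python
"""Sanity checks over ipf/ipnat address blocks (added example, not from the post)."""
import ipaddress
import re

# Constructed input: the active map-block lines copied from the posted ipnat.conf.
IPNAT_CONF = """\
map-block hme1 10.21.12.0/29 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.8/31 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.10/32 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.12/30 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.16/28 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.32/27 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.64/26 -> 168.150.238.245/32 ports auto
map-block hme1 10.21.12.128/25 -> 168.150.238.245/32 ports auto
"""

# Constructed input: comment/rule pairs copied from the posted ipf.conf blocklist.
BLOCKLIST = """\
#12.0.195.178
block return-icmp(9) in log quick from 12.0.195.176/28 to any group 1
#66.41.173.116 - attbi/comcast...?
block return-icmp(9) in log quick from 66.41.173.112/29 to any group 1
#68.75.76.27
block return-icmp(9) in log quick from 68.75.76.32/29 to any group 1
#24.161.247.241 tampabay.rr.com
block return-icmp(9) in log quick from 24.161.247.241/24 to any group 1
"""

MAP_BLOCK = re.compile(r"^\s*map-block\s+\S+\s+(\S+)\s+->")
COMMENT_ADDR = re.compile(r"^\s*#\s*(\d+\.\d+\.\d+\.\d+)")
BLOCK_FROM = re.compile(r"^\s*block\b.*\bfrom\s+(\S+)\s+to\b")


def map_block_sources(conf):
    """Return the source network of every active map-block rule (commented-out lines skipped)."""
    nets = []
    for line in conf.splitlines():
        m = MAP_BLOCK.match(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=True))
    return nets


def coverage_report(nets, internal, excluded):
    """Compare the union of nets against (internal minus excluded).

    Returns (overlaps, missing, extra): overlaps are (address, first_net, second_net)
    triples, missing are addresses that should be NATed but are not, extra are
    NATed addresses outside the intended set (the router's own address, for one).
    """
    wanted = set(internal) - set(excluded)
    seen = {}
    overlaps = []
    for net in nets:
        for addr in net:
            if addr in seen:
                overlaps.append((str(addr), str(seen[addr]), str(net)))
            seen[addr] = net
    covered = set(seen)
    missing = [str(a) for a in sorted(wanted - covered)]
    extra = [str(a) for a in sorted(covered - wanted)]
    return overlaps, missing, extra


def check_nat(conf=IPNAT_CONF):
    """Run the coverage check with the post's internal /24 and router address."""
    return coverage_report(map_block_sources(conf),
                           ipaddress.ip_network("10.21.12.0/24"),
                           [ipaddress.ip_address("10.21.12.11")])


def check_blocklist(conf):
    """Pair each '#<address>' comment with the block rule that follows it.

    Returns (address, cidr, problem) tuples, where problem is 'not-covered' when
    the commented address lies outside the rule's CIDR, or 'host-bits-set' when
    the CIDR is written with host bits set; empty when everything is consistent.
    """
    problems = []
    pending = None
    for line in conf.splitlines():
        c = COMMENT_ADDR.match(line)
        if c:
            pending = ipaddress.ip_address(c.group(1))
            continue
        b = BLOCK_FROM.match(line)
        if b and pending is not None:
            cidr = b.group(1)
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:  # 'any' or a hostname: nothing to check
                pending = None
                continue
            if str(net) != cidr:  # e.g. 24.161.247.241/24 normalises to 24.161.247.0/24
                problems.append((str(pending), cidr, "host-bits-set"))
            if pending not in net:
                problems.append((str(pending), cidr, "not-covered"))
            pending = None
    return problems


if __name__ == "__main__":
    print("NAT coverage (overlaps, missing, extra):", check_nat())
    print("Blocklist problems:", check_blocklist(BLOCKLIST))
```

Run as-is, the NAT check comes back clean for the posted rules, while the blocklist check reports that 68.75.76.32/29 does not contain the 68.75.76.27 it was written for, and that 24.161.247.241/24 has host bits set (ipf masks it to 24.161.247.0/24, so it still matches, but the intent is clearer written that way).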