I have a Tru64 version 5.1A 2 member cluster -- i.e. with the TruCluster
software installed, which I understand is a separate kernel from the
standard Tru64. I built ipfilter 4.1.3 on this system and installed it on
each cluster member -- that is, each member has its own sysconfigtab file
for loading the module. The module loads OK on each member and I get no
errors running ipf, ipfstat and ipmon, but some problems occur when the
filter is running. A bit more about the cluster -- each member
communicates through a direct link - a so-called memory channel
interconnect, which gives each member an internal IP address on the
10.0.0.x network for intermember communication. Each member has its own
IP address and the cluster runs gated and has cluster alias IP addresses,
the routing for which is handled by the gated daemon. I've got 3 standard
network interfaces on each member and so each member actually has 3
"real" IP addresses and there are 3 cluster alias IP addresses (1 alias
for each of my 3 subnets). I have my IP filter configuration allow all
traffic on the internal interfaces: (lo0 - loopback and ics0 - the memory
channel intercommunication) - I also expressly allow all traffic from my
local subnets to my ethernet ports and then selectively block port
traffic. The cluster runs web and mail services. What I notice happening
is that all inbound mail traffic seems to fail and my mail log gets full
of messages like:
Dec 27 09:13:21 keck1 postfix/smtpd[1451577]: connect from unknown[82.158.5.179]
Dec 27 09:13:41 keck1 postfix/smtpd[1451577]: lost connection after CONNECT from unknown[82.158.5.179]
Dec 27 09:13:41 keck1 postfix/smtpd[1451577]: disconnect from unknown[82.158.5.179]
Not a single mail seems to come in. I also have an OpenBSD 3.4 system
on one of my subnets that hangs NFS connections to the cluster when
ipfilter is loaded on the cluster.
I would appreciate any help using IPfilter on my system.
Below are my packet filter rules for the cluster -- ics0 is the cluster
interconnect, tu0, tu1 and tu2 are ethernet interfaces, one for each of my
3 class C networks, and lo0 is the loopback:
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ics0 all
pass out quick on ics0 all
pass out quick on tu0 proto tcp from any to any keep state
pass out quick on tu0 proto udp from any to any keep state
pass out quick on tu0 proto icmp from any to any keep state
pass out quick on tu1 proto tcp from any to any keep state
pass out quick on tu1 proto udp from any to any keep state
pass out quick on tu1 proto icmp from any to any keep state
pass out quick on tu2 proto tcp from any to any keep state
pass out quick on tu2 proto udp from any to any keep state
pass out quick on tu2 proto icmp from any to any keep state
block out log quick on tu0 all
block out log quick on tu1 all
block out log quick on tu2 all
block in log quick on tu0 from 192.168.0.0/16 to any
block in log quick on tu0 from 10.0.0.0/8 to any
block in log quick on tu0 from 172.16.0.0/12 to any
block in quick on tu0 from 0.0.0.0/8 to any
block in log quick on tu0 from 169.254.0.0/16 to any
block in log quick on tu0 from 224.0.0.0/3 to any
block in log quick on tu1 from 192.168.0.0/16 to any
block in log quick on tu1 from 10.0.0.0/8 to any
block in log quick on tu1 from 172.16.0.0/12 to any
block in quick on tu1 from 0.0.0.0/8 to any
block in log quick on tu1 from 169.254.0.0/16 to any
block in log quick on tu1 from 224.0.0.0/3 to any
block in log quick on tu2 from 192.168.0.0/16 to any
block in log quick on tu2 from 10.0.0.0/8 to any
block in log quick on tu2 from 172.16.0.0/12 to any
block in quick on tu2 from 0.0.0.0/8 to any
block in log quick on tu2 from 169.254.0.0/16 to any
block in log quick on tu2 from 224.0.0.0/3 to any
pass in quick on tu0 from 128.218.64.0/24 to any
pass in quick on tu0 from 128.218.65.0/24 to any
pass in quick on tu0 from 128.218.66.0/24 to any
pass in quick on tu1 from 128.218.64.0/24 to any
pass in quick on tu1 from 128.218.65.0/24 to any
pass in quick on tu1 from 128.218.66.0/24 to any
pass in quick on tu2 from 128.218.64.0/24 to any
pass in quick on tu2 from 128.218.65.0/24 to any
pass in quick on tu2 from 128.218.66.0/24 to any
block in log quick on tu0 from any to any port = 445
block in log quick on tu1 from any to any port = 445
block in log quick on tu2 from any to any port = 445
block in log quick proto tcp from any to any port = 23
block in log quick proto udp from any to any port = 1025
block in log quick from any to any port = 111
pass in quick from 128.218.0.0/16 to any
pass in quick from 169.230.0.0/16 to any
pass in quick from 64.54.0.0/16 to any
pass in quick proto tcp from any to any port = 22
pass in quick proto tcp from any to any port = 25
pass in quick proto tcp from any to any port = 21
pass in quick proto tcp from any to any port = 80
pass in quick proto tcp from any to any port = 465
pass in quick proto tcp from any to any port = 110
pass in quick proto tcp from any to any port = 143
pass in quick proto tcp from any to any port = 587
pass in quick proto tcp from any to any port = 993
pass in quick proto tcp from any to any port = 995
pass in quick proto tcp from any to any port = 443
pass in quick proto tcp from any to any port = 8080
block in log on tu0 from any to any
block in log on tu1 from any to any
block in log on tu2 from any to any
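As an added example (not part of the original post), the following Python script simulates ipf's rule evaluation (last match wins, unless a matching rule is "quick") for the rule syntax used in the ruleset above, so that one can check which rule a given packet actually hits. The embedded ruleset is a constructed subset of the posted rules and the host addresses in the sample packets are constructed placeholders.

```python
import ipaddress

# Constructed subset of the posted ruleset, in the same ipf syntax; the full
# list can be pasted in unchanged.
RULES = """\
pass in quick on lo0 all
pass out quick on tu0 proto tcp from any to any keep state
block out log quick on tu0 all
block in log quick on tu0 from 10.0.0.0/8 to any
pass in quick on tu0 from 128.218.64.0/24 to any
block in log quick from any to any port = 111
pass in quick proto tcp from any to any port = 25
block in log on tu0 from any to any
"""

def parse(line):
    """Parse one rule of the form used above into a dict (unsupported keywords ignored)."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": "any", "dst": "any", "port": None,
         "keep_state": "keep" in t}
    for i, w in enumerate(t):
        if w == "on":
            r["iface"] = t[i + 1]
        elif w == "proto":
            r["proto"] = t[i + 1]
        elif w == "from":
            r["src"] = t[i + 1]
        elif w == "to":
            r["dst"] = t[i + 1]
        elif w == "port":          # "port = N" applies to the destination port
            r["port"] = int(t[i + 2])
    return r

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, pkt):
    return (r["dir"] == pkt["dir"]
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
            and (r["port"] is None or r["port"] == pkt["dport"]))

def evaluate(rules, pkt):
    """Return (action, rule) for a packet: last matching rule wins, a matching
    'quick' rule ends evaluation, and ipf passes packets no rule matches."""
    result = ("pass", "default (no rule matched)")
    for line in rules.strip().splitlines():
        r = parse(line)
        if matches(r, pkt):
            result = (r["action"], line)
            if r["quick"]:
                break
    return result

# Constructed sample: inbound SMTP on tu0 from the address seen in the mail log.
SMTP_IN = {"dir": "in", "iface": "tu0", "proto": "tcp", "src": "82.158.5.179",
           "dst": "128.218.64.10", "dport": 25}
```

Feeding SMTP_IN to evaluate() shows the inbound SYN is passed by the "port = 25" rule, while an inbound portmap packet from a 128.218.64.0/24 host never reaches the "port = 111" block because the per-subnet "pass in quick on tu0" rule matches first.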