I only have short windows of opportunity to put this into production. I am getting very limited traffic through it all originating from my internal networks such as SSH to this server or HTTP through it into a LAN host.

Now that things are beginning to work, could someone help me understand what rules I have created that need to be fixed? For example, why can my LAN hosts not browse Internet sites?

Here is the ipfilter.log extract.
++++
Jan 19 10:15:43 Osiris ipmon[4613]: [ID 702911 local0.warning] 10:15:42.832991 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 19 10:16:46 Osiris ipmon[4613]: [ID 702911 local0.warning] 10:16:46.832944 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 19 10:17:51 Osiris ipmon[4613]: [ID 702911 local0.warning] 10:17:50.833462 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 19 10:18:55 Osiris ipmon[4613]: [ID 702911 local0.warning] 10:18:54.832876 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 19 10:19:59 Osiris ipmon[4613]: [ID 702911 local0.warning] 10:19:58.832833 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 19 10:21:03 Osiris ipmon[4613]: [ID 702911 local0.warning] 10:21:02.832790 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 12:46:44 Osiris ipmon[153]: [ID 702911 local0.warning] 12:46:44.389366 hme0 @0:16 b 66.61.21.243,3589 -> 68.16.185.130,1026 PR udp len 20 758 IN
Jan 21 12:58:21 Osiris ipmon[153]: [ID 702911 local0.warning] 12:58:21.344312 hme0 @0:16 b 24.64.181.59,12178 -> 68.16.185.130,1026 PR udp len 20 508 IN
Jan 21 12:58:21 Osiris ipmon[153]: [ID 702911 local0.warning] 12:58:21.344379 hme0 @0:16 b 24.64.181.59,12178 -> 68.16.185.130,1027 PR udp len 20 508 IN
Jan 21 12:58:21 Osiris ipmon[153]: [ID 702911 local0.warning] 12:58:21.345930 hme0 @0:16 b 24.64.181.59,12178 -> 68.16.185.130,1028 PR udp len 20 508 IN
Jan 21 13:00:01 Osiris ipmon[153]: [ID 702911 local0.warning] 13:00:01.202068 hme0 @0:16 b 125.253.35.71,2772 -> 68.16.185.130,5900 PR tcp len 20 64 -S IN
Jan 21 13:00:04 Osiris ipmon[153]: [ID 702911 local0.warning] 13:00:03.552921 hme0 @0:16 b 125.253.35.71,2772 -> 68.16.185.130,5900 PR tcp len 20 64 -S IN
Jan 21 13:00:23 Osiris ipmon[153]: [ID 702911 local0.warning] 13:00:22.758971 hme0 @0:16 b 24.64.58.174,10720 -> 68.16.185.130,1028 PR udp len 20 512 IN
Jan 21 13:15:35 Osiris ipmon[153]: [ID 702911 local0.warning] 13:15:35.167482 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:16:39 Osiris ipmon[153]: [ID 702911 local0.warning] 13:16:39.165699 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:17:43 Osiris ipmon[153]: [ID 702911 local0.warning] 13:17:43.165703 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:18:47 Osiris ipmon[153]: [ID 702911 local0.warning] 13:18:47.165732 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:18:52 Osiris ipmon[153]: [ID 702911 local0.warning] 13:18:52.353920 hme0 @0:16 b 24.190.131.201,26369 -> 68.16.185.130,1026 PR udp len 20 674 IN
Jan 21 13:19:51 Osiris ipmon[153]: [ID 702911 local0.warning] 13:19:51.165788 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:20:38 Osiris ipmon[153]: [ID 702911 local0.warning] 13:20:37.110411 hme0 @0:16 b 24.64.195.197,23203 -> 68.16.185.130,1028 PR udp len 20 508 IN
Jan 21 13:20:55 Osiris ipmon[153]: [ID 702911 local0.warning] 13:20:55.165903 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:21:59 Osiris ipmon[153]: [ID 702911 local0.warning] 13:21:59.165972 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:23:02 Osiris ipmon[153]: [ID 702911 local0.warning] 13:23:02.300268 hme0 @0:16 b 24.64.241.24,15980 -> 68.16.185.130,1026 PR udp len 20 512 IN
Jan 21 13:23:03 Osiris ipmon[153]: [ID 702911 local0.warning] 13:23:03.166177 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:24:07 Osiris ipmon[153]: [ID 702911 local0.warning] 13:24:07.166253 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:25:12 Osiris ipmon[153]: [ID 702911 local0.warning] 13:25:11.166384 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:26:43 Osiris ipmon[153]: [ID 702911 local0.warning] 13:26:42.487151 hme0 @0:16 b 202.54.213.46,4918 -> 68.16.185.130,1433 PR tcp len 20 48 -S IN
Jan 21 13:26:46 Osiris ipmon[153]: [ID 702911 local0.warning] 13:26:45.502702 hme0 @0:16 b 202.54.213.46,4918 -> 68.16.185.130,1433 PR tcp len 20 48 -S IN
++++

I am not sure what I am doing wrong yet in my rules. An excerpt is included next.

++++
# ipfstat -io
log level local7.debug out on qfe0 all
log level local7.debug out on qfe2 all
log level local7.debug out on hme0 all
block out log quick on hme0 from any to 192.168.0.0/16
block out log quick on hme0 from any to 172.16.0.0/12
block out log quick on hme0 from any to 10.0.0.0/8
block out log quick on hme0 from any to 127.0.0.0/8
block out log quick on hme0 from any to 0.0.0.0/8
block out log quick on hme0 from any to 169.254.0.0/16
block out log quick on hme0 from any to 192.0.2.0/24
block out log quick on hme0 from any to 204.152.64.0/23
block out log quick on hme0 from any to 224.0.0.0/3
pass out quick on qfe0 all
pass out quick on qfe2 all
pass out quick on lo0 all
pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state
pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain to any port = domain keep state
pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain to any port = domain
pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port = ntp to any port = ntp
pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
pass out quick on hme0 proto udp from 172.16.0.0/12 to any
pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep state
log level local7.debug in on qfe0 all
log level local7.debug in on qfe2 all
log level local7.debug in on hme0 all
block in all
block in log quick on hme0 from 192.168.0.0/16 to any
block in log quick on hme0 from 172.16.0.0/12 to any
block in log quick on hme0 from 10.0.0.0/8 to any
block in log quick on hme0 from 127.0.0.0/8 to any
block in log quick on hme0 from 0.0.0.0/8 to any
block in log quick on hme0 from 169.254.0.0/16 to any
block in log quick on hme0 from 192.0.2.0/24 to any
block in log quick on hme0 from 204.152.64.0/23 to any
block in log quick on hme0 from 224.0.0.0/3 to any
block in quick on hme0 proto tcp from any port = 113 to any
block in log quick from any to any with short
block in log quick on hme0 from any to 68.16.185.28/27
block in log quick on hme0 proto icmp from any to any
block in log quick on hme0 proto tcp from any to any port = telnet
block in log quick on hme0 proto tcp/udp from any to any port = sunrpc
block in log quick on hme0 proto tcp from any to any port = login
block in log quick on hme0 proto tcp/udp from any to any port = 514
block in log quick on hme0 proto tcp from any to any port = printer
block in log quick on hme0 proto tcp from any to any port = 1214
block in log quick on hme0 proto tcp/udp from any to any port = nfsd
block in log quick on hme0 proto tcp from any to any port = 4661
block in log quick on hme0 proto tcp from any to any port = 4662
block in log quick on hme0 proto udp from any to any port = 4665
block in log quick on hme0 proto tcp from any to any port = 5190
block in log quick on hme0 proto udp from any to any port = 4000
block in log quick on hme0 proto tcp from any to any port = 6000
block in log quick on hme0 proto udp from any to any port = 8998
pass in quick on qfe0 from any to any
pass in quick on qfe2 from any to any
pass in quick on lo0 all
pass in quick on hme0 proto tcp from any port = smtp to 68.16.185.34/32 port = smtp keep state
pass in quick on hme0 proto udp from any port = domain to 68.16.185.34/32 port = domain keep state
pass in quick on hme0 proto udp from any port = domain to 68.16.185.34/32 port = domain
pass in quick on hme0 proto tcp from any port = ntp to 68.16.185.34/32 port = ntp keep state

# ipnat -slv
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   44
wilds   0
table ffffffff7ffffba0 list 30002026340
List of active MAP/Redirect filters:
map hme0 192.168.200.40/32 -> 68.16.185.33/32
map hme0 68.16.185.133/32 -> 192.168.200.40/32
map hme0 192.168.200.59/32 -> 68.16.185.34/32
map hme0 68.16.185.134/32 -> 192.168.200.59/32
++++

I appreciate anyone's assistance here.
Phil Dibowitz wrote:
On Wed, Jan 17, 2007 at 01:12:52PM -0500, mdpeters wrote:

I am getting syslogging messages now. I have to wait until the evening to test it live again.

Do the other rules look fine to you? I am used to other products like Checkpoint. If there is a cleaner way I would like to hear about it.

NAT hosts are in various networks internally. I might have one in the DMZ right off one ipfilter interface while another host sits on the LAN.

Thanks for the logging tip. The obvious right?


I haven't looked over your rules in depth... I'd rather not take the time to
analyze them when your logs will tell you exactly what rule is causing the
problems.

Besides - you're not getting to the rules yet - pfil isn't even loaded.
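The thread's advice is to let the logs name the offending rule, and every ipmon line above carries that pointer in its `@group:rule` field (`@0:13` for the outbound entries, `@0:16` for the inbound ones), which can be matched against the numbered rule list that `ipfstat -ion` prints. Two things are worth knowing when doing that triage on the rule set shown: the repeated `OUT` entries are the server's own NTP multicast to 224.0.1.1, which the `block out log quick on hme0 from any to 224.0.0.0/3` rule covers, and the catch-all `block in all` rule carries no `log` keyword, so anything it drops (such as an unstated return packet for a LAN host's web request) never reaches ipmon at all. The parser below is an added example for this kind of triage; it is not code from the original thread or from the IPFilter project. It tallies blocked packets by direction, rule reference, protocol and destination port, and separately lists blocked packets whose source is RFC 1918 space, which is what a LAN host's failed web request would look like if a logged rule had dropped it. The sample lines are copied from the log extract in the post; the extra LAN line is constructed, and the field layout encoded in the regular expression (including the optional Solaris `[ID ...]` syslog tag) is an assumption drawn from the lines shown.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines copied from the ipmon extract in the post above.
SAMPLE_LOG = """\
Jan 21 12:58:21 Osiris ipmon[153]: [ID 702911 local0.warning] 12:58:21.344312 hme0 @0:16 b 24.64.181.59,12178 -> 68.16.185.130,1026 PR udp len 20 508 IN
Jan 21 13:00:01 Osiris ipmon[153]: [ID 702911 local0.warning] 13:00:01.202068 hme0 @0:16 b 125.253.35.71,2772 -> 68.16.185.130,5900 PR tcp len 20 64 -S IN
Jan 21 13:15:35 Osiris ipmon[153]: [ID 702911 local0.warning] 13:15:35.167482 hme0 @0:13 b 68.16.185.130,123 -> 224.0.1.1,123 PR udp len 20 76 OUT
Jan 21 13:20:38 Osiris ipmon[153]: [ID 702911 local0.warning] 13:20:37.110411 hme0 @0:16 b 24.64.195.197,23203 -> 68.16.185.130,1028 PR udp len 20 508 IN
Jan 21 13:26:43 Osiris ipmon[153]: [ID 702911 local0.warning] 13:26:42.487151 hme0 @0:16 b 202.54.213.46,4918 -> 68.16.185.130,1433 PR tcp len 20 48 -S IN
"""

# Constructed line (not from the post): what a logged block of a LAN host's
# outbound HTTP request would look like. 198.51.100.7 is documentation space.
CONSTRUCTED_LAN_LINE = (
    "Jan 21 13:30:00 Osiris ipmon[153]: [ID 702911 local0.warning] 13:30:00.000000 "
    "hme0 @0:1 b 192.168.200.50,40001 -> 198.51.100.7,80 PR tcp len 20 48 -S OUT\n"
)

# Field layout assumed from the lines above: syslog stamp, host, ipmon[pid],
# optional Solaris message-id tag, ipmon's own timestamp, interface,
# @group:rule, action letter(s), src[,port] -> dst[,port], proto, lengths,
# optional TCP flags, direction.
IPMON_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ \S+\] )?"
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[A-Za-z]+) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)\s*$"
)

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ipmon_line(line):
    """Parse one ipmon syslog line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["blocked"] = rec["action"].startswith("b")   # 'b' = blocked, 'p' = passed
    rec["rule_ref"] = "@%s:%s" % (rec["group"], rec["rule"])
    for key in ("sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize_blocks(text):
    """Count blocked packets per (direction, rule reference, proto, dst port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["blocked"]:
            counts[(rec["dir"], rec["rule_ref"], rec["proto"], rec["dport"])] += 1
    return counts


def blocked_from_private(text):
    """Blocked packets whose source is RFC 1918 space (LAN-originated traffic)."""
    hits = []
    for line in text.splitlines():
        rec = parse_ipmon_line(line)
        if rec and rec["blocked"]:
            src = ipaddress.ip_address(rec["src"])
            if any(src in net for net in PRIVATE_NETS):
                hits.append(rec)
    return hits


def report(text):
    """One line per (direction, rule, proto, port), most frequent first."""
    rows = []
    for (direction, ref, proto, dport), n in summarize_blocks(text).most_common():
        rows.append("%-3s %-6s %-4s port %-5s %d" % (direction, ref, proto, dport, n))
    lan = blocked_from_private(text)
    rows.append("blocked packets from RFC 1918 sources: %d" % len(lan))
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
    print(report(CONSTRUCTED_LAN_LINE))
```

Run against the real `/var/adm/ipfilter.log` (or wherever syslog puts the `local0` facility) the tally tells you which rule references dominate; an empty RFC 1918 list while LAN browsing still fails is the hint that the drop is happening in a rule that does not log.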
