Can someone please explain to me what I am doing wrong here. If I
specify a specific host address (for e1000g0 or disable IP Filter) I
can SSH out of the global zone, but if I use the default host address
specification 0/32, I can't. The configuration that I am working on
is based upon this diagram (if you are interested):
http://www.flickr.com/photos/gbrunett/3237220412/
Any feedback would be appreciated!
Thanks in advance,
Glenn
************************************************************
*** Here are the interfaces:
************************************************************
isc...@isc-model-1:~$ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu
8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0:
flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu
1500 index 2
inet 192.168.2.6 netmask ffffff00 broadcast 192.168.2.255
global_int_0:
flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000
index 3
inet 192.168.0.254 netmask ffffff00 broadcast 192.168.0.255
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu
8252 index 1
inet6 ::1/128
************************************************************
*** Here is the IPF configuration:
************************************************************
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
#
# Allow the global zone to initiate any outbound communications (for now)
#
pass out log quick from 0.0.0.0/32 to any keep state keep frags
#
# Allow DHCP for the global zone.
#
pass in log quick proto udp from any port = 67 to any port = 68 keep state
#
# Allow world to communicate with web zone for TCP 80/443
#
pass in log quick proto tcp from any to 0/32 port = 80 keep state
pass in log quick proto tcp from any to 0/32 port = 443 keep state
#
# Do not allow the zones to talk directly to the global zone
#
block in log quick proto tcp from 192.168.0.0/24 to 192.168.0.254
#
# Allow web zone to be able to communicate out (SSH for now)
#
pass in log quick proto tcp from 192.168.0.100 to any port = ssh keep state
#
block in log all
block in from any to 255.255.255.255/32
block in from any to 127.0.0.1/32
************************************************************
*** Here is the IPNAT configuration (should not matter for
*** this issue, but it is included for completeness):
************************************************************
map e1000g0 192.168.0.100 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.100 -> 0/32
rdr e1000g0 0/32 port 80 -> 192.168.0.100 port 80
rdr e1000g0 0/32 port 443 -> 192.168.0.100 port 443
************************************************************
*** Here is the success example:
************************************************************
isc...@isc-model-1:~$ pfexec vi /etc/ipf/ipf.conf
[set first IPF rule source address to 192.168.2.6/32]
isc...@isc-model-1:~$ pfexec ipf -Fa -f /etc/ipf/ipf.conf
isc...@isc-model-1:~$ ssh 192.168.2.1 -l gbrunett
Password:
Last login: Mon Feb 2 11:28:39 2009 from 192.168.2.6
orion:~ gbrunett$ logout
Connection to 192.168.2.1 closed.
************************************************************
*** Here is the failure example:
************************************************************
isc...@isc-model-1:~$ pfexec vi /etc/ipf/ipf.conf
[set first IPF rule source address to 0.0.0.0/32]
isc...@isc-model-1:~$ pfexec ipf -Fa -f /etc/ipf/ipf.conf
isc...@isc-model-1:~$ ssh 192.168.2.1 -l gbrunett
[just hangs, and a snoop trace shows the SYN-ACKs are being
received. The IPF log shows that IPF is dropping those SYN-ACKs
because of the "block in log all" rule (#6).]
_______________________________________________
networking-discuss mailing list
[email protected]
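The two experiments in the post, replayed through a small model of IP Filter's stateful matching. This is an added example written for this page, not IP Filter code and not something from the post or the list. It models only what the two SSH attempts exercise: the state table is consulted before the rule list, `quick` rules stop at the first match while the others use last-match, the default with no matching rule is pass, and `0.0.0.0/32` in a filter rule is treated as a literal host address that an outbound SYN from 192.168.2.6 does not match (an assumption, but it is the behaviour the post's snoop and ipmon observations imply: no state is created, and the SYN-ACK falls through to `block in log all`). The DHCP, 80/443 and trailing broadcast/loopback rules are either UDP or never match a TCP/22 SYN-ACK, so they are omitted; port numbers and the 192.168.2.x hosts are the post's, the ephemeral port 40000 is made up.

```python
"""Model of the posted ipf.conf behaviour for an outbound SSH handshake.

Constructed example: not IP Filter's code, only the pieces of its matching
logic needed to show why `from 0.0.0.0/32` fails and `from 192.168.2.6/32`
works for the global zone's outbound SSH.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the host
    proto: str      # only "tcp" is modelled
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" for SYN, "SA" for SYN-ACK (informational only)


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port
    keep_state: bool = False
    quick: bool = False
    label: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or p.dport == self.dport))


class Filter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()  # (proto, src, sport, dst, dport) of tracked flows

    def evaluate(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # State lookup happens before the rule list: a reply to a tracked
        # connection passes without touching the rules at all.
        if key in self.state or rev in self.state:
            return "pass (state)"
        winner = None
        for r in self.rules:
            if not r.matches(p):
                continue
            winner = r
            if r.quick:          # quick: first match decides
                break
            # non-quick: keep scanning, last match wins
        if winner is None:
            return "pass (no match, default)"   # ipf passes when nothing matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(key)                 # this is what lets the SYN-ACK back in
        return f"{winner.action} ({winner.label})"


def build_rules(global_src: str) -> List[Rule]:
    """The TCP-relevant subset of the posted ipf.conf, with the first rule's
    source address parameterised (the only thing changed between the two runs)."""
    n = ipaddress.ip_network
    return [
        Rule("pass", "out", n(global_src), ANY, keep_state=True, quick=True,
             label=f"pass out from {global_src}"),
        Rule("block", "in", n("192.168.0.0/24"), n("192.168.0.254/32"), quick=True,
             label="block zones -> global"),
        Rule("pass", "in", n("192.168.0.100/32"), ANY, dport=22, keep_state=True,
             quick=True, label="web zone ssh out"),
        Rule("block", "in", ANY, ANY, label="block in log all"),
        Rule("block", "in", ANY, n("255.255.255.255/32"), label="block in to broadcast"),
        Rule("block", "in", ANY, n("127.0.0.1/32"), label="block in to loopback"),
    ]


def ssh_handshake(global_src: str) -> List[str]:
    """Push the global zone's SSH SYN and the peer's SYN-ACK through the filter
    and return the two verdicts."""
    f = Filter(build_rules(global_src))
    syn = Packet("out", "tcp", "192.168.2.6", 40000, "192.168.2.1", 22, "S")
    synack = Packet("in", "tcp", "192.168.2.1", 22, "192.168.2.6", 40000, "SA")
    return [f.evaluate(syn), f.evaluate(synack)]


if __name__ == "__main__":
    for src in ("192.168.2.6/32", "0.0.0.0/32"):
        print(src, "->", ssh_handshake(src))
```

With the host's real address in the `pass out ... keep state` rule, the SYN matches, a state entry is created, and the SYN-ACK is passed by the state table before the rule list is consulted. With `0.0.0.0/32` the SYN matches nothing, goes out on the default pass, leaves no state behind, and the SYN-ACK is then judged on the rule list alone, where `block in log all` is the only match: exactly the ipmon output described in the post.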