Re: ipf and ipnat stopped working, no routing between nics.
Hi,

I rebooted my machine last night, and everything started working again. But no, I didn't check that. And after I was looking at some sysctls late last night, I did speculate about whether those you mention were right or not.

Problem resolved, and thanks for the help :)

ps. Sorry I accidentally spammed the list. It didn't seem as if my emails went through at the time.

On 3/31/06, Erik Norgaard [EMAIL PROTECTED] wrote:
> Daniel A. wrote:
> > Hi,
> >
> > I run a FreeBSD 6.0 at home in my closet. Yesterday, while I was linking IRCd services with a friend of mine, my router completely stopped routing any packets between the internal nic (sis0) and the external nic (rl0).
> >
> > The only thing that I can think of, which could have caused this, is that I ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT run any ARP poisoning or DNS spoofing attacks on myself. But I didn't notice if the routing stopped at that point, or later, because I could always connect to my server, and the server could always connect to the internet.
> >
> > The situation is still the same. I have tried to do
> > - ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules - Didn't help
> > - cd /etc/rc.d; ./ipfilter restart; ./ipnat restart - Didn't help
> > - Launch ettercap again and exit cleanly after telling it to stop sniffing.
> >
> > A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0. So my conclusion is that ipnat forgot how to route between the two interfaces.
> >
> > Could anyone please give some pointers?
>
> did you check
>
> # sysctl -a |grep forward
>
> you should have
>
> net.inet.ip.forwarding: 1
> net.inet.ip.fastforwarding: 0
> net.inet6.ip6.forwarding: 0
>
> Erik
> --
> Ph: +34.666334818
> web: www.locolomo.org
> S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
> Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
> Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
ipf and ipnat stopped working, no routing between nics.
(My apologies if you're receiving this email for the third time. It doesn't seem as if the previous ones reached the list.)

Hi,

I run a FreeBSD 6.0 at home in my closet. Yesterday, while I was linking IRCd services with a friend of mine, my router completely stopped routing any packets between the internal nic (sis0) and the external nic (rl0).

The only thing that I can think of, which could have caused this, is that I ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT run any ARP poisoning or DNS spoofing attacks on myself. But I didn't notice if the routing stopped at that point, or later, because I could always connect to my server, and the server could always connect to the internet.

The situation is still the same. I have tried to do
- ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules - Didn't help
- cd /etc/rc.d; ./ipfilter restart; ./ipnat restart - Didn't help
- Launch ettercap again and exit cleanly after telling it to stop sniffing.

A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0. So my conclusion is that ipnat forgot how to route between the two interfaces.

Could anyone please give some pointers?

Included stuff:

_ipf.rules
[EMAIL PROTECTED] etc $ cat ipf.rules
# Let clients behind the firewall send out to the internet, and replies to
# come back in by keeping state.
pass out quick on rl0 proto tcp all flags S keep state
pass out quick on rl0 proto udp all keep state
pass out quick on rl0 proto icmp all keep state

# Allow everything on local net
pass in quick on sis0 all
pass out quick on sis0 all

# loopback stuff
pass in quick on lo0 all
pass out quick on lo0 all

# Since nothing should be coming from these address ranges, block them
block in quick on rl0 from 192.168.0.0/16 to any
block in quick on rl0 from 172.16.0.0/12 to any
block in quick on rl0 from 127.0.0.0/8 to any
block in quick on rl0 from 10.0.0.0/8 to any
block in quick on rl0 from 169.254.0.0/16 to any
block in quick on rl0 from 192.0.2.0/24 to any
block in quick on rl0 from 204.152.64.0/23 to any
block in quick on rl0 from 224.0.0.0/3 to any

# Let's let people access the services running behind this system
# Let's let people access the services running on this system
#pass in quick on rl0 proto tcp from any to any port 3 5 flags S keep state #Passive FTP
#pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state #Active FTP
#pass in quick on rl0 proto tcp from any to any port = 21 flags S keep state #FTP
pass in quick on rl0 proto tcp from any to any port = 22 flags S keep state #SSH
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state #WWW
pass in quick on rl0 proto tcp from any to any port = 113 flags S keep state #oidentd
pass in quick on rl0 proto udp from any to any port = 123 keep state #ntpd
pass in quick on rl0 proto tcp from any to any port = 6697 flags S keep state #ircd, SSL
pass in quick on rl0 proto tcp from any to any port = 6667 flags S keep state #ircd, non-SSL
#pass in quick on rl0 proto tcp from any to any port = 7029 flags S keep state #irc link
pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state

# Steam Dedicated Server
#pass in quick on rl0 proto udp from any to any port = 1200 # Friends network
#pass in quick on rl0 proto udp from any to any port 26999 27016 # Gameport
#pass in quick on rl0 proto udp from any to any port = 27020
#pass in quick on rl0 proto tcp from any to any port 27029 27040
#pass in quick on rl0 proto tcp from any to any port = 27015 # SRCDS Rcon

# Block everything else
block in quick on rl0
_ipf.rules END

_ipnat.rules
#rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
#rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
map rl0 192.168.0.0/29 -> 0/32 proxy port 21 ftp/tcp
#map rl0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
map rl0 192.168.0.0/29 -> 0/32 portmap tcp/udp 1025:65000
map rl0 192.168.0.0/29 -> 0/32
_ipnat.rules END

_ifconfig -a
[EMAIL PROTECTED] etc $ ifconfig -a
fwe0: flags=108802<BROADCAST,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
        options=8<VLAN_MTU>
        ether 02:00:0a:04:69:d1
        ch 1 dma -1
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xff00 broadcast 192.168.0.255
        ether 00:0a:e6:53:fc:1e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
        inet 87.49.144.133 netmask 0xff80 broadcast 87.49.144.255
        ether 00:b0:02:00:27:f3
        media: Ethernet
ipf and ipnat stopped working, no routing between nics.
Hi,

I run a FreeBSD 6.0 at home in my closet. Yesterday, while I was linking IRCd services with a friend of mine, my router completely stopped routing any packets between the internal nic (sis0) and the external nic (rl0).

The only thing that I can think of, which could have caused this, is that I ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT run any ARP poisoning or DNS spoofing attacks on myself. But I didn't notice if the routing stopped at that point, or later, because I could always connect to my server, and the server could always connect to the internet.

The situation is still the same. I have tried to do
- ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules - Didn't help
- cd /etc/rc.d; ./ipfilter restart; ./ipnat restart - Didn't help
- Launch ettercap again and exit cleanly after telling it to stop sniffing.

A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0. So my conclusion is that ipnat forgot how to route between the two interfaces.

Could anyone please give some pointers?

Attachments: ifconfig, ipf.rules, ipnat.rules
Re: ipf and ipnat stopped working, no routing between nics.
Daniel A. wrote:
> Hi,
>
> I run a FreeBSD 6.0 at home in my closet. Yesterday, while I was linking IRCd services with a friend of mine, my router completely stopped routing any packets between the internal nic (sis0) and the external nic (rl0).
>
> The only thing that I can think of, which could have caused this, is that I ran ettercap on the server to diagnose why our servers wouldn't link. I did NOT run any ARP poisoning or DNS spoofing attacks on myself. But I didn't notice if the routing stopped at that point, or later, because I could always connect to my server, and the server could always connect to the internet.
>
> The situation is still the same. I have tried to do
> - ipf -Fa -f /etc/ipf.rules; ipnat -FC -f /etc/ipnat.rules - Didn't help
> - cd /etc/rc.d; ./ipfilter restart; ./ipnat restart - Didn't help
> - Launch ettercap again and exit cleanly after telling it to stop sniffing.
>
> A tcpdump reveals that, indeed, no packets at all make it from sis0 to rl0. So my conclusion is that ipnat forgot how to route between the two interfaces.
>
> Could anyone please give some pointers?

did you check

# sysctl -a |grep forward

you should have

net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0

Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
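The check Erik asks for is the first thing to script when a two-NIC ipf/ipnat box stops passing traffic between its interfaces, because neither ipf nor ipnat moves a packet from sis0 to rl0 when the kernel itself is not forwarding. The script below is an added example, not code from the thread; it parses saved `sysctl -a | grep forward` output (the two samples are constructed), reports the three keys Erik lists against the values he expects, and prints the standard FreeBSD knobs for turning IPv4 forwarding back on (`sysctl net.inet.ip.forwarding=1` at runtime; `gateway_enable="YES"` in /etc/rc.conf so it survives a reboot, which is also what made Daniel's box work again).

```shell
#!/bin/sh
# Added example, not from the thread: audit the forwarding sysctls Erik asked
# about from saved `sysctl -a | grep forward` output, so the check runs over
# a captured file as well as on the live gateway.

# sysctl_value KEY  (sysctl output on stdin): print KEY's value from
# FreeBSD-style "key: value" lines (also accepts "key=value"). Exact key
# match, so net.inet.ip.forwarding never matches net.inet.ip.fastforwarding.
sysctl_value() {
    awk -v key="$1" '
        match($0, /[:=]/) {
            k = substr($0, 1, RSTART - 1)
            v = substr($0, RSTART + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# forwarding_state OUTPUT : print "enabled", "disabled" or "unset" for
# net.inet.ip.forwarding, the one knob a two-NIC gateway cannot do without.
# Exit status is 0 only when forwarding is enabled.
forwarding_state() {
    v=$(printf '%s\n' "$1" | sysctl_value net.inet.ip.forwarding)
    case "$v" in
        1) echo enabled;  return 0 ;;
        0) echo disabled; return 1 ;;
        *) echo unset;    return 1 ;;
    esac
}

# forwarding_report OUTPUT : one line per key Erik listed, then the FreeBSD
# commands that fix a non-forwarding gateway (printed, not executed).
forwarding_report() {
    for key in net.inet.ip.forwarding net.inet.ip.fastforwarding net.inet6.ip6.forwarding; do
        v=$(printf '%s\n' "$1" | sysctl_value "$key")
        printf '%-28s %s\n' "$key" "${v:-<not present>}"
    done
    if ! forwarding_state "$1" >/dev/null; then
        echo "IPv4 forwarding is off: packets will not cross from the inside NIC to the outside NIC."
        echo "  runtime:  sysctl net.inet.ip.forwarding=1"
        echo "  persist:  gateway_enable=\"YES\" in /etc/rc.conf (rc sets the sysctl at boot)"
    fi
}

# Constructed samples: what Erik says a working gateway shows, and a box that
# forwards nothing (the sysctl was flipped, or rc.conf lost gateway_enable).
GOOD_SYSCTL="net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0"
BROKEN_SYSCTL="net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0"

# On the gateway itself:  forwarding_report "$(sysctl -a | grep forward)"
forwarding_report "$BROKEN_SYSCTL"
```

Reloading the rule sets with `ipf -Fa -f` and `ipnat -FC -f`, as Daniel did, never touches this sysctl, which is why a rule reload cannot repair a gateway whose forwarding flag has been cleared; checking the flag before the rules saves a round of rule debugging.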
ipf and ipnat
Hello all,

I use FreeBSD stable 4.11 and wish to use ipf. I have been using ipfw with type set to open; however, I have recently been attacked and need to beef up security. I have followed the basic setup that is in the FreeBSD handbook; the only difference is I added a few lines here and there to my ruleset.

Everything seems to work fine when I have ipfirewall compiled into my kernel. When I remove the ipfirewall options, i.e. IPFIREWALL, IPDIVERT, everything seems to break. Adding IPFILTER to the kernel does not help either.

What is going on? How do I enable ipf and ipnat and disable ipfw and natd? I had ipf working once but now it is broken and so is ipfw. I have a broken BSD box, please help.
Help with IPF and IPNAT
Argh! I've been pulling my hair out trying to get my NAT gateway going.

I have two interfaces, one external and one internal, servicing a private LAN. From the LAN I can ping the internal interface and the external interface, but I can't get past the ext. interface. For testing my rules are pass in all and pass out all. From the gateway itself I can ping anywhere outside or inside.

I have tried loading IPNAT and IPF as loadable kernel modules by adding the following to /etc/rc.conf:

gateway_enable=YES
network_interfaces=x10 dc0 lo0
ifconfig x10...
ifconfig dc0...
ipfilter_enable=YES
ipfilter_rules=/etc/ipf.rules
ipfilter_program=/sbin/ipf
ipfilter_flags=
ipnat_enable=YES
ipnat_program=/sbin/ipnat
ipnat_flags=

Each interface is up and running. My default gateway in /etc/rc.conf is the gateway of the external NIC.

Can anyone see anything wrong with what I am doing, or something missing? Do I need routed installed and running? I also tried forward_sourceroute=YES, but that didn't seem to help.

Thanks,
Adam Lofstedt

mail2web - Check your email from the web at http://mail2web.com/ .

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
Re: Help with IPF and IPNAT
You didn't send any rules for it? Do you tune them?

Try to read this about ip filter installation and startup-time pulling:
http://www.freebsddiary.org/topics.php#ipfilter

[EMAIL PROTECTED] wrote:
> Argh! I've been pulling my hair out trying to get my NAT gateway going.
>
> I have two interfaces, one external and one internal, servicing a private LAN. From the LAN I can ping the internal interface and the external interface, but I can't get past the ext. interface. For testing my rules are pass in all and pass out all. From the gateway itself I can ping anywhere outside or inside.
>
> I have tried loading IPNAT and IPF as loadable kernel modules by adding the following to /etc/rc.conf:
>
> gateway_enable=YES
> network_interfaces=x10 dc0 lo0
> ifconfig x10...
> ifconfig dc0...
> ipfilter_enable=YES
> ipfilter_rules=/etc/ipf.rules
> ipfilter_program=/sbin/ipf
> ipfilter_flags=
> ipnat_enable=YES
> ipnat_program=/sbin/ipnat
> ipnat_flags=
>
> Each interface is up and running. My default gateway in /etc/rc.conf is the gateway of the external NIC.
>
> Can anyone see anything wrong with what I am doing, or something missing? Do I need routed installed and running? I also tried forward_sourceroute=YES, but that didn't seem to help.
>
> Thanks,
> Adam Lofstedt

--
Best regards,
Aleksey I. Yurlov
[EMAIL PROTECTED]
Re: Help with IPF and IPNAT
On Wed, 25 Dec 2002, [EMAIL PROTECTED] wrote:
> Argh! I've been pulling my hair out trying to get my NAT gateway going.
>
> I have two interfaces, one external and one internal, servicing a private LAN. From the LAN I can ping the internal interface and the external interface, but I can't get past the ext. interface. For testing my rules are pass in all and pass out all. From the gateway itself I can ping anywhere outside or inside.
>
> I have tried loading IPNAT and IPF as loadable kernel modules by adding the following to /etc/rc.conf:
>
> gateway_enable=YES
> network_interfaces=x10 dc0 lo0
> ifconfig x10...
> ifconfig dc0...
> ipfilter_enable=YES
> ipfilter_rules=/etc/ipf.rules
> ipfilter_program=/sbin/ipf
> ipfilter_flags=
> ipnat_enable=YES
> ipnat_program=/sbin/ipnat
> ipnat_flags=
>
> Each interface is up and running. My default gateway in /etc/rc.conf is the gateway of the external NIC.
>
> Can anyone see anything wrong with what I am doing, or something missing? Do I need routed installed and running? I also tried forward_sourceroute=YES, but that didn't seem to help.
>
> Thanks,
> Adam Lofstedt

You need a MAP rule in your ipnat.rules file to map the private subnet into your public IP address (that of the gateway). If you don't have this in there, then you are not doing NAT, just packet filtering.

man ipnat
man 5 ipnat

Marco Radzinschi
E-Mail: [EMAIL PROTECTED]
Wed Dec 25 17:08:12 EST 2002
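Marco's point is the one Adam's rc.conf cannot reveal on its own: `ipnat_enable` only loads whatever is in the rules file, and a file without an active `map` rule for the external interface translates nothing, so LAN packets leave the gateway with private source addresses and the replies never come back. The script below is an added example, not code from the thread or from FreeBSD itself; it checks copies of rc.conf and ipnat.rules for the prerequisites of a working NAT gateway. The interface name `dc0` and the subnet `192.168.1.0/24` in the constructed samples are assumptions, not Adam's real values, and the working rules file mirrors the layout of the FreeBSD Handbook's ipnat example (port-mapped TCP/UDP first, then a catch-all for other protocols).

```shell
#!/bin/sh
# Added example, not from the thread: check, from copies of the config files,
# the two things a FreeBSD ipf/ipnat gateway needs beyond "pass" rules:
#   1. an uncommented "map <ext-if> <lan-net> -> 0/32" rule in ipnat.rules
#      (Marco's point: without it no address translation happens at all), and
#   2. gateway_enable="YES" and ipnat_enable="YES" in rc.conf.
# Interface names and subnets below are assumptions for the sample.

# rc_value RCTEXT NAME : print NAME's value from rc.conf-style text, skipping
# comment lines and stripping surrounding double quotes (Adam's unquoted
# gateway_enable=YES form is accepted too).
rc_value() {
    printf '%s\n' "$1" | awk -F= -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == name { v = $2; gsub(/"/, "", v); print v; exit }'
}

# map_rules RULES EXTIF : print the active (uncommented) map rules on EXTIF.
map_rules() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        /^[ \t]*#/ { next }
        $1 == "map" && $2 == ifc && $4 == "->" { print }'
}

# nat_gateway_audit RCTEXT RULES EXTIF : print findings; exit 0 when all
# prerequisites hold, 1 otherwise.
nat_gateway_audit() {
    rc="$1"; rules="$2"; ext="$3"; ok=0
    for name in gateway_enable ipnat_enable; do
        v=$(rc_value "$rc" "$name")
        if [ "$v" = "YES" ]; then
            echo "ok:   $name=\"YES\""
        else
            echo "FAIL: $name is \"${v:-unset}\" in rc.conf, needs \"YES\""
            ok=1
        fi
    done
    maps=$(map_rules "$rules" "$ext")
    if [ -n "$maps" ]; then
        echo "ok:   map rule(s) on $ext:"
        printf '%s\n' "$maps" | sed 's/^/        /'
    else
        echo "FAIL: no active 'map $ext <lan-net> -> 0/32' rule; ipnat translates nothing"
        ok=1
    fi
    return $ok
}

# Constructed rc.conf: the quoted form FreeBSD documents.
SAMPLE_RC='gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"'

# Filter-only rules file: ipf passes everything, but nothing maps the LAN.
RULES_NO_MAP='# map rule still commented out
#map dc0 192.168.1.0/24 -> 0/32'

# Minimal working file: port-mapped TCP/UDP first, then a catch-all for the
# other protocols (ICMP), both hiding 192.168.1.0/24 behind dc0's address.
RULES_WITH_MAP='map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:65000
map dc0 192.168.1.0/24 -> 0/32'

# On a real gateway:  nat_gateway_audit "$(cat /etc/rc.conf)" "$(cat /etc/ipnat.rules)" dc0
nat_gateway_audit "$SAMPLE_RC" "$RULES_NO_MAP" dc0 || true
```

The audit only reads files; confirming that the running kernel actually has the rules requires `ipnat -l` on the gateway, and `pass in all` / `pass out all` in ipf.rules, as in Adam's test setup, is a debugging configuration that should be replaced by a real filter once translation works.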