Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Matt Singerman

Hi all,

Well, I emailed the list earlier with another problem, but that has
been completely supplanted by this new one.

I work for a small department within a larger organization, and we
have a fair amount of latitude - we run our own servers and whatnot.
We had a special exception under organization-wide rules which
explicitly forbid running a firewall and switch on the network.
Apparently, after some personnel changes, that exception was lost, and
rather than contact us, the port that our firewall server is connected
to was unceremoniously shut off without any prior warning.  After
going through phone tag with IT, the port has now been turned back on,
but I am having a huge problem - I cannot connect to the firewall
server via SSH anymore, nor can I connect out from the server to
anything else.  Curiously enough, however, firewall rules are still
working correctly.

If I run ifconfig on either of the network adapters, I get the following:

dc0: flags: 8943 UP, BROADCAST, RUNNING, PROMISE,  SIMPLEX, MULTICAST mtu 1500
address [MAC address here]
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6: [inet6 address]

dc1 looks more or less the same, only different MAC and inet6 addresses.

/etc/hostname.dc0 and .dc1 both just contain up and haven't been
modified since 2003.

Shouldn't there be an inet entry with the IP addresses for each of the
cards listed?  What happened to them?

I'm sorry if I'm leaving anything out and not asking this in the right
place, but I am in minor panic mode at the moment.

Thanks,

Matt



Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Matt Singerman

I believe the server was configured as a bridge - bridgename.bridge0
exists, and contains:

add dc0 add dc1 up

It was running for a good 300 days or so.  It was set up and
configured by my predecessor, and I am not completely sure on all of
its configurations.

On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:

That sorta makes sense if your firewall was working as a bridge, but I
don't think that you mentioned anything about a bridgename.bridge0.

Was/Is your machine acting as a nat-style firewall?  If so, then
you'll have to assign it some IPs.

How long was it running since its last reboot?  Were the IP settings
done manually via the console but never reflected in the
/etc/hostname.dc* files?

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

 /etc/hostname.dc0 and .dc1 both just contain up and haven't been
 modified since 2003.

 Shouldn't there be an inet entry with the IP addresses for each of the
 cards listed?  What happened to them?




Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Peter Blair

You should be able to configure one of the bridged interfaces to have
an IP in order for you to SSH into the box.

http://www.openbsd.org/faq/faq6.html#Bridge

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

I believe the server was configured as a bridge - bridgename.bridge0
exists, and contains:

add dc0 add dc1 up

It was running for a good 300 days or so.  It was set up and
configured by my predecessor, and I am not completely sure on all of
its configurations.

On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:
 That sorta makes sense if your firewall was working as a bridge, but I
 don't think that you mentioned anything about a bridgename.bridge0.

 Was/Is your machine acting as a nat-style firewall?  If so, then
 you'll have to assign it some IPs.

 How long was it running since its last reboot?  Were the IP settings
 done manually via the console but never reflected in the
 /etc/hostname.dc* files?

 On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

  /etc/hostname.dc0 and .dc1 both just contain up and haven't been
  modified since 2003.
 
  Shouldn't there be an inet entry with the IP addresses for each of the
  cards listed?  What happened to them?

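The state Peter Blair is describing (a bridge whose members are all "up" with no inet address, so nothing can be SSHed to) can be checked from the config files alone. This is an added example, not code from the thread or from OpenBSD: it reads the real /etc/bridgename.<bridge> and /etc/hostname.<if> layout under a config root, the sample tree is constructed in the script, and 192.0.2.10 is a documentation-range address chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenBSD-style bridge
# configuration tree and report which bridge member, if any, carries an
# inet address that remote management (SSH) can reach.

# Print the members of a bridge as listed in etc/bridgename.<bridge>.
bridge_members() {   # $1 = config root, $2 = bridge name
    f="$1/etc/bridgename.$2"
    [ -r "$f" ] || return 0
    # "add dc0 add dc1 up" -> the word after each "add"
    awk '{ for (i = 1; i < NF; i++) if ($i == "add") print $(i+1) }' "$f"
}

# Print "<if> <addr>" for every member whose hostname.<if> sets an inet
# address; a file containing only "up" (as in the thread) prints nothing.
bridge_mgmt_addrs() {  # $1 = config root, $2 = bridge name
    for ifn in $(bridge_members "$1" "$2"); do
        f="$1/etc/hostname.$ifn"
        [ -r "$f" ] || continue
        awk -v ifn="$ifn" '$1 == "inet" && $2 != "" { print ifn, $2 }' "$f"
    done
}

# Succeed (exit 0) if some member is reachable by address, fail otherwise.
bridge_is_manageable() {  # $1 = config root, $2 = bridge name
    [ -n "$(bridge_mgmt_addrs "$1" "$2")" ]
}

# Constructed sample: the state described in the thread (both members
# only "up"), then the fix Peter Blair suggests (one member gets an IP).
root=$(mktemp -d)
mkdir -p "$root/etc"
printf 'add dc0 add dc1 up\n' > "$root/etc/bridgename.bridge0"
printf 'up\n' > "$root/etc/hostname.dc0"
printf 'up\n' > "$root/etc/hostname.dc1"
bridge_is_manageable "$root" bridge0 && echo "manageable" \
    || echo "no inet address on any member of bridge0"

# 192.0.2.10/24 is a documentation-range address used only for the demo.
printf 'inet 192.0.2.10 255.255.255.0 NONE\n' > "$root/etc/hostname.dc0"
bridge_mgmt_addrs "$root" bridge0
rm -rf "$root"
```

Run it against a live box with root "/" (for example, from the console, or against a backup of /etc) to see at a glance which interface an SSH session should be aimed at.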



Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Roger Neth Jr

On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:

That sorta makes sense if your firewall was working as a bridge, but I
don't think that you mentioned anything about a bridgename.bridge0.

Was/Is your machine acting as a nat-style firewall?  If so, then
you'll have to assign it some IPs.

How long was it running since its last reboot?  Were the IP settings
done manually via the console but never reflected in the
/etc/hostname.dc* files?

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

 /etc/hostname.dc0 and .dc1 both just contain up and haven't been
 modified since 2003.

 Shouldn't there be an inet entry with the IP addresses for each of the
 cards listed?  What happened to them?



Hello, I was running a DEC Alpha firewall, just as a firewall for my
internal network. I created the pf.conf as on the OpenBSD small office
example without a problem.
A problem I had was to make sure you have your arp address on the
firewall from the clients connecting.
Another thing I had was when the firewall went down due to power
failure the pf.conf would not run. I went to a backup pf.conf and it
would work. I don't know why this would happen but it did.
I guess have a backup pf.conf on the firewall and probably backed up
to another machine. Also have physical access to the firewall if you
are unable to connect remotely.
Also check other network conf files like resolv.conf

Hope this gives you some assistance.

rogern

John 3:16



Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Matt Singerman

Okay, I think I understand what you are saying - one of the interfaces
has to have an IP in order to connect into it.  My question is, which
one of the two should it be, and what should it be?  I assume not the
same IP as the bridge itself?

On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:

You should be able to configure one of the bridged interfaces to have
an IP in order for you to SSH into the box.

http://www.openbsd.org/faq/faq6.html#Bridge

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:
 I believe the server was configured as a bridge - bridgename.bridge0
 exists, and contains:

 add dc0 add dc1 up

 It was running for a good 300 days or so.  It was set up and
 configured by my predecessor, and I am not completely sure on all of
 its configurations.

 On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:
  That sorta makes sense if your firewall was working as a bridge, but I
  don't think that you mentioned anything about a bridgename.bridge0.
 
  Was/Is your machine acting as a nat-style firewall?  If so, then
  you'll have to assign it some IPs.
 
  How long was it running since its last reboot?  Were the IP settings
  done manually via the console but never reflected in the
  /etc/hostname.dc* files?
 
  On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:
 
   /etc/hostname.dc0 and .dc1 both just contain up and haven't been
   modified since 2003.
  
   Shouldn't there be an inet entry with the IP addresses for each of the
   cards listed?  What happened to them?




Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Matt Singerman

Argh, things have gone from bad to worse.

So I rebooted the machine on a whim, thinking that maybe the network
debacle from earlier could be cleared up by a simple reboot.  No go.
And now, if pf is enabled, no traffic can flow anywhere.  If it's
disabled, the machine acts simply as a bridge.

I am obviously in over my head here.  I have not used OpenBSD
extensively in the past.  I have used FreeBSD and ipfw, so I am
familiar with the general concepts of *nix systems and firewalls.  All
I want is for traffic to flow from the outside world to the switch and
servers beyond according to the rules laid out in pf, and to be able
to access the machine via ssh.  Whether or not it is configured as a
bridge is not important to me.  Can anyone hold my hand on how to
effectively bring this about, or point me to a simple guide to
configuring a basic firewall with OpenBSD?  Thanks again for all the
help today.

On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:

Okay, I think I understand what you are saying - one of the interfaces
has to have an IP in order to connect into it.  My question is, which
one of the two should it be, and what should it be?  I assume not the
same IP as the bridge itself?

On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:
 You should be able to configure one of the bridged interfaces to have
 an IP in order for you to SSH into the box.

 http://www.openbsd.org/faq/faq6.html#Bridge

 On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:
  I believe the server was configured as a bridge - bridgename.bridge0
  exists, and contains:
 
  add dc0 add dc1 up
 
  It was running for a good 300 days or so.  It was set up and
  configured by my predecessor, and I am not completely sure on all of
  its configurations.
 
  On 6/26/06, Peter Blair [EMAIL PROTECTED] wrote:
   That sorta makes sense if your firewall was working as a bridge, but I
   don't think that you mentioned anything about a bridgename.bridge0.
  
   Was/Is your machine acting as a nat-style firewall?  If so, then
   you'll have to assign it some IPs.
  
   How long was it running since its last reboot?  Were the IP settings
   done manually via the console but never reflected in the
   /etc/hostname.dc* files?
  
   On 6/26/06, Matt Singerman [EMAIL PROTECTED] wrote:
  
/etc/hostname.dc0 and .dc1 both just contain up and haven't been
modified since 2003.
   
Shouldn't there be an inet entry with the IP addresses for each of the
cards listed?  What happened to them?




Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Michael Hernandez

On Jun 26, 2006, at 3:07 PM, Matt Singerman wrote:

.

I am obviously in over my head here.


This may be too obvious, but have you gone through the pf faq? It has  
an example ruleset.



http://www.openbsd.org/faq/pf/


Mike



Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread Darrin Chandler
On Mon, Jun 26, 2006 at 03:07:04PM -0400, Matt Singerman wrote:
 Argh, things have gone from bad to worse.
 
 So I rebooted the machine on a whim, thinking that maybe the network
 debacle from earlier could be cleared up by a simple reboot.  No go.
 And now, if pf is enabled, no traffic can flow anywhere.  If it's
 disabled, the machine acts simply as a bridge.
 
 I am obviously in over my head here.  I have not used OpenBSD
 extensively in the past.  I have used FreeBSD and ipfw, so I am
 familiar with the general concepts of *nix systems and firewalls.  All
 I want is for traffic to flow from the outside world to the switch and
 servers beyond according to the rules laid out in pf, and to be able
 to access the machine via ssh.  Whether or not it is configured as a
 bridge is not important to me.  Can anyone hold my hand on how to
 effectively bring this about, or point me to a simple guide to
 configuring a basic firewall with OpenBSD?  Thanks again for all the
 help today.

Probably the easiest thing would be to rename your existing config files
for later reference, then start from scratch with very simple configs.
Read these...

http://www.openbsd.org/faq/

specifically http://www.openbsd.org/faq/faq6.html#Bridge

http://www.openbsd.org/faq/pf/

(at the end are some example rulesets to get you started)

Once you have basic functionality, then you can begin going over the old
configs. Understand what the old configs were trying to accomplish, add
parts back in where appropriate.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: Totally bizarre problem - cannot connect to openbsd machine

2006-06-26 Thread L. V. Lammert

At 03:07 PM 6/26/2006 -0400, Matt Singerman wrote:

Argh, things have gone from bad to worse.

So I rebooted the machine on a whim, thinking that maybe the network
debacle from earlier could be cleared up by a simple reboot.  No go.
And now, if pf is enabled, no traffic can flow anywhere.  If it's
disabled, the machine acts simply as a bridge.

I am obviously in over my head here.  I have not used OpenBSD
extensively in the past.  I have used FreeBSD and ipfw, so I am
familiar with the general concepts of *nix systems and firewalls.  All
I want is for traffic to flow from the outside world to the switch and
servers beyond according to the rules laid out in pf, and to be able
to access the machine via ssh.  Whether or not it is configured as a
bridge is not important to me.  Can anyone hold my hand on how to
effectively bring this about, or point me to a simple guide to
configuring a basic firewall with OpenBSD?  Thanks again for all the
help today.


http://www.openbsd.org/faq/faq6.html

Starting points:

http://marc.theaimsgroup.com
http://marc.theaimsgroup.com/?l=openbsd-misc&m=114345514930017&w=2
http://www.countersiege.com/doc/pfsync-carp/
http://www.unix-tutorials.com/go.php?id=280


Lee