My network looks like this:

+----------+     +------+     +---------+     +----------+
| Internet | <-> | Tiny | <-> | linksys | <-> | Behemoth |
+----------+     +------+     +---------+     +----------+
                                  \ (WiFi)
                                   \
                                +---------+
                                | various |
                                +---------+
Tiny is my firewall, and it forwards all ssh and http traffic to Behemoth. I also forward port 3389 to one of the clients on the wireless network. I can get into the remote desktop on my machine running XP and ssh to Behemoth from there, but can't from the outside. Once I am logged into Behemoth, I can't ping anything on the outside. If I try to ping my default gateway, 192.168.2.1, I get "Ping: Sendto: Host is down". If I try to ping anything else, I get "Ping: Sendto: No route to host".

[EMAIL PROTECTED] ~]$ ifconfig
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.2.10 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:0c:41:e2:ae:75
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pflog0: flags=0<> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

[EMAIL PROTECTED] ~]$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      447    dc0
127.0.0.1          127.0.0.1          UH          0      604    lo0
192.168.2          link#1             UC          0        0    dc0
192.168.2.1        link#1             UHLW        2        2    dc0
192.168.2.10       00:0c:41:e2:ae:75  UHLW        1       10    lo0
168.168.2.100      00:12:17:6a:32:7e  UHLW        1     2239    dc0    623

[EMAIL PROTECTED] ~]$ ping google.com
ping: cannot resolve google.com: Host name lookup failure

[EMAIL PROTECTED] ~]$ ping 64.233.167.99
PING 64.233.167.99 (64.233.167.99): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
^C
--- 64.233.167.99 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

The weird thing is that I'm logged into this box over ssh. I shouldn't be able to connect to the box if there's something wrong with the routing, correct? I have already tried setting the mtu to 1400 with no result and rebooting, also with no result, but I'm really not sure where to go from here. Any help on this would be much appreciated.
I've attached my pf.conf, but it hasn't changed in a few weeks and this just started happening a couple days ago. It coincided with me adding my new Wii to the wireless network, but I can't see how that could've messed up the routing on Behemoth.

--
I'm nerdy in the extreme and whiter than sour cream
# Macro definitions
ext_if = "dc0"                  # replace with actual external interface name i.e., dc0
int_if = "dc1"                  # replace with actual internal interface name i.e., dc1
local_net = "192.168.0.0/16"    # IP addresses used internally
table <bruteforce> persist file "/var/db/ssh-bruteforce"    # Table of IP addresses blocked by bruteforce

set skip on lo0
scrub all                       # Scrub Everything

altq on $ext_if bandwidth 250Kb priq queue { tcp_ack, dns, ssh_fast, lan, http, ssh_bulk, torrent }    # outgoing queues for prioritization
queue tcp_ack priority 7 priq           # Queue for TCP ack packets - low volume, high speed
queue dns priority 6 priq               # queue for dns queries and responses
queue ssh_fast priority 4 priq          # interactive ssh traffic
queue lan priority 3 priq(default)      # queue for lan clients
queue http priority 2 priq              # queue for http traffic
queue ssh_bulk priority 1 priq          # Queue for bulk (sftp, scp) ssh traffic
queue torrent priority 0 qlimit 100     # The torrent queue

nat on $ext_if from $local_net -> ($ext_if)    # nat localnet's packets to the firewall's external interface
rdr on $ext_if proto tcp from any to any port { 22, 80 } -> 192.168.2.10
rdr on $int_if proto tcp from $local_net to ($int_if) port 22 -> 192.168.1.1
rdr on $int_if proto tcp from any to ($ext_if) port { 80, 3150, 49160:49300 } -> 192.168.2.10
rdr on $ext_if proto tcp from any to any port { 32459, 4662 } -> 192.168.2.100
rdr on $ext_if proto udp from any to any port 4672 -> 192.168.2.100
rdr on $ext_if proto { tcp, udp } from any to any port 3389 -> 192.168.2.100

block log all                   # Default block rule
block in log quick proto tcp from <bruteforce> to any port { 22, 80 }

# Antispoof rules
antispoof for $ext_if

# General Rules
pass in log quick on $ext_if inet proto tcp from any to any port 22 \
        flags S/SA keep state queue (ssh_bulk, ssh_fast)    # pass in ssh logins
pass in log quick on $ext_if inet proto tcp from any to any port { 80, 3150 } \
        flags S/SA keep state queue http                    # pass in http traffic
pass log inet proto { tcp, udp } from any to 192.168.2.100 port 3389 flags S/SA keep state queue ssh_fast    # RDP
pass log inet proto tcp from any port 3150 to 192.168.2.10 keep state    # fluxd-inet
pass log inet proto tcp from any to ($ext_if) port 3128 keep state       # external clients using the proxy

# Pass anything from the localnet out
pass in log on $int_if from any to any keep state

# torrent stuff
pass log inet proto { tcp, udp } from any to any port { 4662, 4672, 32459 } keep state queue torrent    # utorrent
pass log proto { tcp, udp } from any to 192.168.2.10 port 49160:49300 keep state queue torrent          # TF
pass log proto { tcp, udp } from 192.168.2.10 port 49160:49300 to any keep state queue torrent          # TF

# Pass traffic originating from the firewall out
pass out log on $ext_if from ($ext_if) to any keep state
pass out log on $int_if from any to $local_net keep state

# TCP ACK packets
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state queue (lan, tcp_ack)

# DNS queries that get passed out. Note that we run named in a caching manner.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port domain keep state    #queue dns
pass in on $int_if inet proto { tcp, udp } from $local_net to ($int_if) port domain keep state

# End of Ruleset
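An added diagnostic (not from the original post or its author) that parses a FreeBSD `netstat -rn` dump and reports the state of the default gateway's neighbour entry. The sample below is the routing table from the message above, re-typed as constructed input; the "link#1" in the gateway's UHLW row, where a MAC address would normally sit, is what the script singles out, because an unresolved gateway entry produces exactly the pair of errors reported above: "Host is down" when pinging the gateway itself and "No route to host" for anything beyond it.

```python
import re

# Constructed sample: the routing table posted above, re-typed in normal
# `netstat -rn` column layout (the 168.168.2.100 row is kept exactly as posted).
SAMPLE_NETSTAT = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0      447    dc0
127.0.0.1          127.0.0.1          UH          0      604    lo0
192.168.2          link#1             UC          0        0    dc0
192.168.2.1        link#1             UHLW        2        2    dc0
192.168.2.10       00:0c:41:e2:ae:75  UHLW        1       10    lo0
168.168.2.100      00:12:17:6a:32:7e  UHLW        1     2239    dc0    623
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_routes(text):
    """Return (destination, gateway, flags, netif) for each row of the Internet section."""
    routes, in_inet = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break                       # IPv6 table on newer systems; not needed here
        cols = line.split()
        if in_inet and len(cols) >= 6 and cols[0] != "Destination":
            routes.append((cols[0], cols[1], cols[2], cols[5]))
    return routes


def diagnose_default_gateway(text):
    """Classify the default gateway's neighbour (ARP) entry.

    'unresolved' means the gateway's host entry shows link#N instead of a MAC:
    ARP for the gateway never completed, after which the kernel fails sends
    with EHOSTDOWN to the gateway itself ("Host is down") and EHOSTUNREACH for
    anything routed via it ("No route to host"), the two errors posted above.
    """
    routes = parse_routes(text)
    default = [r for r in routes if r[0] == "default"]
    if not default:
        return "no-default", None       # nothing off-link is reachable at all
    gw = default[0][1]
    host = [r for r in routes if r[0] == gw and "H" in r[2]]
    if not host:
        return "no-arp-entry", gw       # default route set, gateway never contacted yet
    return ("ok" if MAC_RE.match(host[0][1]) else "unresolved"), gw
```

Feed it real output with `diagnose_default_gateway(open("netstat.txt").read())` after saving `netstat -rn > netstat.txt`; an "unresolved" result points at layer 2 (ARP, cabling, a duplicate address on the LAN) rather than at pf or the routing table, so `arp -an` on Behemoth is the next thing to compare.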
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"