Howdy, I've been beating my head against this for a few days now and I can't see what the solution is:
I've got a SparcStation 20 running NetBSD 2.1 and ipf v4.1.3 as included with the OS. I have a /30 netblock: 4 IP addresses total, 2 of which are usable. The firewall/gateway machine currently has 3 configured interfaces:

hme0    192.168.0.10    Internal interface.
hme2    192.168.2.254   DMZ interface.
pppoe0  1.2.3.205       External static IP.

There are a number of machines on the internal LAN (192.168.0.0/24) that are being NATed to the IP address of pppoe0 (1.2.3.205). There is a single machine (theta, 192.168.2.1) in the DMZ running HTTP and SMTP servers, which is being bimapped to the second static IP address (1.2.3.206).

Traffic appears to flow correctly in all the directions I expect, with one exception: it appears to be impossible to fetch data (files/webpages) via HTTP or passive FTP from the box in the DMZ. Inbound traffic to the SMTP/HTTP servers running on the DMZ box works fine - as a server the box is OK. It's as a client that the machine has trouble. Other traffic from this box might be weird too, although I've not yet tested for other problems. No blocked packets are logged.

FTP transactions hang once the client has logged in and the progress bar appears and the high/passive port is shown. HTTP stalls after a brief set of packets; for example, here's the output from tcpdump following a request for www.bbc.co.uk using elinks from the machine inside the DMZ:

01:36:08.498127 theta.65115 > arc-dmz.domain: 42447+ AAAA? www.bbc.co.uk. (31)
01:36:08.609735 arc-dmz.domain > theta.65115: 42447 1/0/0 CNAME[|domain]
01:36:08.610236 theta.65114 > arc-dmz.domain: 42448+ A? www.bbc.co.uk. (31)
01:36:08.617784 arc-dmz.domain > theta.65114: 42448 2/13/0 CNAME[|domain]
01:36:08.618597 theta.65338 > www15.thdo.bbc.co.uk.www: S 2796298509:2796298509(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0> (DF)
01:36:08.639985 www15.thdo.bbc.co.uk.www > theta.65338: S 2600870796:2600870796(0) ack 2796298510 win 33304 <nop,nop,timestamp 3573716561 0,mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
01:36:08.640141 theta.65338 > www15.thdo.bbc.co.uk.www: . ack 1 win 33580 <nop,nop,timestamp 0 3573716561> (DF)
01:36:08.641290 theta.65338 > www15.thdo.bbc.co.uk.www: P 1:186(185) ack 1 win 33580 <nop,nop,timestamp 0 3573716561> (DF)
01:36:08.668267 www15.thdo.bbc.co.uk.www > theta.65338: . ack 186 win 33304 <nop,nop,timestamp 3573716564 0> (DF)

(FIN sent when elinks is Ctrl-C'ed):

01:37:31.478407 theta.65338 > www15.thdo.bbc.co.uk.www: F 186:186(0) ack 1 win 33580 <nop,nop,timestamp 166 3573716561> (DF)
01:37:31.496926 www15.thdo.bbc.co.uk.www > theta.65338: . ack 187 win 33304 <nop,nop,timestamp 3573724847 166> (DF)

I've read the manpage, the HOWTO and Googled for all I'm worth, but I can't see the problem. Can anyone help? Any other comments on how to improve my ruleset would be welcome too. Contents of all the relevant files below:

# --------------------------------------------------------------------
Contents of /etc/ipnat:

# Support active FTP - must go before portmap rules.
map pppoe0 192.168.2.1/32 -> 1.2.3.206/32 proxy port ftp ftp/tcp

# Map all tcp and udp connections from 192.168.0.0/24 to external IP address.
map pppoe0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto mssclamp 1440

# For all other packets (i.e. ICMP), map to the external IP address
map pppoe0 192.168.0.0/24 -> 0/32 mssclamp 1440

# DMZ: map 1.2.3.206 to the www/mail server.
bimap pppoe0 192.168.2.1/32 -> 1.2.3.206/32

# --------------------------------------------------------------------
Contents of /etc/ipf.conf:

# --------------------------------------------------------------------------------------------------
# Defaults
# Drop/log everything inbound by default
block in log all

# Loopback
pass in quick on lo0
pass out quick on lo0

# Internal traffic
pass in quick on hme0

# --------------------------------------------------------------------------------------------------
# Inbound onto firewall.
# SSH
pass in quick on pppoe0 proto tcp from any to 1.2.3.205/32 port = ssh flags S/SA keep state
# DNS
pass in quick on pppoe0 proto udp from any to 1.2.3.205/32 port = domain keep state
pass in quick on pppoe0 proto tcp from any to 1.2.3.205/32 port = domain flags S/SA keep state

# --------------------------------------------------------------------------------------------------
# DMZ inbound: HTTP and SMTP - remember, NAT from 1.2.3.206 -> 192.168.2.1 has already occurred.
pass in quick on pppoe0 proto tcp from any to 192.168.2.1/32 port = smtp keep state
pass in quick on pppoe0 proto tcp from any to 192.168.2.1/32 port = http keep state

# --------------------------------------------------------------------------------------------------
# DMZ <-> firewall DMZ interface.
# Allow the box(es) in the DMZ to make DNS and NTP queries
pass in quick on hme2 proto udp from 192.168.2.0/24 to 192.168.2.254/32 port = domain keep state
pass in quick on hme2 proto udp from 192.168.2.0/24 to 192.168.2.254/32 port = ntp keep state
pass in quick on hme2 proto tcp from 192.168.2.0/24 to 192.168.2.254/32 port = ntp flags S/SA keep state

# --------------------------------------------------------------------------------------------------
# DMZ: outbound
# Allow HTTP access out - BROKEN.
pass in quick on hme2 proto tcp from 192.168.2.1/32 to ! 192.168.0.0/24 port = http flags S/SA keep state   ### BROKEN
# Allow FTP access out
pass in quick on hme2 proto tcp from 192.168.2.1/32 to any port = ftp flags S/SA keep state
pass in quick on hme2 proto tcp from 192.168.2.1/32 to any port > 1024 flags S/SA keep state

# --------------------------------------------------------------------------------------------------
# Internal <-> DMZ
# Allow access to the boxes in the DMZ from the internal network.
pass out quick on hme2 proto tcp from 192.168.0.0/24 to 192.168.2.1/32 flags S/SA keep state

# --------------------------------------------------------------------------------------------------
# Outbound
pass out quick on pppoe0 proto tcp from any to any keep state
pass out quick on pppoe0 proto udp from any to any keep state
pass out quick on pppoe0 proto icmp from any to any keep state

# --------------------------------------------------------------------------------------------------
# Prevent delays when remote machines try ident/auth.
block return-rst in on pppoe proto tcp from any to any port = 113

# --------------------------------------------------------------------
Output from ipf -V:

ipf: IP Filter: v4.1.3 (400)
Kernel: IP Filter: v4.1.3
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a

--
Barrie J. Bremner
list-ipf [at] barriebremner.com
http://barriebremner.com/
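A worked example, added here and not part of the original post or of any ipf/ipnat tool: a small Python script that reads the one-line tcpdump format quoted above, totals payload bytes and flags for each direction of the TCP conversation, reports any direction whose peer acknowledged our data but returned no payload (the shape of the stall in the trace), and lists SYNs whose advertised MSS exceeds a clamp value. The default clamp of 1440 is taken from the posted ipnat map rules (the posted bimap rule carries no mssclamp option); the trace embedded in the script is copied from the post. The MSS check is a hint to follow up on, not a diagnosis.

```python
"""Per-direction summary of a tcpdump 3.x TCP trace (added example, not the post's code).

Parses lines of the form
    HH:MM:SS.us src.port > dst.port: FLAGS [seq:end(len)] [ack N] win W [<opts>]
Non-TCP lines (the DNS lookups in the post) are skipped.
"""
import re

# Sample input: the tcpdump lines quoted in the post, copied verbatim.
TRACE = """\
01:36:08.498127 theta.65115 > arc-dmz.domain: 42447+ AAAA? www.bbc.co.uk. (31)
01:36:08.609735 arc-dmz.domain > theta.65115: 42447 1/0/0 CNAME[|domain]
01:36:08.610236 theta.65114 > arc-dmz.domain: 42448+ A? www.bbc.co.uk. (31)
01:36:08.617784 arc-dmz.domain > theta.65114: 42448 2/13/0 CNAME[|domain]
01:36:08.618597 theta.65338 > www15.thdo.bbc.co.uk.www: S 2796298509:2796298509(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0> (DF)
01:36:08.639985 www15.thdo.bbc.co.uk.www > theta.65338: S 2600870796:2600870796(0) ack 2796298510 win 33304 <nop,nop,timestamp 3573716561 0,mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
01:36:08.640141 theta.65338 > www15.thdo.bbc.co.uk.www: . ack 1 win 33580 <nop,nop,timestamp 0 3573716561> (DF)
01:36:08.641290 theta.65338 > www15.thdo.bbc.co.uk.www: P 1:186(185) ack 1 win 33580 <nop,nop,timestamp 0 3573716561> (DF)
01:36:08.668267 www15.thdo.bbc.co.uk.www > theta.65338: . ack 186 win 33304 <nop,nop,timestamp 3573716564 0> (DF)
01:37:31.478407 theta.65338 > www15.thdo.bbc.co.uk.www: F 186:186(0) ack 1 win 33580 <nop,nop,timestamp 166 3573716561> (DF)
01:37:31.496926 www15.thdo.bbc.co.uk.www > theta.65338: . ack 187 win 33304 <nop,nop,timestamp 3573724847 166> (DF)
""".splitlines()

# Hostnames contain dots, so src/dst are taken as whole tokens; the port is the
# last dot-separated component and is left attached for the per-direction key.
TCP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
    r" win (?P<win>\d+)"
    r"(?: <(?P<opts>[^>]*)>)?"
)


def parse_tcp(lines):
    """Yield one dict per TCP segment; lines that do not parse as TCP are skipped."""
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        mss = re.search(r"\bmss (\d+)", d["opts"] or "")
        yield {
            "ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "flags": d["flags"],
            "len": int(d["len"] or 0),
            "ack": int(d["ack"]) if d["ack"] else None,
            "mss": int(mss.group(1)) if mss else None,
        }


def summarise(lines, mss_clamp=1440):
    """Return ({(src, dst): stats}, [mss warnings]) for every direction seen."""
    dirs, warnings = {}, []
    for seg in parse_tcp(lines):
        d = dirs.setdefault((seg["src"], seg["dst"]),
                            {"segments": 0, "payload": 0, "flags": set(),
                             "mss": None, "last_ack": None})
        d["segments"] += 1
        d["payload"] += seg["len"]
        d["flags"].update(seg["flags"].replace(".", ""))
        if "S" in seg["flags"]:
            d["mss"] = seg["mss"]
            if seg["mss"] is not None and seg["mss"] > mss_clamp:
                warnings.append(f"{seg['src']} -> {seg['dst']}: SYN advertises "
                                f"mss {seg['mss']} > clamp {mss_clamp}")
        elif seg["ack"] is not None:
            # tcpdump prints relative ack numbers after the handshake; the SYN-ACK's
            # absolute ack is deliberately not recorded.
            d["last_ack"] = seg["ack"]
    return dirs, warnings


def diagnose(dirs):
    """Report directions whose peer acked all our payload but sent no payload back."""
    findings = []
    for (a, b), fwd in dirs.items():
        rev = dirs.get((b, a))
        if rev is None or fwd["payload"] == 0 or rev["payload"] > 0:
            continue
        if rev["last_ack"] is not None and rev["last_ack"] - 1 >= fwd["payload"]:
            findings.append(f"{b} acknowledged {fwd['payload']} bytes from {a} "
                            f"(ack {rev['last_ack']}) but returned 0 payload bytes")
    return findings


if __name__ == "__main__":
    stats, warns = summarise(TRACE)
    for (src, dst), s in stats.items():
        print(f"{src} -> {dst}: {s['segments']} segs, {s['payload']} bytes, "
              f"flags {''.join(sorted(s['flags']))}, mss {s['mss']}, last ack {s['last_ack']}")
    for w in warns + diagnose(stats):
        print("!", w)
```

Run it against a saved tcpdump capture by replacing TRACE with the file's lines; a direction that shows payload on one side, a matching ack on the other and zero bytes back is where to start looking, and comparing the MSS warnings with which ipnat rules carry mssclamp is the next check.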
