Hi,

I see someone's mentioned collecting the log output, you may also
find "ipfstat -ionh" helpful. The "h" gives the hit rate per rule that
fired, the blocking ones will tell you what's stopping the packets.

Note however that the line numbering ("n" option) is the entry number
in the IN or OUT filter table (two separate counts), not the lines
in your source file, so you'll have to match the rule text against
your input file.

HTH, rgds, Stuart.


>>> On 17-Jan-07 at 1:51 pm, in message <[EMAIL PROTECTED]>,
mdpeters <[EMAIL PROTECTED]> wrote:
> I am new to IPFilter. My experience comes from other firewalls. I have
> what seems like a proper build from following all sorts of example
> documents out there. My problem is that nothing seems to pass through
> the system. I am not sure if it is a NAT issue or rule misconfiguration
> on my part. If someone could critique an excerpt of what I have and clue
> me into what I am doing wrong I would certainly appreciate it.
> 
> I cut down the rules for simplicity's sake. Everything follows:
> 
> # uname -a
> SunOS Osiris 5.10 Generic_118833-17 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
> 
> # isainfo -vk
> 64-bit sparcv9 kernel modules
> 
> # ifconfig -a
> lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
>         inet 127.0.0.1 netmask ff000000
> hme0: flags=1100803<UP,BROADCAST,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
>         inet 68.16.185.30 netmask fffffff0 broadcast 68.16.185.43
>         ether 8:0:20:f9:c5:44
> qfe0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 3
>         inet 192.168.200.108 netmask ffffff00 broadcast 192.168.200.255
>         ether 8:0:20:f9:c5:44
> qfe2: flags=1100803<UP,BROADCAST,MULTICAST,ROUTER,IPv4> mtu 1500 index 4
>         inet 192.168.201.8 netmask ffffff00 broadcast 192.168.201.255
>         ether 8:0:20:f9:c5:44
> lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
>         inet6 ::1/128
> hme0: flags=2100801<UP,MULTICAST,ROUTER,IPv6> mtu 1500 index 2
>         inet6 fe80::a00:20ff:fef9:c544/10
>         ether 8:0:20:f9:c5:44
> qfe0: flags=2100841<UP,RUNNING,MULTICAST,ROUTER,IPv6> mtu 1500 index 3
>         inet6 fe80::a00:20ff:fef9:c544/10
>         ether 8:0:20:f9:c5:44
> qfe2: flags=2100801<UP,MULTICAST,ROUTER,IPv6> mtu 1500 index 4
>         inet6 fe80::a00:20ff:fef9:c544/10
>         ether 8:0:20:f9:c5:44
> 
> # netstat -rn
> 
> Routing Table: IPv4
>   Destination           Gateway           Flags  Ref   Use   Interface
> -------------------- -------------------- ----- ----- ------ ---------
> 68.16.185.28         68.16.185.30         U         1      0  hme0
> 192.168.200.0        192.168.200.108      U         1    618  qfe0
> 192.168.201.0        192.168.201.8        U         1      0  qfe2
> 192.168.202.0        192.168.200.59       UG        1      0
> 192.168.204.0        192.168.201.169      UG        1      0
> 172.16.0.0           192.168.200.59       UG        1      7
> 224.0.0.0            68.16.185.130        U         1      0  hme0
> default              68.16.185.128        UG        1      0
> 127.0.0.1            127.0.0.1            UH        4     77  lo0
> 
> Routing Table: IPv6
>   Destination/Mask            Gateway                   Flags Ref   Use   If
> --------------------------- --------------------------- ----- --- ------ -----
> fe80::/10                   fe80::a00:20ff:fef9:c544    U       1      0 hme0
> fe80::/10                   fe80::a00:20ff:fef9:c544    U       1      0 qfe0
> fe80::/10                   fe80::a00:20ff:fef9:c544    U       1      0 qfe2
> ff00::/8                    fe80::a00:20ff:fef9:c544    U       1      0 hme0
> ::1                         ::1                         UH      1     14 lo0
> 
> # netstat -i
> Name  Mtu  Net/Dest      Address         Ipkts  Ierrs Opkts  Oerrs Collis Queue
> lo0   8232 loopback      localhost       209    0     209    0     0      0
> hme0  1500 Osiris        Osiris          0      0     0      0     0      0
> qfe0  1500 192.168.200.0 192.168.200.108 265242 0     9572   0     0      0
> qfe2  1500 192.168.201.0 192.168.201.8   0      0     0      0     0      0
> 
> Name  Mtu  Net/Dest                    Address                  Ipkts  Ierrs Opkts  Oerrs Collis
> lo0   8252 localhost                   localhost                209    0     209    0     0
> hme0  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 0      0     0      0     0
> qfe0  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 265252 0     9583   0     0
> qfe2  1500 fe80::a00:20ff:fef9:c544/10 fe80::a00:20ff:fef9:c544 0      0     0      0     0
> 
> # netstat -s -P ip
> 
> IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
>         ipInReceives        =  6594     ipInHdrErrors       =     0
>         ipInAddrErrors      =     0     ipInCksumErrs       =     0
>         ipForwDatagrams     =     0     ipForwProhibits     =     0
>         ipInUnknownProtos   =     0     ipInDiscards        =     0
>         ipInDelivers        =  6679     ipOutRequests       = 13135
>         ipOutDiscards       =     0     ipOutNoRoutes       =     6
>         ipReasmTimeout      =    60     ipReasmReqds        =     0
>         ipReasmOKs          =     0     ipReasmFails        =     0
>         ipReasmDuplicates   =     0     ipReasmPartDups     =     0
>         ipFragOKs           =     0     ipFragFails         =     0
>         ipFragCreates       =     0     ipRoutingDiscards   =     0
>         tcpInErrs           =     0     udpNoPorts          =    17
>         udpInCksumErrs      =     0     udpInOverflows      =     0
>         rawipInOverflows    =     0     ipsecInSucceeded    =     0
>         ipsecInFailed       =     0     ipInIPv6            =     0
>         ipOutIPv6           =     0     ipOutSwitchIPv6     =     0
> 
> # ipf -V
> ipf: IP Filter: v4.0.3 (592)
> Kernel: IP Filter: v4.0.3
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 1
> 
> # ipfstat
> bad packets:            in 0    out 0
> IPv6 packets:          in 0 out 18
> input packets:         blocked 0 passed 6618 nomatch 0 counted 0 short 0
> output packets:        blocked 6508 passed 6677 nomatch 9 counted 0 short 0
> input packets logged:  blocked 0 passed 0
> output packets logged:  blocked 6508 passed 0
> packets logged:        input 6618 output 13167
> log failures:          input 0 output 0
> fragment state(in):     kept 0  lost 0
> fragment state(out):    kept 0  lost 0
> packet state(in):       kept 0  lost 0
> packet state(out):      kept 0  lost 0
> ICMP replies:   0       TCP RSTs sent:  0
> Invalid source(in):     0
> Result cache hits(in):  0       (out):  9
> IN Pullups succeeded:   0       failed: 0
> OUT Pullups succeeded:  32      failed: 0
> Fastroute successes:    0       failures:       0
> TCP cksum fails(in):    0       (out):  0
> IPF Ticks:      834285
> Packet log flags set: (0)
>         none
> 
> # ipfstat -io
> log level local7.debug out on qfe0 all
> log level local7.debug out on qfe2 all
> log level local7.debug out on hme0 all
> block out log quick on hme0 from any to 192.168.0.0/16
> block out log quick on hme0 from any to 172.16.0.0/12
> block out log quick on hme0 from any to 10.0.0.0/8
> block out log quick on hme0 from any to 127.0.0.0/8
> block out log quick on hme0 from any to 0.0.0.0/8
> block out log quick on hme0 from any to 169.254.0.0/16
> block out log quick on hme0 from any to 192.0.2.0/24
> block out log quick on hme0 from any to 204.152.64.0/23
> block out log quick on hme0 from any to 224.0.0.0/3
> pass out quick on qfe0 all
> pass out quick on qfe2 all
> pass out quick on lo0 all
> pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state
> pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain to any port = domain keep state
> pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain to any port = domain
> pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port = ntp to any port = ntp
> pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
> pass out quick on hme0 proto udp from 172.16.0.0/12 to any
> pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep state
> log level local7.debug in on qfe0 all
> log level local7.debug in on qfe2 all
> log level local7.debug in on hme0 all
> block in all
> block in log quick on hme0 from 192.168.0.0/16 to any
> block in log quick on hme0 from 172.16.0.0/12 to any
> block in log quick on hme0 from 10.0.0.0/8 to any
> block in log quick on hme0 from 127.0.0.0/8 to any
> block in log quick on hme0 from 0.0.0.0/8 to any
> block in log quick on hme0 from 169.254.0.0/16 to any
> block in log quick on hme0 from 192.0.2.0/24 to any
> block in log quick on hme0 from 204.152.64.0/23 to any
> block in log quick on hme0 from 224.0.0.0/3 to any
> block in quick on hme0 proto tcp from any port = 113 to any
> block in log quick from any to any with short
> block in log quick on hme0 from any to 68.16.185.28/27
> block in log quick on hme0 proto icmp from any to any
> block in log quick on hme0 proto tcp from any to any port = telnet
> block in log quick on hme0 proto tcp/udp from any to any port = sunrpc
> block in log quick on hme0 proto tcp from any to any port = login
> block in log quick on hme0 proto tcp/udp from any to any port = 514
> block in log quick on hme0 proto tcp from any to any port = printer
> block in log quick on hme0 proto tcp from any to any port = 1214
> block in log quick on hme0 proto tcp/udp from any to any port = nfsd
> block in log quick on hme0 proto tcp from any to any port = 4661
> block in log quick on hme0 proto tcp from any to any port = 4662
> block in log quick on hme0 proto udp from any to any port = 4665
> block in log quick on hme0 proto tcp from any to any port = 5190
> block in log quick on hme0 proto udp from any to any port = 4000
> block in log quick on hme0 proto tcp from any to any port = 6000
> block in log quick on hme0 proto udp from any to any port = 8998
> pass in quick on qfe0 from any to any
> pass in quick on qfe2 from any to any
> pass in quick on lo0 all
> pass in quick on hme0 proto tcp from any port = smtp to 68.16.185.34/32 port = smtp keep state
> pass in quick on hme0 proto udp from any port = domain to 68.16.185.34/32 port = domain keep state
> pass in quick on hme0 proto udp from any port = domain to 68.16.185.34/32 port = domain
> pass in quick on hme0 proto tcp from any port = ntp to 68.16.185.34/32 port = ntp keep state
> 
> # ipnat -slv
> mapped  in      0       out     0
> added   0       expired 0
> no memory       0       bad nat 0
> inuse   0
> rules   44
> wilds   0
> table ffffffff7ffffba0 list 30002026340
> List of active MAP/Redirect filters:
> map hme0 192.168.200.40/32 -> 68.16.185.33/32
> map hme0 68.16.185.133/32 -> 192.168.200.40/32
> map hme0 192.168.200.59/32 -> 68.16.185.34/32
> map hme0 68.16.185.134/32 -> 192.168.200.59/32
> 
> 
> List of active sessions:
> 
> List of active host mappings:
