Charles, et al,
Now that my system is FINALLY up and working at 95%, there is one thing not
behaving as expected. I have been looking through my doc links, trying to find
a reference to this, and came up blank. I thought I had read somewhere that
the default behavior was to allow all traffic from Internal to DMZ ---
useful for managing the servers that live there; but disallowing
DMZ-initiated traffic back into the Internal network.
Here's what I am getting:
Jun 25 06:42:16 cuinn kernel: Packet log: forward DENY eth1 PROTO=6 64.81.226.171:80 192.168.1.201:2539 L=48 S=0x00 I=1095 F=0x4000 T=63 (#41)
For everything, including pings and UDP...
Filters (I'm still no ace at reading this):
Packet Filter:
Chain input (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize
source destination ports
15 591 DENY udp ------ 0xFF 0x00 eth0
192.168.0.0/16 0.0.0.0/0 * -> 61000:64999
0 0 DENY udp ------ 0xFF 0x00 eth0
10.0.0.0/8 0.0.0.0/0 * -> 61000:64999
0 0 DENY tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 119
28 2528 DENY icmp ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0
0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
224.0.0.0/4 0.0.0.0/0 n/a
5 197 DENY all ----l- 0xFF 0x00 eth0
10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
172.16.0.0/12 0.0.0.0/0 n/a
51 2228 DENY all ----l- 0xFF 0x00 eth0
192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.168.1.0/24 0.0.0.0/0 n/a
0 0 dmzSpoof all ------ 0xFF 0x00 eth0
64.81.226.168/29 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
64.81.226.174 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0
0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0
0.0.0.0/0 192.168.1.0/24 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 135
32 2496 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 135 -> *
1042K 77M dmzIn all ------ 0xFF 0x00 eth0
0.0.0.0/0 64.81.226.168/29 n/a
4 208 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 113
26440 4804K ACCEPT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
0 0 REJECT udp ----l- 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 DENY udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 67
158K 19M ACCEPT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
9 504 ACCEPT icmp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 n/a
9 504 DENY all ----l- 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT udp ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 REJECT udp ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 161:162 -> *
805K 98M ACCEPT all ------ 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize
source destination ports
0 0 DENY icmp ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.168/29 * -> 53
0 0 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.168/29 * -> 22
0 0 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.168/29 * -> 53
40165 2252K ACCEPT icmp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.168/29 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 6003
0 0 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 6003
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 7002
0 0 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 7002
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 27005
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 27010
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 27011
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 27012
78927 3053K ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 27015
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 27016
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 28900
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 6003
0 0 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 6003
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 7002
0 0 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 7002
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 27005
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 27010
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 27011
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 27012
729K 46M ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 27015
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 27016
0 0 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 28900
8 1256 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 80
3 144 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.171 * -> 21
483 46051 ACCEPT tcp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.171 * -> 80
6481 271K ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.171 * -> 1024:64999
20 2148 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.173 * -> 1024:64999
53 12756 ACCEPT udp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.172 * -> 1024:64999
1457 1149K ACCEPT tcp !y---- 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.168/29 * -> 1024:65535
0 0 ACCEPT icmp ------ 0xFF 0x00 eth2
0.0.0.0/0 64.81.226.168/29 * -> *
1783 217K ACCEPT tcp ------ 0xFF 0x00 eth0
64.81.226.168/29 0.0.0.0/0 * -> *
7316 490K ACCEPT icmp ------ 0xFF 0x00 eth0
64.81.226.168/29 0.0.0.0/0 * -> *
0 0 ACCEPT udp ------ 0xFF 0x00 eth0
64.81.226.168/29 0.0.0.0/0 53 -> *
615K 85M ACCEPT udp ------ 0xFF 0x00 eth0
64.81.226.168/29 0.0.0.0/0 * -> *
176K 12M MASQ all ------ 0xFF 0x00 eth0
192.168.1.0/24 0.0.0.0/0 n/a
304 18662 DENY all ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 n/a
Chain output (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize
source destination ports
1843K 176M fairq all ------ 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
224.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
172.16.0.0/12 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0
240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ------ 0xFF 0x00 eth0
192.168.1.0/24 0.0.0.0/0 n/a
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 137
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 135
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 138:139
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 * -> 138
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 137:138 -> *
0 0 REJECT udp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 135 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 137:139 -> *
0 0 REJECT tcp ------ 0xFF 0x00 eth0
0.0.0.0/0 0.0.0.0/0 135 -> *
1843K 176M ACCEPT all ------ 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 n/a
Chain fairq (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize
source destination ports
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN ospf ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 n/a
0 0 RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 520
0 0 RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 520 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 179
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 179 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 53
0 0 RETURN tcp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 53 -> *
2018 138K RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 * -> 53
2004 279K RETURN udp ------ 0xFF 0x00 * 0x1
0.0.0.0/0 0.0.0.0/0 53 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 * -> 23
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 23 -> *
0 0 RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 * -> 22
1928 604K RETURN tcp ------ 0xFF 0x00 * 0x2
0.0.0.0/0 0.0.0.0/0 22 -> *
Chain dmzSpoof (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize
source destination ports
0 0 RETURN all ------ 0xFF 0x00 *
64.81.226.168 0.0.0.0/0 n/a
0 0 RETURN all ------ 0xFF 0x00 *
64.81.226.169 0.0.0.0/0 n/a
0 0 RETURN all ------ 0xFF 0x00 *
64.81.226.170 0.0.0.0/0 n/a
0 0 RETURN all ------ 0xFF 0x00 *
64.81.226.175 0.0.0.0/0 n/a
0 0 RETURN all ------ 0xFF 0x00 *
64.81.226.1 0.0.0.0/0 n/a
0 0 RETURN all ------ 0xFF 0x00 *
64.81.226.174 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 n/a
Chain dmzIn (1 references):
pkts bytes target prot opt tosa tosx ifname mark outsize
source destination ports
0 0 RETURN all ------ 0xFF 0x00 *
0.0.0.0/0 64.81.226.168 n/a
0 0 RETURN all ------ 0xFF 0x00 *
0.0.0.0/0 64.81.226.169 n/a
0 0 RETURN all ------ 0xFF 0x00 *
0.0.0.0/0 64.81.226.170 n/a
0 0 RETURN all ------ 0xFF 0x00 *
0.0.0.0/0 64.81.226.175 n/a
0 0 RETURN all ------ 0xFF 0x00 *
0.0.0.0/0 64.81.226.1 n/a
185K 24M RETURN all ------ 0xFF 0x00 *
0.0.0.0/0 64.81.226.174 n/a
857K 53M ACCEPT all ------ 0xFF 0x00 *
0.0.0.0/0 0.0.0.0/0 n/a
So my question: Is there a simple configuration that does a blanket
allowance of Internal requests into the DMZ, or do I need to configure
individual IPMASQADM statements for every case?
Thanks again for all the previous help,
Dan
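The log line above is the key evidence: counting the forward chain in the listing, rule #41 is its final catch-all "DENY all", and the denied packet is a reply (source port 80, ephemeral destination port) from a DMZ web server to an internal client leaving via eth1, an interface for which the forward chain has no ACCEPT at all (every DMZ-sourced ACCEPT there is on eth0). The following Python is an added example, not code from the post or from the LEAF project: it parses an ipchains "Packet log:" line into fields, classifies the packet by zone using an interface-to-zone map read off the listing (eth0 outside, eth1 = 192.168.1.0/24, eth2 = 64.81.226.168/29; an assumption), flags port patterns that look like reply traffic, and builds the forward rule that would admit such replies ahead of the catch-all. The sample log line is the post's own, re-joined onto one line.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the kernel log line from the post, re-joined onto one line.
SAMPLE_LOG = ("Jun 25 06:42:16 cuinn kernel: Packet log: forward DENY eth1 PROTO=6 "
              "64.81.226.171:80 192.168.1.201:2539 L=48 S=0x00 I=1095 F=0x4000 T=63 (#41)")

# Assumed interface-to-zone map, read off the listing (eth0 masquerades 192.168.1.0/24
# to the outside, eth2 fronts 64.81.226.168/29, and the logged packet left via eth1).
ZONES = {
    "outside": ("eth0", None),
    "internal": ("eth1", ip_network("192.168.1.0/24")),
    "dmz": ("eth2", ip_network("64.81.226.168/29")),
}

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Field layout of an ipchains kernel log line; the O= (IP options) field is optional.
_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: O=(?P<opts>\S+))? \(#(?P<rule>\d+)\)"
)


def parse_ipchains_log(line):
    """Parse one ipchains 'Packet log:' line into a dict, or return None if it is not one."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)  # IP fragment word: flags in the top 3 bits, offset below
    return {
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),  # for ICMP these are type:code, not ports
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "tos": int(d["tos"], 16), "ipid": int(d["ipid"]),
        "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000), "frag_offset": frag & 0x1FFF,
        "ttl": int(d["ttl"]), "rule": int(d["rule"]),
    }


def zone_of(ip, zones):
    """Name the zone whose network contains ip; anything unmatched counts as 'outside'."""
    addr = ip_address(ip)
    for name, (_iface, net) in zones.items():
        if net is not None and addr in net:
            return name
    return "outside"


def _net_str(zones, zone):
    net = zones[zone][1]
    return "0.0.0.0/0" if net is None else str(net)


def classify(pkt, zones):
    """Describe which way a logged packet was crossing and whether it looks like a reply.

    The heuristic is port-based only: an ipchains log line carries no TCP flags, so a
    service-port source with an ephemeral-port destination is the best evidence available.
    """
    src_zone = zone_of(pkt["src"], zones)
    dst_zone = zone_of(pkt["dst"], zones)
    likely_reply = (pkt["proto"] in (6, 17)
                    and pkt["sport"] < 1024 and pkt["dport"] >= 1024)
    return {"direction": f"{src_zone}->{dst_zone}",
            "likely_reply": likely_reply,
            "out_iface": pkt["iface"]}


def suggest_return_rule(pkt, zones):
    """Build the ipchains forward rule that would admit this reply traffic.

    Inserted at the logged rule number, it lands just ahead of the rule that denied the
    packet (the chain's final catch-all in the listing). For TCP, '! -y' limits the match
    to non-SYN segments so the DMZ host still cannot open new connections inward.
    """
    src_net = _net_str(zones, zone_of(pkt["src"], zones))
    dst_net = _net_str(zones, zone_of(pkt["dst"], zones))
    proto = PROTO_NAMES.get(pkt["proto"], str(pkt["proto"]))
    flags = "! -y " if proto == "tcp" else ""
    return (f"ipchains -I forward {pkt['rule']} -i {pkt['iface']} -p {proto} {flags}"
            f"-s {src_net} -d {dst_net} 1024:65535 -j ACCEPT")


if __name__ == "__main__":
    pkt = parse_ipchains_log(SAMPLE_LOG)
    print(pkt)
    print(classify(pkt, ZONES))
    print(suggest_return_rule(pkt, ZONES))
```

The generated rule mirrors the listing's existing rule 34 (the "ACCEPT tcp !y----" into the DMZ on eth2) for the other direction. The caveat is that ipchains is stateless: a "! -y" rule cannot distinguish a genuine reply from any other non-SYN segment the DMZ host sends inward, and UDP has no flag to key on at all, so the filter admits every DMZ-to-internal UDP datagram aimed at a high port. That is as tight as a packet filter of this generation gets; a kernel with iptables connection tracking (ESTABLISHED,RELATED) is what removes the gap.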
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user