Hi all,

 I have been using DS cd 1.02 since it came out and I have had no problems. Today I 
endeavored to put in a webserver on a private DMZ. It is obvious that I am now 
exceeding my knowledge of this subject. My private net still works but I can't get the 
dmz to go. I think that the new card is working as it blinks when I ping but who 
knows...  I am sure that I have something wrong as I get denied www packets in the 
output log but I don't know where I went wrong. I have included everything I can think 
of including the output of a debug script I wrote a while back. I really didn't think 
that *I* would need it. I have one static IP so I am using a PRIVATE DMZ. In short I 
have made these changes to /etc/network.conf.

Thanks for any Help Robert

# PRIVATE-DMZ additions to /etc/network.conf, as listed in this message.
# Allow every DMZ host to open outbound connections (NO would limit this to
# the port-forwarded servers; see the DMZ section of the full file below).
DMZ_OUTBOUND_ALL=YES
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
# $EXTERN_IP must already be set when this line is evaluated; in the full
# network.conf below it is derived from eth0_IPADDR (64.171.17.147) before the
# DMZ section, so the forward is external:80 -> 192.168.2.1:80.
DMZ_SERVER0="tcp $EXTERN_IP www 192.168.2.1 www"
# NOTE(review): 192.164.2.254 looks like a typo for 192.168.2.254.  The DMZ
# server is 192.168.2.1, DMZ_NET is 192.168.2.0/24 and the web server's
# /etc/defaultrouter points at 192.168.2.254, but this value puts eth2 on
# 192.164.2.0/24 (a public range, not one of the RFC 1918 private ranges).
# With no interface on 192.168.2.0/24 the firewall's only route to the web
# server is the default via eth0 -- exactly what the "ip route show" output
# and the "output DENY eth0 ... 192.168.2.1:80" log lines in this message show.
eth2_IPADDR=192.164.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
#eth2_ROUTES=
# Same source-address check / martian-logging settings as eth0 and eth1
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO
# External hole for the forwarded web port.  The full network.conf below also
# has EXTERN_TCP_PORT0="0/0 www", so this entry duplicates it; one is enough.
EXTERN_TCP_PORT1="0/0 www"

and these changes to the web server....


WEB server
/etc/hosts
127.0.0.1       localhost
192.168.2.1     web     loghost
192.168.2.254   firewall

/etc/defaultrouter
192.168.2.254

Feb 21 18:16:10 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=46190 F=0x4000 T=254 SYN (#8) 
Feb 21 18:16:12 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=46191 F=0x4000 T=254 SYN (#8) 
Feb 21 18:16:18 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=7653 F=0x4000 T=254 SYN (#8) 


Pings From firewall

firewall: /root # ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes

--- 192.168.2.1 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
firewall: /root # ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254): 56 data bytes

--- 192.168.2.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
firewall: /root #
firewall: /root #
firewall: /root # ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=255 time=0.9 ms

--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.8/0.9 ms

cat /tmp/debug.sink
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

Info For Routing Problems

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

ip addr show

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop 
    link/ether fe:fd:05:00:a5:a4 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:63:65 brd ff:ff:ff:ff:ff:ff
    inet 64.171.17.147/29 brd 64.171.17.151 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:4c:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f0:79:9c:94 brd ff:ff:ff:ff:ff:ff
    inet 192.164.2.254/24 brd 192.164.2.255 scope global eth2

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

ip route show

64.171.17.144/29 dev eth0  proto kernel  scope link  src 64.171.17.147 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254 
192.164.2.0/24 dev eth2  proto kernel  scope link  src 192.164.2.254 
default via 64.171.17.145 dev eth0 

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

ip neighbor show

64.171.17.145 dev eth0 lladdr 00:00:89:2b:83:be nud stale
192.168.1.2 dev eth1 lladdr 00:05:02:70:38:08 nud reachable

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

ip -s link show

1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast   
    672        6        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    672        6        0       0       0       0      
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip 
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop 
    link/ether fe:fd:05:00:a5:a4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    0          0        0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:63:65 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    361559     833      0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    76978      626      0       0       0       0      
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:4c:3e brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    157156     1621     0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    744495     1825     0       0       0       15     
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f0:79:9c:94 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast   
    5220       87       0       0       0       0      
    TX: bytes  packets  errors  dropped carrier collsns 
    0          0        0       0       0       0      

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

arp -an

/usr/local/bin/debug: arp: command not found

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
64.171.17.144   0.0.0.0         255.255.255.248 U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.164.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         64.171.17.145   0.0.0.0         UG        0 0          0 eth0

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

netstat -nre

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.171.17.144   0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.164.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         64.171.17.145   0.0.0.0         UG    0      0        0 eth0

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /etc/network_direct.conf

cat: /etc/network_direct.conf: No such file or directory

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# Information about this file is available in the `libc6-doc' package.

passwd:         files
group:          files
shadow:         files

hosts:          files dns
networks:       files

protocols:      files
services:       files
ethers:         files
rpc:            files

netgroup:       files

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /etc/hosts

# This file was generated by /etc/rcS.d/S39network. It may be overwritten!
192.168.1.254   firewall.private.network        firewall fw
127.0.0.1       localhost


pinging 192.168.1.254

PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.4 ms

--- 192.168.1.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.7 ms

pinging 127.0.0.1

PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.4 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /etc/resolv.conf

# This file was generated by /etc/rcS.d/S39network. It may be overwritten!
search          private.network
nameserver      206.13.28.12
nameserver      206.13.31.12
nameserver      127.0.0.1


pinging 206.13.28.12

PING 206.13.28.12 (206.13.28.12): 56 data bytes
64 bytes from 206.13.28.12: icmp_seq=0 ttl=249 time=21.1 ms
64 bytes from 206.13.28.12: icmp_seq=1 ttl=249 time=19.7 ms

--- 206.13.28.12 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 19.7/20.4/21.1 ms

pinging 206.13.31.12

PING 206.13.31.12 (206.13.31.12): 56 data bytes
64 bytes from 206.13.31.12: icmp_seq=0 ttl=245 time=23.9 ms
64 bytes from 206.13.31.12: icmp_seq=1 ttl=245 time=23.6 ms

--- 206.13.31.12 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 23.6/23.7/23.9 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

INTERN_IP is 192.168.1.254


pinging 192.168.1.254

PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.4 ms

--- 192.168.1.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

eth0_DEFAULT_GW is 64.171.17.145


pinging 64.171.17.145

PING 64.171.17.145 (64.171.17.145): 56 data bytes
64 bytes from 64.171.17.145: icmp_seq=0 ttl=49 time=1.5 ms
64 bytes from 64.171.17.145: icmp_seq=1 ttl=49 time=1.2 ms

--- 64.171.17.145 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.3/1.5 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /etc/network.conf

###############################################################################
# Extended firewall configuration scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
###############################################################################
# Brief instructions for this file
###############################################################################
#
# VERBOSE=(YES/NO)                      Default: Yes
# Be verbose about settings.
#
# MAX_LOOP=(int)                        Default: 10
# Maximum number of incrementable entries to search for.
# IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
# (DNS0 - DNS7 == 8 entries)
# Setting this value too high will decrease the speed of the configuration
# system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON)    Default: NO
# Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
# only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO)        Default: NO
# Enable IP Global defragmentation in the kernel.  
#
# **WARNING** - If this was turned on everywhere in a network of routers,
# it can result in TCP connections failing and TCP connection resets. 
#
# ONLY turn this on if the box is a firewall or the single point of
# entry for a network, or an endpoint for port forwarding or a load
# balancer for a WWW server farm.  DO NOT turn this on if the box is a
# conventional router as it breaks the TCP/IP RFCes.  This option is
# needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
# transperent proxying or other kernel operations that intercept a
# packet flow and redirect it.
#
# It is a usful tool when using a packet filtering router to protect
# directly attached ethernet networks of servers as it stops fragment
# attacks on the servers in behind the router. Another use is packet
# filtering router to protect dial-in Internet users on NASes
# (Portmasters, TC racks etc) from various SMB and fragment attacks
# and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO)              Default: NO
# Create /etc/hostname file using HOSTNAME entry.
# Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO)             Default: NO
# Create /etc/hosts file using HOSTSx entries.
# Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO)                   Default: NO
# Create /etc/resolv.conf file using DOMAINS and DNSx entries.
# Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST                               Default: "$IF_AUTO"
# A space seperated list of interfaces that can be ACTIVE on this machine
# This controls which interfaces can be brought up and down manually.
#
# IF_AUTO                               Default: "eth0"
# A space seperated list of interfaces that get started on boot. Tunneling
# interfaces like CIPE should be after the raw  interfaces they depend on.
# The interfaces are started in the order they occur on the list, and are 
# shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall)        Default: "none"
# Selects the basic IP filtering/firewalling setup of the router.  "None" 
# is used for a straight through router, "router" for a filtering router with
# IP spoof protection and Martian protection and "firewall" for a basic IP 
# masquerading/NAT firewall.  The basic filter types are provided in 
# /etc/ipfilter.conf.  If you want more than what is provided read the man 
# pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
###############################################################################
# General Settings
###############################################################################

VERBOSE=YES
# Only indexes 0..4 of the indexed lists (DNSx, EXTERN_TCP_PORTx, DMZ_SERVERx,
# ...) are scanned -- see the MAX_LOOP notes in the header.  The highest index
# used anywhere in this file is 1, so 4 is sufficient.
MAX_LOOP=4

# Per the header, FILTER_ON means the kernel only forwards once the IP filter
# rules are loaded.
IPFWDING_KERNEL=FILTER_ON

# Required for port forwarding / masquerading (see the header warning); this
# box is the single entry point for both networks, which is the intended case.
IPALWAYSDEFRAG_KERNEL=YES

# The next three make the network script (re)generate /etc/hostname,
# /etc/hosts and /etc/resolv.conf from this file; hand edits to those files
# are lost (the generated files carry a "may be overwritten" header).
CONFIG_HOSTNAME=YES

CONFIG_HOSTSFILE=YES

CONFIG_DNS=YES

###############################################################################
# Interfaces
###############################################################################

# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
# eth2 (the new DMZ interface) is started at boot along with the external and
# internal interfaces; each of the three needs its own ethN_* block below.
IF_AUTO="eth0 eth1 eth2"

# List of all configured interfaces, manual start and boot start 
IF_LIST="$IF_AUTO"

# Accept ICMP Redirects on ALL interfaces, also depends on /proc 
# per interface IP forwarding flag. - YES/NO 
ALLIF_ACCEPT_REDIRECTS=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, some
#         WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
# (defaults only; every ethN block below sets these explicitly anyway)
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
# (brg0 shows up in "ip addr show" above but stays down with this set to NO)
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""

###############################################################################

# External interface: the single static public address (a /29).
eth0_IPADDR=64.171.17.147
eth0_MASKLEN=29
eth0_BROADCAST=+
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
# (This is the only *_DEFAULT_GW in the file, as required; the debug output
# above shows it as the "default via" route and it answers ping.)
eth0_DEFAULT_GW=64.171.17.145
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
#   Space seperated list: <PREFIX>[_<more ip route options>]
#eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects. Setting it to NO 
# makes this more secure. Don't turn this off if you have two IP 
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit   # Device bandwidth
#eth0_HNDL=2            # Queue Handle - must be unique
#eth0_IABURST=100       # Interactive Burst
#eth0_IARATE=1Mbit      # Interactive Rate
#eth0_PXMTU=1514        # Physical MTU - includes Link Layer header

###############################################################################

# Internal interface (INTERN_IF below): 192.168.1.0/24, the network that the
# message says still works.  Settings mirror the eth0 block, minus the
# default gateway.
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

###############################################################################

# DMZ interface (DMZ_IF below).
# NOTE(review): 192.164.2.254 looks like a typo for 192.168.2.254.  DMZ_NET
# (below) is 192.168.2.0/24, the web server is 192.168.2.1 and its
# /etc/defaultrouter is 192.168.2.254, but this value puts eth2 on
# 192.164.2.0/24 (a public range, not one of the RFC 1918 private ranges).
# The firewall therefore has no route to 192.168.2.0/24 other than the default
# via eth0 -- exactly what the "ip route show" output and the
# "output DENY eth0 ... 192.168.2.1:80" log lines in this message show.
eth2_IPADDR=192.164.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
#eth2_ROUTES=
# Same source-address check / martian-logging settings as eth0 and eth1
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

###############################################################################
# NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
###############################################################################
# Configured as an interface to allow flexible handling of bringing the
# routing rules up/down in conjunction with the physical interfaces
# interface spec is an indexed list of IP address pairs and a base priority
# number for ip rule creation
#nat0_BASE_PRI=100                       # Unique base value for ip rules
# Indexed list: <public IP> <private DMZ IP>
#nat0_PAIR0="1.1.2.3 192.168.2.13"
#nat0_PAIR1="1.1.2.4 192.168.2.14"
#nat0_PAIR2="1.1.2.5 192.168.2.15"

# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit  # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit # Usually you set this to the CIR
#fr498_BULKBURST=50     # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit # The bandwidth of the interface
#fr498_IABURST=512      # No of Interactive Burst packets
#fr498_IARATE=640Kbit   # Burst capicity bandwith between 
                        # BURST and CIR
#fr498_HNDL=2           # The queue handle - must be unique Dialup PPP is 1000+
#fr498_PXMTU=1508       # The Physical MTU of the interface (data + MAC header)

# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
#ppp_BNDWIDTH=30Kbit
#ppp_FAIRQ=YES
#ppp_TXQLEN=30
#ppp_IABURST=20
#ppp_IARATE=10Kbit
#ppp_PXMTU=1500

###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################

# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www 
# to internal machines below.
# "firewall" = masquerading/NAT firewall rule set (see the header); the
# concrete rules live in /etc/ipfilter.conf, not in this file.
IPFILTER_SWITCH=firewall

# This set of variables is used with both sets of filters
SNMP_BLOCK=YES                  # Block all SNMP (YES/NO)
                                # List of IP  Nos used for SNMP management
#SNMP_MANAGER_IPS="10.100.1.2"
# Fair Queuing support          
# List of Mark values
MRK_CRIT=1                      # Critical traffic, routing, DNS
MRK_IA=2                        # Interactive traffic - telnet, ssh, IRC
                                # List of traffic types and maps to mark values
                                # Setting this variable turns on the 
                                # fairq chain
# Entries are <mark>_<proto>_<src/mask>[_<port>] joined by '_'.  The string
# spans three lines; the embedded newlines are plain whitespace inside the
# quotes.  Every ethN_FAIRQ above is NO, so the marks are presumably unused
# on this box -- verify before relying on them.
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp 
${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet 
${MRK_IA}_tcp_0/0_ssh"

# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
#       port forwarding when EXTERN_DYNADDR is on because some security
#       leaks will result.  You may also want to limit the external open
#       ports to domain (UDP) for DNS. Anyhow, these features are not that 
#       usable unless you have a static external address 
#
EXTERN_IF="eth0"                # External Interface

# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interface.
EXTERN_DHCP=NO                  # YES/NO

# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF

# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address.  Set this to NO for typical ethernet setups, even if you
# are using DHCP
EXTERN_DYNADDR=NO               # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
# Indirect expansion: with EXTERN_IF=eth0 this runs EXTERN_IP="${eth0_IPADDR:-}"
# and so yields 64.171.17.147 (set in the eth0 block above).  The eval is only
# safe because EXTERN_IF is a literal interface name set in this file; it must
# never be derived from anything outside the configuration.
eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
#EXTERN_IP="64.171.17.147"
# Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the
# interface, but you arn't using DHCP (ie PPPoE and dialup users)
#EXTERN_IP=DYNAMIC

# If external interface IP is dynamic, read the configured IP address 
# This should probably be moved to the init.d network script, but I put it
# here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" -o \
     "$EXTERN_DHCP" = "Yes" -o \
     "$EXTERN_DHCP" = "yes" -o \
     "$EXTERN_IP" = "DYNAMIC" ] ; then

  # This computes the IP address of $EXTERN_IF
  EXTERN_IP=`ip addr list label $EXTERN_IF | \
             grep inet | sed '1!d' | \
             sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`

  # If the external address is not configured, use a bogus address for the
  # external interface to prevent a bunch of (harmless) errors that spit out
  # when the IPCHAINS script is called.
  if [ x$EXTERN_IP = x ]; then
    EXTERN_IP=192.168.254.254
  fi
fi

# Traffic to completely ignore...define here to prevent filling your logs
# Space seperated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extentions of the pre-configured ipchains rules
# Hook scripts for extra ipchains rules (one per chain), per the comment
# above.  Whether they exist on this box is not shown in this message; any
# hand-written rules for the DMZ belong in these rather than in this file.
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space seperated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
# NOTE(review): both entries are open to any source address.  bootpc is only
# needed by a DHCP client and EXTERN_DHCP=NO above, so it can go.  domain
# appears to expose whatever DNS service listens on the firewall itself
# (/etc/resolv.conf above lists nameserver 127.0.0.1) to the whole Internet;
# if that resolver only serves the LAN, restrict the source to the upstream
# nameservers or drop the entry.  Verify against /etc/ipfilter.conf.
EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space seperated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"

# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
# External hole for the port-forwarded web server (DMZ_SERVER0 below).
# PORT1 and PORT0 are identical; one entry is enough (both are within
# MAX_LOOP=4, so the duplicate is merely redundant, not harmful).
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT0="0/0 www"
# Generic Services open to outside world
# Space seperated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"

# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"

###############################################################################
# Internal Interface
###############################################################################
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1"                # Internal Interface
INTERN_NET=192.168.1.0/24       # One (or more) Internal network(s)
INTERN_IP=192.168.1.254         # IP number of Internal Interface
                                # (to allow forwarding to external IP)
# The denied packets in the log above are 192.168.1.2 (an internal host,
# reachable per "ip neighbor show") -> 192.168.2.1:80 leaving on eth0: with no
# interface route for 192.168.2.0/24 the DMZ-bound traffic follows the default
# route instead of going out DMZ_IF.  See the eth2_IPADDR note above.
MASQ_SWITCH=YES                 # Masquerade internal network to outside
                                # world - YES/NO
                                # world - YES/NO

# These services are not masqueraded from int to ext/DMZ, preventing access
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST="tcp_0/0_ssh"

# Override for above...only the listed dest IP's can be accessed
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"

###############################################################################
# Port Forwarding
###############################################################################
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#       <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
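#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp 
# NOTE(review): the continuation of the example above was not commented out.
# Left bare it is parsed as a command with an unbalanced double quote, which
# swallows the following lines up to the next '"' when this file is sourced.
# It may just be the mail client wrapping one long line -- check the file on
# disk; either way the example must be entirely comment.
#               tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"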

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1  # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24             # External port to use for internal SSH access

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW1=""

###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
# PRIVATE: the DMZ uses private addresses and is reached from outside only
# through the DMZ_SERVERx port forwards below.
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
# NOTE(review): this network must be the one configured on DMZ_IF.  eth2 is
# currently 192.164.2.254/24 (eth2_IPADDR above), so the firewall has no
# interface route for 192.168.2.0/24 and sends DMZ-bound packets out the
# default route on eth0 -- consistent with the "output DENY eth0 ...
# 192.168.2.1:80" log lines and the "ip route show" output in this message.
DMZ_NET=192.168.2.0/24

# DMZ switches for all flavors except PRIVATE
###############################################################################
# For NAT DMZ's:
# DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the
# public IP range being NAT'd to DMZ_NET.  Any systems  
# (Template example value, presumably ignored for DMZ_SWITCH=PRIVATE per the
# heading above -- confirm in /etc/ipfilter.conf before removing.)
DMZ_SRC=1.1.1.0/27

# For Proxy-Arp or NAT DMZ's only:
# For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT)
# specification, above, that are NOT remote systems reached via DMZ_IF must
# be listed here.  This potentially includes IP's of this LRP system, your
# gateway, and systems connected to your external interface.
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"

## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!

# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: (or a smaller range)
# as the dest port range in DMZ_OPEN_DEST (RECOMMENDED)
DMZ_HIGH_TCP_CONNECT=NO

## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"

# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
# (Still the template example, including the 1.1.2.13 web host.  For a
# PRIVATE DMZ inbound access is defined by DMZ_SERVERx below instead; this
# list presumably only matters for the other DMZ flavors.)
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
                tcp_${DMZ_NET}_domain
                icmp_${DMZ_NET}_:
                tcp_1.1.2.13_www"

# PRIVATE DMZ switches
###############################################################################
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"

# $EXTERN_IP is already 64.171.17.147 at this point (derived from eth0_IPADDR
# above), so this forwards external port 80 to the DMZ web server.  The
# matching external hole is EXTERN_TCP_PORT0/1 above.
DMZ_SERVER0="tcp $EXTERN_IP www 192.168.2.1 www"
#DMZ_SERVER0="udp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER2="tcp 1.2.3.13 www 192.168.2.1 www"
#DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
#DMZ_SERVER4="tcp 1.2.3.12 www 192.168.2.1 8080"

# Allow all outbound traffic from DMZ (YES)
# or just traffic from port-forwarded servers (NO)
# YES lets any DMZ host, including a compromised one, initiate connections
# outward; NO limits that to the hosts listed in DMZ_SERVERx, which is the
# tighter choice once the DMZ is only the web server.
DMZ_OUTBOUND_ALL=YES

###############################################################################
# Interface activation/deactivation functions
#  Here so that special interface commands can be called and daemons started
#  
#  Arps can be set up here, network/host routes and so forth.
#
#  This appears to be a little messy but is needed to achieve maximum 
#  functionality and flexibility.
#
###############################################################################

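# Print the route prefix of a "<prefix>_<arg>_<arg>..." route spec, i.e. the
# text before the first underscore (used by if_up to split the entries of
# <iface>_ROUTES).
# $1 = underscore-separated route spec
# Outputs: the prefix on stdout
echo_rtepfx () {
        local IFS='_'
        set -- $1
        # quoted so the prefix is never glob-expanded or re-split
        echo "$1"
}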

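# Print the remaining "ip route" arguments of a "<prefix>_<arg>_<arg>..."
# route spec, i.e. everything after the first underscore, space separated.
# $1 = underscore-separated route spec
# Outputs: the arguments on stdout (empty line when there are none)
echo_rteargs () {
        local IFS='_'
        set -- $1
        # guard the shift: an empty spec leaves no positional parameters and
        # some shells treat shifting past $# as a fatal error
        [ $# -gt 0 ] && shift
        echo "$@"
}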

# Function to add a static NAT translation
# $1 = Name of environment variable which contains IP address
# $2 = Action (add or del)
# $3 = Base priority value
# $y = Current walklist index count
# Add or remove one static NAT translation (route + policy rule).
# $1 = name of the variable holding "<nat IP> <real IP>"
# $2 = ip action (add or del)
# $3 = base priority for the ip rule
# $y = current walk_list index, added to $3 to give a unique rule priority
do_nat () {
        local action=$2
        local prio=$(( $3 + $y ))
        local pair
        # indirect read of the variable named in $1
        eval "pair=\$$1"
        set -- $pair
        ip route $action nat $1 via $2
        ip rule $action prio $prio from $2 nat $1
}

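# Bring up interface $1 and apply everything configured for it.
# $1 = interface name (eth0, ppp0, fr*, nat* ...).  Settings are read from
#      the shell variables <iface>_IPADDR, <iface>_MASKLEN,
#      <iface>_BROADCAST, <iface>_PTPADDR, <iface>_DEFAULT_GW,
#      <iface>_IP_EXTRA_ADDRS, <iface>_ROUTES, <iface>_TXQLEN,
#      <iface>_IP_SPOOF, <iface>_IP_KRNL_LOGMARTIANS, <iface>_IP_SHARED_MEDIA,
#      <iface>_BRIDGE, <iface>_PROXY_ARP (and <iface>_BASE_PRI /
#      <iface>_PAIR for nat* pseudo-interfaces).
# Returns: 0 always; the individual ip/tc commands are not checked, so
#          failures only show up in the boot log.
if_up () {
        local ADDR
        local route
        # Extra "broadcast X" words for "ip addr add".  Declared local and
        # cleared on entry so a broadcast configured for one interface is not
        # carried over into the next if_up call (it used to be a global that
        # was only ever set, never reset).  Presumably nothing outside this
        # function reads it.
        local IFCFG_BROADCAST=""

        # sort out a few things to make life easier - here so that you
        # can see what is done and so that you can add anything if needed
        eval local IPADDR=\${"$1"_IPADDR:-""}
        eval local MASKLEN=\${"$1"_MASKLEN:-""}
        eval local BROADCAST=\${"$1"_BROADCAST:-""}
        eval local PTPADDR=\${"$1"_PTPADDR:-""}
        eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
        eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
        eval local ROUTES=\${"$1"_ROUTES:-""}
        eval local FAIRQ=\${"$1"_FAIRQ:-""}
        eval local TXQLEN=\${"$1"_TXQLEN:-""}
        eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
        eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
        eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
        eval local BRIDGE=\${"$1"_BRIDGE:-""}
        eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
        if [ -n "$BROADCAST" ] ; then
                IFCFG_BROADCAST="broadcast $BROADCAST"
        fi

        # Global bridge setup (brg_global is defined elsewhere in this file)
        brg_global

        # Set default interface flags here - used for PPP and WAN interfaces
        if_setproc default rp_filter $DEF_IP_SPOOF
        if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
        if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS

        # Set up each interface
        case $1 in
        ppp0)
                pppd call provider
                ;;
        fr*)
                # wanpipe WAN interface: point-to-point address, no prefix
                # length or broadcast
                wanconfig card wanpipe1 dev $1 start
                ip addr add $IPADDR peer $PTPADDR dev $1
                ip link set $1 up
                # Fair queuing - this can be selected for any interface
                ip_frQoS $1
                ;;
        nat*)
                # Static NAT pseudo-interface: walk <iface>_PAIR and let
                # do_nat add one route/rule pair per entry
                eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
                walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
                ;;
        *)      # default interface startup
                brg_iface $1 up $BRIDGE
                # IFCFG_BROADCAST is deliberately unquoted: it is either
                # empty or the two words "broadcast <addr>"
                [ -n "$IPADDR" ] \
                        && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
                for ADDR in $IP_EXTRA_ADDRS; do
                        ip addr add $ADDR dev $1
                done

                ip link set $1 up

                # With proxy ARP the routes created by "ip addr add" are
                # flushed; presumably <iface>_ROUTES then supplies what is
                # needed
                case "$PROXY_ARP" in
                YES|Yes|yes)
                        ip route flush dev $1
                        ;;
                *)
                        ;;
                esac

                # Fair queuing - this can be selected for any interface
                ip_QoS $1
                ;;
        esac

        # Static routes: each entry is "<prefix>_<ip route args...>"
        for route in $ROUTES; do
                ip route add $(echo_rtepfx $route) dev $1 $(echo_rteargs $route)
        done

        # Do universal interface config items here
        # Default route support
        [ -n "$DEFAULT_GW" ] \
                && ip route replace default via $DEFAULT_GW dev $1
        # Set the TX Queue Length
        [ -n "$TXQLEN" ] \
                && ip link set $1 txqlen $TXQLEN
        # Spoof protection
        if_setproc $1 rp_filter $IP_SPOOF
        # Kernel logging of martians on this interface
        if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
        # Shared Media stuff
        if_setproc $1 shared_media $IP_SHARED_MEDIA
        # Proxy ARP support
        if_setproc $1 proxy_arp $PROXY_ARP

        return 0
}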

# Take interface $1 down, undoing what if_up did for it.
# $1 = interface name (ppp*, fr*, nat*, or anything else)
# Returns: 0 always
if_down () {
        local pidfile

        # global bridge bookkeeping first, as in if_up
        brg_global

        case $1 in
        ppp*)
                pidfile=/var/run/$1.pid
                if [ -f "$pidfile" ]; then
                        qt kill $(cat "$pidfile")
                fi
                sleep 5        # give pppd time to exit
                ;;
        fr*)
                qt ip link set $1 down
                qt ip addr flush dev $1
                qt wanconfig card wanpipe1 dev $1 stop
                ;;
        nat*)
                # remove the route/rule pairs that if_up added via do_nat
                eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
                walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
                ;;
        *)      # default action
                brg_iface $1 down
                ip link set $1 down    # This also kills any routes
                qt ip addr flush dev $1
                ;;
        esac

        # Clean up any QoS/fair queuing stuff
        ip_QoSclear $1

        return 0
}       #END if_down

###############################################################################
# Hostname                                      Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=firewall

###############################################################################
# Hosts file (Static domainname entries)        Requires: CONFIG_HOSTSFILE=YES
###############################################################################
#       IP              FQDN                            hostname alias1 alias2..
# Uses the eth1 address of this box, so it follows any later readdressing.
HOSTS0="$eth1_IPADDR    $HOSTNAME.private.network       $HOSTNAME fw"
#HOSTS1="192.168.1.22   host2.private.network           host2 h2"

###############################################################################
# Domain Search Order and Name Servers          Requires: CONFIG_DNS=YES
###############################################################################

DOMAINS="private.network"

# NOTE(review): DNS0 is assigned twice.  The 127.0.0.1 entry is overwritten by
# the line after it, so the resolver on this box (the netstat output below
# shows a listener on *:53) never ends up in the name server list.  Either
# drop one DNS0 line or renumber the two public servers to DNS1/DNS2.
DNS0=127.0.0.1
DNS0=206.13.28.12
DNS1=206.13.31.12

###############################################################################
# QoS/Fair-queueing functions
###############################################################################

# Remove the root qdisc from interface $1 (quietly, via qt) when tc exists.
# $1 = interface name
# Returns: 0 always
ip_QoSclear () {
        if [ -x /sbin/tc ]; then
                qt tc qdisc del dev $1 root
        fi
        return 0
}

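# Fair queuing for frame-relay (fr*) interfaces: a CBQ root with bulk,
# interactive and priority classes, selected by firewall marks.
# $1 = interface name; parameters come from <iface>_FAIRQ, _BULKRATE,
#      _BULKBURST, _FRBURST, _HNDL, _BNDWIDTH, _IARATE, _IABURST, _PXMTU
# $MRK_CRIT / $MRK_IA = fwmark values for the priority and interactive
#      classes (presumably defined elsewhere in this file)
# Returns: 1 when tc is missing or fair queuing is not enabled for $1,
#          0 otherwise (a plain SFQ is installed if any CBQ parameter is
#          missing)
ip_frQoS () {

        # Per-interface parameters
        eval local FAIRQ=\${"$1"_FAIRQ:-""}
        eval local BULKRATE=\${"$1"_BULKRATE:-""}
        eval local BULKBURST=\${"$1"_BULKBURST:-""}
        eval local FRBURST=\${"$1"_FRBURST:-""}
        eval local HNDL=\${"$1"_HNDL:-""}
        eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
        eval local IARATE=\${"$1"_IARATE:-""}
        eval local IABURST=\${"$1"_IABURST:-""}
        eval local PXMTU=\${"$1"_PXMTU:-""}

        # Nothing can be done without the tc binary
        [ -x /sbin/tc ] || return 1

        # Only act when fair queuing is switched on for this interface
        case "$FAIRQ" in
        YES|Yes|yes)
                ;;
        *)
                return 1
                ;;
        esac

        # Any missing CBQ parameter: fall back to a plain SFQ root qdisc
        # (POSIX [ ] || [ ] instead of the ambiguous -o operator)
        if [ -z "$BULKRATE" ] || [ -z "$FRBURST" ] || [ -z "$HNDL" ] \
                || [ -z "$PXMTU" ] || [ -z "$BNDWIDTH" ] || [ -z "$IARATE" ] \
                || [ -z "$IABURST" ] || [ -z "$BULKBURST" ]; then
                tc qdisc replace dev $1 root sfq
                return 0
        fi

        # Attach CBQ  to device
        tc qdisc add dev $1 root handle $HNDL: cbq \
                bandwidth $BNDWIDTH avpkt 1000
        # Set up classes
        # Bulk class (default for unmarked traffic via defmap ff7f)
        tc class add dev $1 parent $HNDL:0 classid :1 \
                est 1sec 8sec cbq bandwidth $BNDWIDTH \
                rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
                avpkt 1000 maxburst $BULKBURST \
                split $HNDL:0 defmap ff7f
        tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
        # Interactive Class
        tc class add dev $1 parent $HNDL:0 classid :2 \
                est 2sec 16sec cbq bandwidth $BNDWIDTH \
                rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
                avpkt 1000 maxburst $IABURST \
                split $HNDL:0 defmap 80
        tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
        # Priority class
        tc class add dev $1 parent $HNDL:0 classid :3 \
                est 1sec 8sec cbq bandwidth $BNDWIDTH \
                rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
                avpkt 1000 maxburst 21
        tc qdisc add dev $1 parent $HNDL:3 pfifo
        # Add filters: marked packets are steered to classes 3 and 2
        tc filter add dev $1 parent $HNDL:0 protocol ip \
                priority 50 handle $MRK_CRIT fw classid $HNDL:3
        tc filter add dev $1 parent $HNDL:0 protocol ip \
                priority 60 handle $MRK_IA fw classid $HNDL:2

        return 0
}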

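# Fair queuing for ordinary interfaces: a CBQ root with bulk, interactive
# and priority classes, selected by firewall marks.
# $1 = interface name; parameters come from <iface>_HNDL, _FAIRQ, _BNDWIDTH,
#      _PXMTU, _IARATE, _IABURST
# $2..$6 = fallback values for FAIRQ, BNDWIDTH, PXMTU, IARATE and IABURST,
#      used only when the corresponding <iface>_ variable is empty
# $MRK_CRIT / $MRK_IA = fwmark values for the priority and interactive
#      classes (presumably defined elsewhere in this file)
# Returns: 1 when tc is missing or fair queuing is not enabled for $1,
#          0 otherwise (a plain SFQ is installed if any CBQ parameter is
#          missing)
ip_QoS () {

        # Per-interface parameters, with positional fallbacks
        eval local HNDL=\${"$1"_HNDL:-""}
        eval local FAIRQ=\${"$1"_FAIRQ:-""}
        if [ -z "$FAIRQ" ] && [ -n "$2" ]; then
                FAIRQ=$2
        fi
        eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
        if [ -z "$BNDWIDTH" ] && [ -n "$3" ]; then
                BNDWIDTH=$3
        fi
        eval local PXMTU=\${"$1"_PXMTU:-""}
        if [ -z "$PXMTU" ] && [ -n "$4" ]; then
                PXMTU=$4
        fi
        eval local IARATE=\${"$1"_IARATE:-""}
        if [ -z "$IARATE" ] && [ -n "$5" ]; then
                IARATE=$5
        fi
        eval local IABURST=\${"$1"_IABURST:-""}
        if [ -z "$IABURST" ] && [ -n "$6" ]; then
                IABURST=$6
        fi

        # Nothing can be done without the tc binary
        [ -x /sbin/tc ] || return 1

        # Only act when fair queuing is switched on for this interface
        case "$FAIRQ" in
        YES|Yes|yes)
                ;;
        *)
                return 1
                ;;
        esac

        # Any missing CBQ parameter: fall back to a plain SFQ root qdisc
        # (POSIX [ ] || [ ] instead of the ambiguous -o operator)
        if [ -z "$BNDWIDTH" ] || [ -z "$IABURST" ] || [ -z "$IARATE" ] \
                || [ -z "$HNDL" ] || [ -z "$PXMTU" ]; then
                tc qdisc replace dev $1 root sfq
                return 0
        fi

        # Attach CBQ  to device
        tc qdisc add dev $1 root handle $HNDL: cbq \
                bandwidth $BNDWIDTH \
                avpkt 1000
        # Set up classes
        # Bulk class (default for unmarked traffic via defmap ff7f)
        tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec \
                cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
                allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
                split $HNDL:0 defmap ff7f
        tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
        # Interactive class
        tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec \
                cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \
                allot $PXMTU avpkt 1000 bounded isolated weight 1 \
                prio 2 split $HNDL:0 defmap 80
        tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
        # Priority class
        tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec \
                cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
                allot $PXMTU avpkt 1000 bounded weight 1 prio 1
        tc qdisc add dev $1 parent $HNDL:3 pfifo
        # Add filters: marked packets are steered to classes 3 and 2.
        # (The last line used to end in a stray "\" that continued the
        # command onto the following blank line; it is removed so "return 0"
        # can never be swallowed into the tc argument list.)
        tc filter add dev $1 parent $HNDL:0 protocol ip \
                priority 50 handle $MRK_CRIT fw classid $HNDL:3
        tc filter add dev $1 parent $HNDL:0 protocol ip \
                priority 60 handle $MRK_IA fw classid $HNDL:2

        return 0
}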

###############################################################################
# End
###############################################################################

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

Info For Firewall Trouble

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

netstat -an

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.1.254:22        192.168.1.2:49490       ESTABLISHED 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:1023            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      
udp        0      0 0.0.0.0:53              0.0.0.0:*                           
udp        0      0 0.0.0.0:69              0.0.0.0:*                           
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     1707   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1710   @00000001
unix  1      [ ]         STREAM     CONNECTED     1740   @00000005
unix  1      [ ]         STREAM     CONNECTED     1741   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1711   /dev/log

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

ipchains -L -n -v

Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source    
            destination           ports
    7   363 DENY       udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           255.255.255.255       * ->   *
   15   480 DENY       igmp ------ 0xFF 0x00  eth0                           
64.171.17.145        0.0.0.0/0             n/a
   62  3224 DENY       udp  ------ 0xFF 0x00  eth0                           
64.171.17.145        0.0.0.0/0             * ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             5 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             13 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             14 ->   *
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0   
           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
172.16.0.0/12        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/8 
           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
64.171.17.147        0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0 
           127.0.0.0/8           n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0 
           192.168.1.0/24        n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   137
   15   600 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   135
   20  1560 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   135
   15   600 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             135 ->   *
   15   600 ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           64.171.17.147         * ->   80
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           64.171.17.147         * ->   80
   15   600 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   113
  509  332K ACCEPT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   1024:65535
    0     0 REJECT     udp  ----l- 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   161:162
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   53
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   68
    0     0 DENY       udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   67
    9  2224 ACCEPT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   1024:65535
    9   728 ACCEPT     icmp ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   *
    0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             n/a
  122  4920 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             n/a
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             * ->   161:162
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             161:162 ->   *
 1576  129K ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source    
            destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             5 ->   *
    0     0 MASQ       all  ------ 0xFF 0x00  eth2                           
192.168.1.0/24       192.168.2.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  eth0                           
192.168.2.0/24       0.0.0.0/0             n/a
    0     0 MASQ       tcp  ------ 0xFF 0x00  eth1                           
192.168.2.0/24       192.168.1.0/24        80 ->   *
  492 56976 MASQ       all  ------ 0xFF 0x00  eth0                           
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth2                           0.0.0.0/0 
           192.168.2.0/24        n/a
    0     0 DENY       all  ------ 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             n/a
Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source    
            destination           ports
 2524  788K fairq      all  ------ 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0   
           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
255.255.255.255      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
127.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
224.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
10.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
172.16.0.0/12        0.0.0.0/0             n/a
   57  2991 DENY       all  ----l- 0xFF 0x00  eth0                           
192.168.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           0.0.0.0/8 
           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
128.0.0.0/16         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
191.255.0.0/16       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
192.0.0.0/24         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
223.255.255.0/24     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                           
240.0.0.0/4          0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth0                           
192.168.1.0/24       0.0.0.0/0             n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                           0.0.0.0/0 
           0.0.0.0/0             135 ->   *
 2467  785K ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0 
           0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark       outsize  source    
            destination           ports
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             n/a
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             * ->   520
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             520 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             * ->   179
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             179 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             * ->   53
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             53 ->   *
    9   602 RETURN     udp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             * ->   53
    2   264 RETURN     udp  ------ 0xFF 0x00  *          0x1                   
0.0.0.0/0            0.0.0.0/0             53 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                   
0.0.0.0/0            0.0.0.0/0             * ->   23
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                   
0.0.0.0/0            0.0.0.0/0             23 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                   
0.0.0.0/0            0.0.0.0/0             * ->   22
 1030 82111 RETURN     tcp  ------ 0xFF 0x00  *          0x2                   
0.0.0.0/0            0.0.0.0/0             22 ->   *

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

Info For Hardware Problems

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

free

        total:    used:    free:  shared: buffers:  cached:
Mem:  47955968 18612224 29343744  7098368  7356416  4153344
Swap:        0        0        0
MemTotal:     46832 kB
MemFree:      28656 kB
MemShared:     6932 kB
Buffers:       7184 kB
Cached:        4056 kB
SwapTotal:        0 kB
SwapFree:         0 kB

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

df

Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/ram0                12155      5235      6920  43% /
/dev/ram1                 4049       159      3890   4% /var/log

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

dmesg

<snip>

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /var/log/syslog

<snip>
Feb 21 17:58:51 firewall kernel: rtl8139.c:v1.12 9/14/2000 Donald Becker, 
[EMAIL PROTECTED] 
Feb 21 17:58:51 firewall kernel:  http://www.scyld.com/network/rtl8139.html 
Feb 21 17:58:51 firewall kernel: eth0: RealTek RTL8139 Fast Ethernet at 0x6000, IRQ 
10, 00:50:bf:1c:63:65. 
Feb 21 17:58:51 firewall kernel: eth1: RealTek RTL8139 Fast Ethernet at 0x6100, IRQ 
11, 00:50:bf:1c:4c:3e. 
Feb 21 17:58:51 firewall kernel: tulip.c:v0.92m 9/22/2000  Written by Donald Becker 
<[EMAIL PROTECTED]> 
Feb 21 17:58:51 firewall kernel:   http://www.scyld.com/network/tulip.html 
Feb 21 17:58:51 firewall kernel: eth2: Lite-On PNIC-II rev 37 at 0xc3868000, 
00:40:F0:79:9C:94, IRQ 9. 
<snip>
Feb 21 18:16:26 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49501 192.168.2.1:80 L=48 S=0x00 I=7657 F=0x4000 T=254 SYN (#8) 
Feb 21 18:16:32 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49501 192.168.2.1:80 L=48 S=0x00 I=1938 F=0x4000 T=254 SYN (#8) 
Feb 21 18:16:43 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49501 192.168.2.1:80 L=48 S=0x00 I=1939 F=0x4000 T=254 SYN (#8) 
Feb 21 18:16:59 firewall kernel: Packet log: output DENY eth0 PROTO=6 
192.168.1.2:49501 192.168.2.1:80 L=65 S=0x00 I=1940 F=0x4000 T=254 (#8) 
<snip>
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /var/log/messages

<snip> 

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /proc/interrupts

           CPU0       
  0:     189089          XT-PIC  timer
  1:          2          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  4:        251          XT-PIC  serial
  8:          2          XT-PIC  rtc
  9:         91          XT-PIC  eth2
 10:       1463          XT-PIC  eth0
 11:       3477          XT-PIC  eth1
 13:          1          XT-PIC  fpu
 14:        553          XT-PIC  ide0
 15:         16          XT-PIC  ide1
NMI:          0

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

cat /proc/ioports

0000-001f : dma1
0020-003f : pic1
0040-005f : timer
0060-006f : keyboard
0070-007f : rtc
0080-008f : dma page reg
00a0-00bf : pic2
00c0-00df : dma2
00f0-00ff : fpu
0170-0177 : ide1
01f0-01f7 : ide0
02f8-02ff : serial(auto)
0376-0376 : ide1
03d4-03d5 : cga
03e8-03ef : serial(auto)
03f6-03f6 : ide0
03f8-03ff : serial(auto)
3000-3007 : ide0
3008-300f : ide1
6000-607f : eth0
6100-617f : eth1
c3868000-c38680ff : eth2


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
