Hi all, I have been using DS cd 1.02 since it came out and I have had no problems. Today I endeavored to put in a webserver on a private DMZ. It is obvious that I am now exceeding my knowledge of this subject. My private net still works but I can't get the DMZ to go. I think that the new card is working as it blinks when I ping, but who knows... I am sure that I have something wrong, as I get denied www packets in the output log, but I don't know where I went wrong. I have included everything I can think of, including the output of a debug script I wrote a while back. I really didn't think that *I* would need it. I have one static IP, so I am using a PRIVATE DMZ. In short, I have made these changes to /etc/network.conf.
Thanks for any help,
Robert

DMZ_OUTBOUND_ALL=YES
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
DMZ_SERVER0="tcp $EXTERN_IP www 192.168.2.1 www"

eth2_IPADDR=192.164.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
#eth2_ROUTES=
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

EXTERN_TCP_PORT1="0/0 www"

and these changes to the web server....

WEB server

/etc/hosts
127.0.0.1       localhost
192.168.2.1     web loghost
192.168.2.254   firewall

/etc/defaultrouter
192.168.2.254

Feb 21 18:16:10 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=46190 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:12 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=46191 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:18 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=7653 F=0x4000 T=254 SYN (#8)

Pings From firewall

firewall: /root # ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes

--- 192.168.2.1 ping statistics ---
12 packets transmitted, 0 packets received, 100% packet loss
firewall: /root # ping 192.168.2.254
PING 192.168.2.254 (192.168.2.254): 56 data bytes

--- 192.168.2.254 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
firewall: /root #
firewall: /root #
firewall: /root # ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): 56 data bytes
64 bytes from 192.168.1.2: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=255 time=0.9 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=255 time=0.9 ms

--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.8/0.9 ms

cat /tmp/debug.sink

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
Info For Routing Problems
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
ip addr show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope global lo
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:05:00:a5:a4 brd ff:ff:ff:ff:ff:ff
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:63:65 brd ff:ff:ff:ff:ff:ff
    inet 64.171.17.147/29 brd 64.171.17.151 scope global eth0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:4c:3e brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f0:79:9c:94 brd ff:ff:ff:ff:ff:ff
    inet 192.164.2.254/24 brd 192.164.2.255 scope global eth2
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
ip route show
64.171.17.144/29 dev eth0  proto kernel  scope link  src 64.171.17.147
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
192.164.2.0/24 dev eth2  proto kernel  scope link  src 192.164.2.254
default via 64.171.17.145 dev eth0
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
ip neighbor show
64.171.17.145 dev eth0 lladdr 00:00:89:2b:83:be nud stale
192.168.1.2 dev eth1 lladdr 00:05:02:70:38:08 nud reachable
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
ip -s link show
1: lo: <LOOPBACK,UP> mtu 3924 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    RX: bytes  packets  errors  dropped overrun mcast
    672        6        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    672        6        0       0       0       0
2: ipsec0: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
3: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
4: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
5: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
6: brg0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether fe:fd:05:00:a5:a4 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
7: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:63:65 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    361559     833      0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    76978      626      0       0       0       0
8: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:1c:4c:3e brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    157156     1621     0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    744495     1825     0       0       0       15
9: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:40:f0:79:9c:94 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    5220       87       0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
arp -an
/usr/local/bin/debug: arp: command not found
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
64.171.17.144   0.0.0.0         255.255.255.248 U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.164.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
0.0.0.0         64.171.17.145   0.0.0.0         UG        0 0          0 eth0
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
netstat -nre
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
64.171.17.144   0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.164.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
0.0.0.0         64.171.17.145   0.0.0.0         UG    0      0        0 eth0
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /etc/network_direct.conf
cat: /etc/network_direct.conf: No such file or directory
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# Information about this file is available in the `libc6-doc' package.

passwd:         files
group:          files
shadow:         files

hosts:          files dns
networks:       files

protocols:      files
services:       files
ethers:         files
rpc:            files

netgroup:       files
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /etc/hosts
# This file was generated by /etc/rcS.d/S39network.  It may be overwritten!
192.168.1.254   firewall.private.network firewall fw
127.0.0.1       localhost
pinging 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=0.7 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.4 ms

--- 192.168.1.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.7 ms
pinging 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=255 time=0.4 ms

--- 127.0.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /etc/resolv.conf
# This file was generated by /etc/rcS.d/S39network.  It may be overwritten!
search private.network
nameserver 206.13.28.12
nameserver 206.13.31.12
nameserver 127.0.0.1
pinging 206.13.28.12
PING 206.13.28.12 (206.13.28.12): 56 data bytes
64 bytes from 206.13.28.12: icmp_seq=0 ttl=249 time=21.1 ms
64 bytes from 206.13.28.12: icmp_seq=1 ttl=249 time=19.7 ms

--- 206.13.28.12 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 19.7/20.4/21.1 ms
pinging 206.13.31.12
PING 206.13.31.12 (206.13.31.12): 56 data bytes
64 bytes from 206.13.31.12: icmp_seq=0 ttl=245 time=23.9 ms
64 bytes from 206.13.31.12: icmp_seq=1 ttl=245 time=23.6 ms

--- 206.13.31.12 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 23.6/23.7/23.9 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
INTERN_IP is 192.168.1.254
pinging 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.4 ms

--- 192.168.1.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
eth0_DEFAULT_GW is 64.171.17.145
pinging 64.171.17.145
PING 64.171.17.145 (64.171.17.145): 56 data bytes
64 bytes from 64.171.17.145: icmp_seq=0 ttl=49 time=1.5 ms
64 bytes from 64.171.17.145: icmp_seq=1 ttl=49 time=1.2 ms

--- 64.171.17.145 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1.2/1.3/1.5 ms
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /etc/network.conf
###############################################################################
# Extended firewall configruation scripts
# By Charles Steinkuehler
# Version 1.3.2
# September 29, 2001
###############################################################################
# Brief instructions for this file
###############################################################################
#
# VERBOSE=(YES/NO)                      Default: Yes
#       Be verbose about settings.
#
# MAX_LOOP=(int)                        Default: 10
#       Maximum number of incrementable entries to search for.
#       IE: If you create a DNS7=, and MAX_LOOP=7, it will not be reached.
#       (DNS0 - DNS7 == 8 entires)
#       Setting this value too high will decrease the speed of the configuation
#       system.
#
# IPFWDING_KERNEL=(YES/NO/FILTER_ON)    Default: NO
#       Enable IP forwarding in the kernel.  FILTER_ON means forwarding will
#       only happen when IP filtering rules are loaded
#
# IPALWAYSDEFRAG_KERNEL=(YES/NO)        Default: NO
#       Enable IP Global defragmentation in the kernel.
#
#       **WARNING** - If this was turned on everywhere in a network of routers,
#       it can result in TCP connections failing and TCP connection resets.
#
#       ONLY turn this on if the box is a firewall or the single point of
#       entry for a network, or an endpoint for port forwarding or a load
#       balancer for a WWW server farm.  DO NOT turn this on if the box is a
#       conventional router as it breaks the TCP/IP RFCes.
#       This option is
#       needed when using IP NAT, IP masquerading, IP autofw, IP portfw,
#       transperent proxying or other kernel operations that intercept a
#       packet flow and redirect it.
#
#       It is a usful tool when using a packet filtering router to protect
#       directly attached ethernet networks of servers as it stops fragment
#       attacks on the servers in behind the router.  Another use is packet
#       filtering router to protect dial-in Internet users on NASes
#       (Portmasters, TC racks etc) from various SMB and fragment attacks
#       and to redirect all WWW connections into a WWW proxy-caching server.
#
# CONFIG_HOSTNAME=(YES/NO)              Default: NO
#       Create /etc/hostname file using HOSTNAME entry.
#       Any current hostname file will be **OVERWRITTEN**
#
# CONFIG_HOSTSFILE=(YES/NO)             Default: NO
#       Create /etc/hosts file using HOSTSx entries.
#       Any current hosts file will be **OVERWRITTEN**
#
# CONFIG_DNS=(YES/NO)                   Default: NO
#       Create /etc/resolv.conf file using DOMAINS and DNSx entries.
#       Any current resolv.conf file will be **OVERWRITTEN**
#
# IF_LIST                               Default: "$IF_AUTO"
#       A space seperated list of interfaces that can be ACTIVE on this machine
#       This controls which interfaces can be brought up and down manually.
#
# IF_AUTO                               Default: "eth0"
#       A space seperated list of interfaces that get started on boot. Tunneling
#       interfaces like CIPE should be after the raw interfaces they depend on.
#       The interfaces are started in the order they occur on the list, and are
#       shutdown in the reverse order of IF_LIST.
#
# IPFILTER_SWITCH=(none|router|firewall)        Default: "none"
#       Selects the basic IP filtering/firewalling setup of the router. "None"
#       is used for a straight through router, "router" for a filtering router with
#       IP spoof protection and Martian protection and "firewall" for a basic IP
#       masquerading/NAT firewall.  The basic filter types are provided in
#       /etc/ipfilter.conf.  If you want more than what is provided read the man
#       pages for ipchains or ipfwadm and BE CAREFUL when you edit this!
#
###############################################################################
# General Settings
###############################################################################
VERBOSE=YES
MAX_LOOP=4
IPFWDING_KERNEL=FILTER_ON
IPALWAYSDEFRAG_KERNEL=YES
CONFIG_HOSTNAME=YES
CONFIG_HOSTSFILE=YES
CONFIG_DNS=YES

###############################################################################
# Interfaces
###############################################################################
# Start pppd PPP interfaces first as pppd's use of DNS can delay startup.
#
# Interfaces to start on boot go here - ie "ppp0 eth0"
# Do NOT include interfaces configured by dhcp!
IF_AUTO="eth0 eth1 eth2"

# List of all configured interfaces, manual start and boot start
IF_LIST="$IF_AUTO"

# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO

# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
# Kernel logging of spoofed packets by default for interfaces - YES/NO
DEF_IP_KRNL_LOGMARTIANS=YES

# Bridge Setup - Global stuff
#
# Enable bridging - YES/NO
BRG_SWITCH=NO
# Exempt ethernet protocol types - type "brcfg list" to find out allowed
# values
BRG_EXEMPT_PROTOS=""

###############################################################################
eth0_IPADDR=64.171.17.147
eth0_MASKLEN=29
eth0_BROADCAST=+
# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
eth0_DEFAULT_GW=64.171.17.145
# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
# Space seperated list: <PREFIX>[_<more ip route options>]
#eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"
# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES
# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES
# This setting affects the processing of ICMP redirects.  Setting it to NO
# makes this more secure.  Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO
# Bridge this interface - YES/NO
eth0_BRIDGE=NO
# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=NO
# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO
# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit   # Device bandwidth
#eth0_HNDL=2            # Queue Handle - must be unique
#eth0_IABURST=100       # Interactive Burst
#eth0_IARATE=1Mbit      # Interactive Rate
#eth0_PXMTU=1514        # Physical MTU - includes Link Layer header

###############################################################################
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=+
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=NO
eth1_FAIRQ=NO

###############################################################################
eth2_IPADDR=192.164.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
#eth2_ROUTES=
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

###############################################################################
# NAT 'virtual' interface (optional: required only for static-NAT DMZ systems)
###############################################################################
# Configured as an interface to allow flexible handling of bringing the
# routing rules up/down in conjunction with the physical interfaces
# interface spec is an indexed list of IP address pairs and a base priority
# number for ip rule creation
#nat0_BASE_PRI=100      # Unique base value for ip rules
# Indexed list: <public IP> <private DMZ IP>
#nat0_PAIR0="1.1.2.3 192.168.2.13"
#nat0_PAIR1="1.1.2.4 192.168.2.14"
#nat0_PAIR2="1.1.2.5 192.168.2.15"

# Sangoma FR example
#fr498_IPADDR=10.0.10.1
#fr498_PTPADDR=10.0.10.2
#fr498_IP_SPOOF=YES
#fr498_IP_KRNL_LOGMARTIANS=YES
# Simple QoS support
#fr498_FAIRQ=YES
#fr498_TXQLEN=50
# Complex FR QoS - Enable ALL of these + above to turn it on
#fr498_FRBURST=960Kbit      # FR Burst capacity (a rate)
#fr498_BULKRATE=320Kbit     # Usually you set this to the CIR
#fr498_BULKBURST=50         # Number of packets that can burst in bulk class
#fr498_BNDWIDTH=1920Kbit    # The bandwidth of the interface
#fr498_IABURST=512          # No of Interactive Burst packets
#fr498_IARATE=640Kbit       # Burst capicity bandwith between
#                           # BURST and CIR
#fr498_HNDL=2               # The queue handle - must be unique Dialup PPP is 1000+
#fr498_PXMTU=1508           # The Physical MTU of the interface (data + MAC header)

# PPP interface stuff - these apply to all ASYNC ppp interfaces, options
# same as ethernet above.
#ppp_BNDWIDTH=30Kbit
#ppp_FAIRQ=YES
#ppp_TXQLEN=30
#ppp_IABURST=20
#ppp_IARATE=10Kbit
#ppp_PXMTU=1500

###############################################################################
# IP Filter setup - can pull in settings from above
###############################################################################
# Set up the basic type of filtering. Can be one of (none|router|firewall)
# You must load the ip_masq_* modules to enable full IP masquerading, and
# ip_masq_portfw if you want to forward external ports pop-3, mtp, www
# to internal machines below.
IPFILTER_SWITCH=firewall

# This set of variables is used with both sets of filters
SNMP_BLOCK=YES                  # Block all SNMP (YES/NO)
# List of IP Nos used for SNMP management
#SNMP_MANAGER_IPS="10.100.1.2"

# Fair Queuing support
# List of Mark values
MRK_CRIT=1      # Critical traffic, routing, DNS
MRK_IA=2        # Interactive traffic - telnet, ssh, IRC
# List of traffic types and maps to mark values
# Setting this variable turns on the
# fairq chain
CLS_FAIRQ="${MRK_CRIT}_89_0/0 ${MRK_CRIT}_udp_0/0_route ${MRK_CRIT}_tcp_0/0_bgp ${MRK_CRIT}_tcp_0/0_domain ${MRK_CRIT}_udp_0/0_domain ${MRK_IA}_tcp_0/0_telnet ${MRK_IA}_tcp_0/0_ssh"

# NOTE: Do NOT turn on the DMZ network or ANY external port masquerading/
#       port forwarding when EXTERN_DYNADDR is on because some security
#       leaks will result.  You may also want to limit the external open
#       ports to domain (UDP) for DNS.  Anyhow, these features are not that
#       usable unless you have a static external address
#
EXTERN_IF="eth0"                # External Interface

# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interface
EXTERN_DHCP=NO                  # YES/NO
# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF

# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address.
# Set this to NO for typical ethernet setups, even if you
# are using DHCP
EXTERN_DYNADDR=NO               # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
#EXTERN_IP="64.171.17.147"
# Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the
# interface, but you arn't using DHCP (ie PPPoE and dialup users)
#EXTERN_IP=DYNAMIC

# If external interface IP is dynamic, read the configured IP address
# This should probably be moved to the init.d network script, but I put it
# here for now, as it is more obvious what it is doing, in case it
# messes something else up.
if [ "$EXTERN_DHCP" = "YES" -o \
     "$EXTERN_DHCP" = "Yes" -o \
     "$EXTERN_DHCP" = "yes" -o \
     "$EXTERN_IP" = "DYNAMIC" ] ; then
  # This computes the IP address of $EXTERN_IF
  EXTERN_IP=`ip addr list label $EXTERN_IF | \
    grep inet | sed '1!d' | \
    sed 's/^[^.0-9]*\([.0-9]*\).*$/\1/'`

  # If the external address is not configured, use a bogus address for the
  # external interface to prevent a bunch of (harmless) errors that spit out
  # when the IPCHAINS script is called.
  if [ x$EXTERN_IP = x ]; then
    EXTERN_IP=192.168.254.254
  fi
fi

# Traffic to completely ignore...define here to prevent filling your logs
# Space seperated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY="udp_207.235.84.1_route udp_207.235.84.0/24_37"

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extentions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: "SrcAddr/Mask type [ DestAddr[/DestMask] ]"
#EXTERN_ICMP_PORT0="0/0 : 1.1.1.12"

## UDP Services open to outside world
# Space seperated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS="0/0_domain 0/0_bootpc"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_UDP_PORT0="0/0 domain"
#EXTERN_UDP_PORT1="5.6.7.8 500 1.1.1.12"

# TCP services open to outside world
# Space seperated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
# -or-
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT0="0/0 www"

# Generic Services open to outside world
# Space seperated list: protocol_srcip/mask_dstport
#EXTERN_PORTS="50_5.6.7.8 51_5.6.7.8"
# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 5.6.7.8/32"
#EXTERN_PROTO1="51 5.6.7.8/32"

###############################################################################
# Internal Interface
###############################################################################
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF="eth1"                # Internal Interface
INTERN_NET=192.168.1.0/24       # One (or more) Internal network(s)
INTERN_IP=192.168.1.254         # IP number of Internal Interface
                                # (to allow forwarding to external IP)
MASQ_SWITCH=YES                 # Masquerade internal network to outside
                                # world - YES/NO
# These services are not masqueraded from int to ext/DMZ, preventing access
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST="tcp_0/0_ssh"
# Override for above...only the listed dest IP's can be accessed
# Space seperated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS="tcp_10.0.0.1_ssh"

###############################################################################
# Port Forwarding
###############################################################################
# Remember to open appropriate holes in the firewall rules, above
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1  # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24             # External port to use for internal SSH access

# Advanced settings: parameters passed directly to portfw and autofw
# Indexed list: "<ipmasqadm portfw options>"
#INTERN_SERVER0="-a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF]"
#INTERN_SERVER1=""
# Indexed list: "<ipmasqadm autofw options>"
#INTERN_AUTOFW0="-A -r tcp 20000 20050 -h 192.168.1.1"
#INTERN_AUTOFW1=""

###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24

# DMZ switches for all flavors except PRIVATE
###############################################################################
# For NAT DMZ's:
# DMZ_NET, above is likely a private IP range...DMZ_SRC should encompass the
# public IP range being NAT'd to DMZ_NET.  Any systems
DMZ_SRC=1.1.1.0/27

# For Proxy-Arp or NAT DMZ's only:
# For security, any IP's within the DMZ_NET (PROXY) or DMZ_SRC (NAT)
# specification, above, that are NOT remote systems reached via DMZ_IF must
# be listed here.  This potentially includes IP's of this LRP system, your
# gateway, and systems connected to your external interface.
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"

## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!
# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: (or a smaller range)
# as the dest port range in DMZ_OPEN_DEST (RECOMMENDED)
DMZ_HIGH_TCP_CONNECT=NO
## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"

# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
DMZ_OPEN_DEST="
        udp_${DMZ_NET}_domain
        tcp_${DMZ_NET}_domain
        icmp_${DMZ_NET}_:
        tcp_1.1.2.13_www"

# PRIVATE DMZ switches
###############################################################################
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
DMZ_SERVER0="tcp $EXTERN_IP www 192.168.2.1 www"
#DMZ_SERVER0="udp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER1="tcp $EXTERN_IP domain 192.168.2.1 domain"
#DMZ_SERVER2="tcp 1.2.3.13 www 192.168.2.1 www"
#DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
#DMZ_SERVER4="tcp 1.2.3.12 www 192.168.2.1 8080"

# Allow all outbound traffic from DMZ (YES)
# or just traffic from port-forwarded servers (NO)
DMZ_OUTBOUND_ALL=YES

###############################################################################
# Interface activation/deactivation functions
# Here so that special interface commands can be called and daemons started
#
# Arps can be set up here, network/host routes and so forth.
#
# This appears to be a little messy but is needed to achieve maximum
# functionality and flexibility.
#
###############################################################################
echo_rtepfx () {
  local IFS='_'
  set -- $1
  echo $1
}

echo_rteargs () {
  local IFS='_'
  set -- $1
  shift
  echo $@
}

# Function to add a static NAT translation
# $1 = Name of environment variable which contains IP address
# $2 = Action (add or del)
# $3 = Base priority value
# $y = Current walklist index count
do_nat () {
  local PRIORITY=$(($3 + $y ))
  local ACTION=$2
  eval local args=\$$1
  set -- $args
  ip route $ACTION nat $1 via $2
  ip rule $ACTION prio $PRIORITY from $2 nat $1
}

if_up () {
  local ADDR
  # sort out a few things to make life easier - here so that you
  # can see what is done and so that you can add anything if needed
  eval local IPADDR=\${"$1"_IPADDR:-""}         # I am also a good genius
  eval local MASKLEN=\${"$1"_MASKLEN:-""}
  eval local BROADCAST=\${"$1"_BROADCAST:-""}
  eval local PTPADDR=\${"$1"_PTPADDR:-""}
  eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
  eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
  eval local ROUTES=\${"$1"_ROUTES:-""}
  eval local FAIRQ=\${"$1"_FAIRQ:-""}
  eval local TXQLEN=\${"$1"_TXQLEN:-""}
  eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
  eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
  eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
  eval local BRIDGE=\${"$1"_BRIDGE:-""}
  eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
  if [ -n "$BROADCAST" ] ; then
    IFCFG_BROADCAST="broadcast $BROADCAST"
  fi

  # Do dee global bridge stuff
  brg_global

  # Set default interface flags here - used for PPP and WAN interfaces
  if_setproc default rp_filter $DEF_IP_SPOOF
  if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
  if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS

  # Set up each interface
  case $1 in
    ppp0)
      pppd call provider
      ;;
    fr*)
      wanconfig card wanpipe1 dev $1 start
      ip addr add $IPADDR peer $PTPADDR dev $1
      ip link set $1 up
      # Fair queuing - this can be selected for any interface
      ip_frQoS $1
      ;;
    nat*)
      eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
      walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
      ;;
    *)
      # default interface startup
      brg_iface $1 up $BRIDGE
      [ -n "$IPADDR" ] \
        && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
      for ADDR in $IP_EXTRA_ADDRS; do
        ip addr add $ADDR dev $1
      done
      ip link set $1 up
      case "$PROXY_ARP" in
        YES|Yes|yes)
          ip route flush dev $1
          ;;
        *)
          ;;
      esac
      # Fair queuing - this can be selected for any interface
      ip_QoS $1
      ;;
  esac

  for route in $ROUTES; do
    ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
  done

  # Do universal interface config items here
  # Default route support
  [ -n "$DEFAULT_GW" ] \
    && ip route replace default via $DEFAULT_GW dev $1

  # Set the TX Queue Length
  [ -n "$TXQLEN" ] \
    && ip link set $1 txqlen $TXQLEN

  # Spoof protection
  if_setproc $1 rp_filter $IP_SPOOF

  # Kernel logging of martians on this interface
  if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS

  # Shared Media stuff
  if_setproc $1 shared_media $IP_SHARED_MEDIA

  # Proxy ARP support
  if_setproc $1 proxy_arp $PROXY_ARP

  return 0
}

if_down () {
  # Do Dee global bridge stuff
  brg_global

  case $1 in
    ppp*)
      [ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
      sleep 5           # Wait for pppd to die
      ;;
    fr*)
      qt ip link set $1 down
      qt ip addr flush dev $1
      qt wanconfig card wanpipe1 dev $1 stop
      ;;
    nat*)
      eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
      walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
      ;;
    *)
      # default action
      brg_iface $1 down
      ip link set $1 down       # This also kills any routes
      qt ip addr flush dev $1
      ;;
  esac

  # Clean up any QoS/fair queuing stuff
  ip_QoSclear $1

  true
} #END if_down
###############################################################################
# Hostname                                  Requires: CONFIG_HOSTNAME=YES
###############################################################################
HOSTNAME=firewall

###############################################################################
# Hosts file (Static domainname entries)    Requires: CONFIG_HOSTSFILE=YES
###############################################################################
# IP            FQDN                    hostname    alias1 alias2..
HOSTS0="$eth1_IPADDR $HOSTNAME.private.network $HOSTNAME fw"
#HOSTS1="192.168.1.22 host2.private.network host2 h2"

###############################################################################
# Domain Search Order and Name Servers      Requires: CONFIG_DNS=YES
###############################################################################
DOMAINS="private.network"
DNS0=127.0.0.1
DNS0=206.13.28.12
DNS1=206.13.31.12

###############################################################################
# QoS/Fair queueing functions
###############################################################################
ip_QoSclear () {
    [ -x /sbin/tc ] \
        && qt tc qdisc del dev $1 root
    return 0
}

ip_frQoS () {
    # Set some variables
    eval local FAIRQ=\${"$1"_FAIRQ:-""}
    eval local BULKRATE=\${"$1"_BULKRATE:-""}
    eval local BULKBURST=\${"$1"_BULKBURST:-""}
    eval local FRBURST=\${"$1"_FRBURST:-""}
    eval local HNDL=\${"$1"_HNDL:-""}
    eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
    eval local IARATE=\${"$1"_IARATE:-""}
    eval local IABURST=\${"$1"_IABURST:-""}
    eval local PXMTU=\${"$1"_PXMTU:-""}
    if [ ! -x /sbin/tc ]; then
        return 1
    fi
    if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
    then
        return 1
    fi
    if [ -z "$BULKRATE" -o -z "$FRBURST" -o -z "$HNDL" -o -z "$PXMTU" \
         -o -z "$BNDWIDTH" -o -z "$IARATE" -o -z "$IABURST" \
         -o -z "$BULKBURST" ]; then
        tc qdisc replace dev $1 root sfq
        return 0
    fi
    # Attach CBQ to device
    tc qdisc add dev $1 root handle $HNDL: cbq \
        bandwidth $BNDWIDTH avpkt 1000
    # Set up classes
    # Bulk class
    tc class add dev $1 parent $HNDL:0 classid :1 \
        est 1sec 8sec cbq bandwidth $BNDWIDTH \
        rate $BULKRATE allot $PXMTU bounded weight 1 prio 6 \
        avpkt 1000 maxburst $BULKBURST \
        split $HNDL:0 defmap ff7f
    tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
    # Interactive Class
    tc class add dev $1 parent $HNDL:0 classid :2 \
        est 2sec 16sec cbq bandwidth $BNDWIDTH \
        rate $IARATE allot $PXMTU bounded weight 1 prio 6 \
        avpkt 1000 maxburst $IABURST \
        split $HNDL:0 defmap 80
    tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
    # Priority class
    tc class add dev $1 parent $HNDL:0 classid :3 \
        est 1sec 8sec cbq bandwidth $BNDWIDTH \
        rate $FRBURST allot $PXMTU bounded weight 1 prio 1 \
        avpkt 1000 maxburst 21
    tc qdisc add dev $1 parent $HNDL:3 pfifo
    # Add filters
    tc filter add dev $1 parent $HNDL:0 protocol ip \
        priority 50 handle $MRK_CRIT fw classid $HNDL:3
    tc filter add dev $1 parent $HNDL:0 protocol ip \
        priority 60 handle $MRK_IA fw classid $HNDL:2
    return 0
}

ip_QoS () {
    # Set some variables
    eval local HNDL=\${"$1"_HNDL:-""}
    eval local FAIRQ=\${"$1"_FAIRQ:-""}
    if [ -z "$FAIRQ" -a -n "$2" ]; then
        local FAIRQ=$2
    fi
    eval local BNDWIDTH=\${"$1"_BNDWIDTH:-""}
    if [ -z "$BNDWIDTH" -a -n "$3" ]; then
        local BNDWIDTH=$3
    fi
    eval local PXMTU=\${"$1"_PXMTU:-""}
    if [ -z "$PXMTU" -a -n "$4" ]; then
        local PXMTU=$4
    fi
    eval local IARATE=\${"$1"_IARATE:-""}
    if [ -z "$IARATE" -a -n "$5" ]; then
        local IARATE=$5
    fi
    eval local IABURST=\${"$1"_IABURST:-""}
    if [ -z "$IABURST" -a -n "$6" ]; then
        local IABURST=$6
    fi
    if [ ! -x /sbin/tc ]; then
        return 1
    fi
    if [ "$FAIRQ" != "YES" -a "$FAIRQ" != "Yes" -a "$FAIRQ" != "yes" ]
    then
        return 1
    fi
    if [ -z "$BNDWIDTH" -o -z "$IABURST" -o -z "$IARATE" -o -z "$HNDL" \
         -o -z "$PXMTU" ]; then
        tc qdisc replace dev $1 root sfq
        return 0
    fi
    # Attach CBQ to device
    tc qdisc add dev $1 root handle $HNDL: cbq \
        bandwidth $BNDWIDTH \
        avpkt 1000
    # Set up classes
    # Bulk class
    tc class add dev $1 parent $HNDL:0 classid :1 est 1sec 8sec \
        cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
        allot $PXMTU avpkt 1000 bounded weight 1 prio 6 \
        split $HNDL:0 defmap ff7f
    tc qdisc add dev $1 parent $HNDL:1 sfq perturb 15
    # Interactive class
    tc class add dev $1 parent $HNDL:0 classid :2 est 2sec 16sec \
        cbq bandwidth $BNDWIDTH rate $IARATE maxburst $IABURST \
        allot $PXMTU avpkt 1000 bounded isolated weight 1 \
        prio 2 split $HNDL:0 defmap 80
    tc qdisc add dev $1 parent $HNDL:2 sfq perturb 15
    # Priority class
    tc class add dev $1 parent $HNDL:0 classid :3 est 1sec 8sec \
        cbq bandwidth $BNDWIDTH rate $BNDWIDTH \
        allot $PXMTU avpkt 1000 bounded weight 1 prio 1
    tc qdisc add dev $1 parent $HNDL:3 pfifo
    # Add filters
    tc filter add dev $1 parent $HNDL:0 protocol ip \
        priority 50 handle $MRK_CRIT fw classid $HNDL:3
    # (the stray trailing backslash that ran "return 0" into this tc command
    #  has been removed so the function actually returns)
    tc filter add dev $1 parent $HNDL:0 protocol ip \
        priority 60 handle $MRK_IA fw classid $HNDL:2
    return 0
}

###############################################################################
# End
###############################################################################

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
Info For Firewall Trouble
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.254:22        192.168.1.2:49490       ESTABLISHED
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1023            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw        0      0 0.0.0.0:6               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     1707   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1710   @00000001
unix  1      [ ]         STREAM     CONNECTED     1740   @00000005
unix  1      [ ]         STREAM     CONNECTED     1741   /dev/log
unix  1      [ ]         STREAM     CONNECTED     1711   /dev/log

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
ipchains -L -n -v
Chain input (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname   mark   outsize  source                destination           ports
    7   363 DENY       udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             255.255.255.255       * ->   *
   15   480 DENY       igmp ------ 0xFF 0x00  eth0                     64.171.17.145         0.0.0.0/0             n/a
   62  3224 DENY       udp  ------ 0xFF 0x00  eth0                     64.171.17.145         0.0.0.0/0             * ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             5 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             13 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             14 ->   *
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     0.0.0.0               0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     255.255.255.255       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     127.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     224.0.0.0/4           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     10.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     172.16.0.0/12         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     192.168.0.0/16        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     0.0.0.0/8             0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     128.0.0.0/16          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     191.255.0.0/16        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     192.0.0.0/24          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     223.255.255.0/24      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     240.0.0.0/4           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     192.168.1.0/24        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     64.171.17.147         0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0                     0.0.0.0/0             127.0.0.0/8           n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  eth0                     0.0.0.0/0             192.168.1.0/24        n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   137
   15   600 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   135
   20  1560 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   135
   15   600 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             135 ->   *
   15   600 ACCEPT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             64.171.17.147         * ->   80
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             64.171.17.147         * ->   80
   15   600 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   113
  509  332K ACCEPT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   1024:65535
    0     0 REJECT     udp  ----l- 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   161:162
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   53
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   68
    0     0 DENY       udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   67
    9  2224 ACCEPT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   1024:65535
    9   728 ACCEPT     icmp ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   *
    0     0 ACCEPT     ospf ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             n/a
  122  4920 DENY       all  ----l- 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             n/a
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             * ->   161:162
    0     0 REJECT     udp  ----l- 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             161:162 ->   *
 1576  129K ACCEPT     all  ------ 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname   mark   outsize  source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             5 ->   *
    0     0 MASQ       all  ------ 0xFF 0x00  eth2                     192.168.1.0/24        192.168.2.0/24        n/a
    0     0 MASQ       all  ------ 0xFF 0x00  eth0                     192.168.2.0/24        0.0.0.0/0             n/a
    0     0 MASQ       tcp  ------ 0xFF 0x00  eth1                     192.168.2.0/24        192.168.1.0/24        80 ->   *
  492 56976 MASQ       all  ------ 0xFF 0x00  eth0                     192.168.1.0/24        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth2                     0.0.0.0/0             192.168.2.0/24        n/a
    0     0 DENY       all  ------ 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             n/a
Chain output (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname   mark   outsize  source                destination           ports
 2524  788K fairq      all  ------ 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     0.0.0.0               0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     255.255.255.255       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     127.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     224.0.0.0/4           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     10.0.0.0/8            0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     172.16.0.0/12         0.0.0.0/0             n/a
   57  2991 DENY       all  ----l- 0xFF 0x00  eth0                     192.168.0.0/16        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     0.0.0.0/8             0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     128.0.0.0/16          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     191.255.0.0/16        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     192.0.0.0/24          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     223.255.255.0/24      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  eth0                     240.0.0.0/4           0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  eth0                     192.168.1.0/24        0.0.0.0/0             n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  eth0                     0.0.0.0/0             0.0.0.0/0             135 ->   *
 2467  785K ACCEPT     all  ------ 0xFF 0x00  *                        0.0.0.0/0             0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname   mark   outsize  source                destination           ports
    0     0 RETURN     ospf ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             n/a
    0     0 RETURN     ospf ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             n/a
    0     0 RETURN     udp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             * ->   520
    0     0 RETURN     udp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             520 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             * ->   179
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             179 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             * ->   53
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             53 ->   *
    9   602 RETURN     udp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             * ->   53
    2   264 RETURN     udp  ------ 0xFF 0x00  *        0x1             0.0.0.0/0             0.0.0.0/0             53 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x2             0.0.0.0/0             0.0.0.0/0             * ->   23
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x2             0.0.0.0/0             0.0.0.0/0             23 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *        0x2             0.0.0.0/0             0.0.0.0/0             * ->   22
 1030 82111 RETURN     tcp  ------ 0xFF 0x00  *        0x2             0.0.0.0/0             0.0.0.0/0             22 ->   *

*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
Info For Hardware Problems
*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
free
             total:    used:     free:    shared:  buffers:  cached:
Mem:      47955968  18612224  29343744  7098368  7356416   4153344
Swap:            0         0         0
MemTotal:     46832 kB
MemFree:      28656 kB
MemShared:     6932 kB
Buffers:       7184 kB
Cached:        4056 kB
SwapTotal:        0 kB
SwapFree:         0 kB

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/ram0                12155      5235      6920  43% /
/dev/ram1                 4049       159      3890   4% /var/log

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dmesg
<snip>

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /var/log/syslog
<snip>
Feb 21 17:58:51 firewall kernel: rtl8139.c:v1.12 9/14/2000 Donald Becker, [EMAIL PROTECTED]
Feb 21 17:58:51 firewall kernel: http://www.scyld.com/network/rtl8139.html
Feb 21 17:58:51 firewall kernel: eth0: RealTek RTL8139 Fast Ethernet at 0x6000, IRQ 10, 00:50:bf:1c:63:65.
Feb 21 17:58:51 firewall kernel: eth1: RealTek RTL8139 Fast Ethernet at 0x6100, IRQ 11, 00:50:bf:1c:4c:3e.
Feb 21 17:58:51 firewall kernel: tulip.c:v0.92m 9/22/2000 Written by Donald Becker <[EMAIL PROTECTED]>
Feb 21 17:58:51 firewall kernel: http://www.scyld.com/network/tulip.html
Feb 21 17:58:51 firewall kernel: eth2: Lite-On PNIC-II rev 37 at 0xc3868000, 00:40:F0:79:9C:94, IRQ 9.
<snip>
Feb 21 18:16:26 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49501 192.168.2.1:80 L=48 S=0x00 I=7657 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:32 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49501 192.168.2.1:80 L=48 S=0x00 I=1938 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:43 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49501 192.168.2.1:80 L=48 S=0x00 I=1939 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:59 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49501 192.168.2.1:80 L=65 S=0x00 I=1940 F=0x4000 T=254 (#8)
<snip>

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /var/log/messages
<snip>

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /proc/interrupts
           CPU0
  0:     189089          XT-PIC  timer
  1:          2          XT-PIC  keyboard
  2:          0          XT-PIC  cascade
  4:        251          XT-PIC  serial
  8:          2          XT-PIC  rtc
  9:         91          XT-PIC  eth2
 10:       1463          XT-PIC  eth0
 11:       3477          XT-PIC  eth1
 13:          1          XT-PIC  fpu
 14:        553          XT-PIC  ide0
 15:         16          XT-PIC  ide1
NMI:          0
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
cat /proc/ioports
0000-001f : dma1
0020-003f : pic1
0040-005f : timer
0060-006f : keyboard
0070-007f : rtc
0080-008f : dma page reg
00a0-00bf : pic2
00c0-00df : dma2
00f0-00ff : fpu
0170-0177 : ide1
01f0-01f7 : ide0
02f8-02ff : serial(auto)
0376-0376 : ide1
03d4-03d5 : cga
03e8-03ef : serial(auto)
03f6-03f6 : ide0
03f8-03ff : serial(auto)
3000-3007 : ide0
3008-300f : ide1
6000-607f : eth0
6100-617f : eth1
c3868000-c38680ff : eth2

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
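The "Packet log:" lines in the syslog above are the most useful diagnostic in the whole dump: an output DENY on eth0 for a packet addressed to the DMZ subnet means the kernel chose the external interface for a DMZ-bound packet, so the route to 192.168.2.0/24 via eth2 is what to check before the filter rules. As an added example (not part of the original post or of the LEAF/Dachstein scripts), the POSIX shell function below summarises such log lines by chain, action, interface and rule, and flags DMZ-bound packets that were logged on the external interface; the DMZ prefix and external interface name are parameters, and the sample lines are constructed after the ones in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of the LEAF scripts.
# Summarises ipchains "Packet log:" kernel messages and flags packets bound
# for the DMZ subnet that were logged on the external interface, which
# points at a routing problem rather than at a filter rule.

# Constructed sample lines, modelled on the ones quoted in the post.
SAMPLE_LOG='Feb 21 18:16:10 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=46190 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:12 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49498 192.168.2.1:80 L=48 S=0x00 I=46191 F=0x4000 T=254 SYN (#8)
Feb 21 18:16:20 firewall kernel: Packet log: input DENY eth0 PROTO=17 64.171.17.145:138 255.255.255.255:138 L=78 S=0x00 I=100 F=0x0000 T=128 (#1)
Feb 21 18:16:21 firewall kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.2:49499 192.168.2.1:80 L=48 S=0x00 I=46192 F=0x4000 T=254 SYN (#8)'

# summarise_packet_log DMZ_PREFIX EXT_IF  (log lines on stdin)
# Prints one "chain action ifname proto src dst (#rule) count" line per
# flow, then "MISROUTED dst count" for DMZ-bound packets seen on EXT_IF.
summarise_packet_log() {
    awk -v dmz="$1" -v ext="$2" '
    BEGIN { pname[1] = "icmp"; pname[6] = "tcp"; pname[17] = "udp" }
    /Packet log:/ {
        # tokens after "log:" are: chain action ifname PROTO=n src:port dst:port ...
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i + 1); action = $(i + 2); ifn = $(i + 3)
        pnum = $(i + 4); sub("PROTO=", "", pnum)
        proto = (pnum in pname) ? pname[pnum] : pnum
        split($(i + 5), s, ":"); split($(i + 6), d, ":")   # drop ports
        rule = $NF                                          # trailing "(#n)"
        key = chain " " action " " ifn " " proto " " s[1] " " d[1] " " rule
        count[key]++
        # destination inside the DMZ prefix but logged on the external
        # interface: the packet was routed the wrong way
        if (ifn == ext && index(d[1], dmz) == 1) misrouted[d[1]]++
    }
    END {
        for (k in count) print k, count[k]
        for (m in misrouted) print "MISROUTED", m, misrouted[m]
    }'
}

# count_misrouted DMZ_PREFIX EXT_IF  (log lines on stdin) -> number of
# distinct DMZ destinations that were logged on the external interface
count_misrouted() {
    summarise_packet_log "$1" "$2" | grep -c '^MISROUTED ' || true
}

printf '%s\n' "$SAMPLE_LOG" | summarise_packet_log 192.168.2. eth0
```

On a live box the same function reads the real log with `summarise_packet_log 192.168.2. eth0 < /var/log/syslog`; any MISROUTED line is a reason to look at `ip route` and the eth2 address before touching the ipchains rules.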