Help with FreeBSD Bridged Firewall
William Knechtel
webmaster at endikos.com
Tue Jul 29 18:24:20 PDT 2003
Per a list member's request, I've attached dumps of the following commands:
arp -a
netstat -m
ipfw show
ifconfig
netstat -s
netstat -i
One caveat: I've hidden all IP addresses that could be used to divine my
netblock... I guess I'm a little paranoid about people inspecting my
firewall configuration :-) <MYHOST1> and <MYHOST2> are public (routable) IP
addresses of the two machines I have behind the firewall.
One additional note. Since I first composed this message early this
afternoon, the responsiveness of the internal NIC on the firewall has
bounced up and down a bit. Here's a bit of a log of its activity:
11:57 DOWN
12:06 UP (reboot)
12:26 DOWN
2:18 UP
3:14 DOWN
5:43 UP
The odd thing is that it's been operating fine for a few months now (it's
a fairly new installation), and the last change I made to the firewall's
config was well over a week ago.
I hope this helps figure out what's going on!! Thanks in advance for your
help.
Kindest Regards,
Bill
> -----Original Message-----
> From: owner-freebsd-net at freebsd.org
> [mailto:owner-freebsd-net at freebsd.org]On Behalf Of William Knechtel
> Sent: Tuesday, July 29, 2003 6:56 PM
> To: freebsd-net at freebsd.org
> Subject: Help with FreeBSD Bridged Firewall
>
>
> Hello!
>
> Help!! I'm running a PC with dual NICs and FreeBSD 4.8 for a bridged
> firewall. I've got a private IP 10.0.0.1 tied to the internal card on the
> box for remote management. The firewall blocks any 10.x traffic coming in on
> the external card, so to remotely admin it, I have to shell into a machine
> on the same isolated network segment that it's on, and then shell over from
> that machine.
>
> Today around noon, the machine suddenly stopped responding to pings. I went
> down to the server room and couldn't find anything wrong. No notes on the
> console screen, no anomalous entries in the security or message logs. So, in
> the interest of getting it back up quickly, I rebooted it. That worked.
> About an hour later, the same thing happened... my network monitor tells me
> that it's not responding to pings. So before I go down to the server room, I
> run a few tests... the firewall is still blocking packets like a champ. I
> run nmap against a host the firewall protects, and everything comes back
> fine. But when I go downstairs to the console, I can't ping out to its
> 10.0.0.2 buddy, and no incoming pings work either. I'm at a loss on how to
> troubleshoot this, folks. I could really use a few ideas, so please send
> them along!
>
> Thanks in Advance!
> Bill
# arp -a
? (10.0.0.1) at 00:01:53:80:e2:40 on dc0 permanent [ethernet]
? (10.0.0.2) at 00:02:b3:a8:3d:2b on dc0 [ethernet]
# netstat -m
129/160/4992 mbufs in use (current/peak/max):
129 mbufs allocated to data
128/136/1248 mbuf clusters in use (current/peak/max)
312 Kbytes allocated to network (8% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
# ipfw show
00100 24 1824 allow udp from 132.239.1.6 123 to <MYHOST1> 123
00200 23 1748 allow udp from 128.194.254.9 123 to <MYHOST1> 123
00300 24 1824 allow udp from 192.43.244.18 123 to <MYHOST1> 123
00400 24 1824 allow udp from 128.138.140.44 123 to <MYHOST1> 123
00500 0 0 allow udp from 132.239.1.6 123 to <MYHOST2> 123
00600 0 0 allow udp from 128.194.254.9 123 to <MYHOST2> 123
00700 0 0 allow udp from 192.43.244.18 123 to <MYHOST2> 123
00800 0 0 allow udp from 128.138.140.44 123 to <MYHOST2> 123
00900 0 0 deny ip from 127.0.0.0/8 to any via vr0
01000 1316 132222 deny ip from 10.0.0.0/8 to any via vr0
01100 512 65098 deny ip from 192.168.0.0/16 to any via vr0
01200 0 0 deny ip from 172.16.0.0/16 to any via vr0
01300 6363 1136947 allow ip from 10.0.0.0/28 to any via dc0
01400 5952 374220 allow ip from any to any via lo*
01500 214096 106791094 allow ip from X.X.211.64/26 to any
01600 176 21124 allow ip from X.X.122.180 to any
01700 703 33825 allow icmp from any to any
01800 898 130784 allow ip from X.X.204.192/28 to any
01900 0 0 allow ip from X.X.211.68 to any
02000 51768 7784246 allow ip from any to X.X.255.255
02100 0 0 allow tcp from any to <MYHOST1> 53
02200 0 0 allow udp from any to <MYHOST1> 53
02300 11915 2725386 allow tcp from any to <MYHOST1> 80
02400 0 0 allow udp from any to <MYHOST1> 80
02500 659 444559 allow tcp from any to <MYHOST1> 25
02600 0 0 allow udp from any to <MYHOST1> 25
02700 0 0 allow tcp from any to <MYHOST1> 110
02800 0 0 allow udp from any to <MYHOST1> 110
02900 0 0 allow tcp from any to <MYHOST1> 143
03000 0 0 allow udp from any to <MYHOST1> 143
03100 0 0 deny tcp from any to <MYHOST1> 3306
03200 0 0 deny udp from any to <MYHOST1> 3306
03300 0 0 deny tcp from any to <MYHOST1> 6101
03400 0 0 deny tcp from any to <MYHOST1> 8192
03500 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 53
03600 0 0 allow udp from X.X.211.64/26 to <MYHOST2> 88
03700 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 135
03800 0 0 allow udp from X.X.211.64/26 to <MYHOST2> 137
03900 0 0 allow udp from X.X.211.64/26 to <MYHOST2> 138
04000 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 139
04100 0 0 allow udp from X.X.211.64/26 to <MYHOST2> 389
04200 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 445
04300 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 464
04400 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 636
04500 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 3268
04600 0 0 allow tcp from X.X.211.64/26 to <MYHOST2> 3269
04700 168 13430 allow tcp from X.X.33.84 to <MYHOST2> 389
04800 0 0 allow udp from X.X.33.84 to <MYHOST2> 389
04900 8 643 allow tcp from X.X.33.75 to <MYHOST2> 389
05000 0 0 allow udp from X.X.33.75 to <MYHOST2> 389
05100 0 0 allow ip from X.X.15.22 to <MYHOST2>
05200 0 0 allow ip from X.X.15.41 to <MYHOST2>
05300 0 0 allow ip from X.X.15.25 to <MYHOST2>
05400 0 0 allow tcp from X.X.15.15 to <MYHOST2> 53
05500 0 0 allow tcp from X.X.15.16 to <MYHOST2> 53
05600 7565 303432 deny tcp from any to X.X.211.64/26 setup
05700 227 18147 allow tcp from any to X.X.211.64/26 1024-65535
05800 364 89403 allow udp from any to X.X.211.64/26 1024-65535
05900 24660 2746580 deny log ip from any to any
65535 17 997 deny ip from any to any
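The `ipfw show` listing above is a per-rule hit-count table, and it is worth reading it as data rather than by eye: which rules actually match traffic, how much falls through to the final catch-all deny, and whether the anti-spoofing denies on the external interface (vr0) cover the whole of each private range. The script below is an added example, not code from the original post or from FreeBSD; it parses the FreeBSD 4.x `ipfw show` format into rule objects and runs those checks. The embedded sample is an abridged copy of the listing above, with the poster's masked addresses left as-is. One finding it surfaces: rule 01200 denies 172.16.0.0/16, but the RFC 1918 block is 172.16.0.0/12, so the other fifteen /16s of that range are not covered by the spoof filter.

```python
"""Audit an `ipfw show` listing (FreeBSD 4.x syntax) for a bridged firewall.

Added example, not code from the original post or from FreeBSD. The
sample ruleset below is an abridged copy of the poster's attachment, with
the same masked addresses (<MYHOST1>, X.X.211.64/26).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: abridged from the poster's `ipfw show` output.
SAMPLE = """\
00100 24 1824 allow udp from 132.239.1.6 123 to <MYHOST1> 123
00900 0 0 deny ip from 127.0.0.0/8 to any via vr0
01000 1316 132222 deny ip from 10.0.0.0/8 to any via vr0
01100 512 65098 deny ip from 192.168.0.0/16 to any via vr0
01200 0 0 deny ip from 172.16.0.0/16 to any via vr0
01300 6363 1136947 allow ip from 10.0.0.0/28 to any via dc0
01400 5952 374220 allow ip from any to any via lo*
01700 703 33825 allow icmp from any to any
02300 11915 2725386 allow tcp from any to <MYHOST1> 80
03100 0 0 deny tcp from any to <MYHOST1> 3306
05600 7565 303432 deny tcp from any to X.X.211.64/26 setup
05900 24660 2746580 deny log ip from any to any
65535 17 997 deny ip from any to any
"""

# One `ipfw show` line: rule number, packet and byte counters, rule body.
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>allow|deny)(?P<log>\s+log)?\s+(?P<proto>\S+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>[\d,-]+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>[\d,-]+))?(?P<opts>.*)$"
)

# Source ranges that should never arrive on the external interface:
# loopback plus the three RFC 1918 blocks.
PRIVATE_PREFIXES = [ipaddress.ip_network(p) for p in
                    ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    number: int
    packets: int
    nbytes: int
    action: str
    log: bool
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    via: Optional[str]   # interface from a trailing "via" option, if any
    options: List[str]   # all trailing tokens (via, setup, ...)


def parse_ipfw_show(text: str) -> List[Rule]:
    """Turn `ipfw show` output into Rule objects; reject lines we don't understand."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ipfw rule line: {line!r}")
        opts = m.group("opts").split()
        via = opts[opts.index("via") + 1] if "via" in opts else None
        rules.append(Rule(
            number=int(m.group("num")), packets=int(m.group("pkts")),
            nbytes=int(m.group("bytes")), action=m.group("action"),
            log=m.group("log") is not None, proto=m.group("proto"),
            src=m.group("src"), sport=m.group("sport"),
            dst=m.group("dst"), dport=m.group("dport"),
            via=via, options=opts))
    return rules


def hits_by_action(rules: List[Rule]) -> Dict[str, int]:
    """Packets matched per action (how much traffic the denies absorb)."""
    totals: Dict[str, int] = {}
    for r in rules:
        totals[r.action] = totals.get(r.action, 0) + r.packets
    return totals


def unused_rules(rules: List[Rule]) -> List[int]:
    """Rule numbers that matched nothing since the counters were last reset."""
    return [r.number for r in rules if r.packets == 0]


def catch_all_deny_packets(rules: List[Rule]) -> int:
    """Packets that fell through to an unconditional 'deny ip from any to any'."""
    return sum(r.packets for r in rules
               if r.action == "deny" and r.proto == "ip"
               and r.src == "any" and r.dst == "any" and not r.options)


def antispoof_gaps(rules: List[Rule], iface: str) -> List[str]:
    """Private prefixes not fully covered by 'deny ip from <net> to any via <iface>'.

    A deny on a narrower subnet (172.16.0.0/16) does not cover the whole
    RFC 1918 block (172.16.0.0/12), so that block is reported as a gap.
    """
    denied = []
    for r in rules:
        if r.action != "deny" or r.via != iface or r.proto != "ip" or r.dst != "any":
            continue
        try:
            denied.append(ipaddress.ip_network(r.src, strict=False))
        except ValueError:
            continue  # 'any', a masked X.X address or a <MYHOST> placeholder
    return [str(p) for p in PRIVATE_PREFIXES
            if not any(d.supernet_of(p) for d in denied)]


if __name__ == "__main__":
    rs = parse_ipfw_show(SAMPLE)
    print("hits by action:", hits_by_action(rs))
    print("unused rules:", unused_rules(rs))
    print("catch-all deny packets:", catch_all_deny_packets(rs))
    print("anti-spoof gaps on vr0:", antispoof_gaps(rs, "vr0"))
```

The parser only knows the `allow`/`deny` forms seen in this listing and raises on anything else rather than silently skipping it, so a ruleset using other ipfw actions would need the regex extended. Zero-hit rules are not necessarily wrong (the NTP allows for <MYHOST2> may simply be idle), but they are the first places to look when checking that a rule is reachable and ordered ahead of the catch-all deny.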
# ifconfig
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
ether 00:01:53:80:e2:40
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 00:e0:4c:9c:83:1a
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
# netstat -s
tcp:
1632 packets sent
482 data packets (396644 bytes)
12 data packets (12480 bytes) retransmitted
0 resends initiated by MTU discovery
760 ack-only packets (3 delayed)
0 URG only packets
0 window probe packets
0 window update packets
378 control packets
2001 packets received
838 acks (for 396325 bytes)
2 duplicate acks
0 acks for unsent data
824 packets (388527 bytes) received in-sequence
0 completely duplicate packets (0 bytes)
0 old duplicate packets
0 packets with some dup. data (0 bytes duped)
0 out-of-order packets (0 bytes)
0 packets (0 bytes) of data after window
0 window probes
367 window update packets
0 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
4 connection requests
371 connection accepts
0 bad connection attempts
0 listen queue overflows
373 connections established (including accepts)
374 connections closed (including 2 drops)
0 connections updated cached RTT on close
0 connections updated cached RTT variance on close
0 connections updated cached ssthresh on close
2 embryonic connections dropped
838 segments updated rtt (of 472 attempts)
24 retransmit timeouts
2 connections dropped by rexmit timeout
0 persist timeouts
0 connections dropped by persist timeout
0 keepalive timeouts
0 keepalive probes sent
0 connections dropped by keepalive
22 correct ACK header predictions
412 correct data packet header predictions
371 syncache entries added
0 retransmitted
0 dupsyn
0 dropped
371 completed
0 bucket overflow
0 cache overflow
0 reset
0 stale
0 aborted
0 badack
0 unreach
0 zone failures
0 cookies sent
0 cookies received
udp:
1504 datagrams received
0 with incomplete header
0 with bad data length field
0 with bad checksum
0 with no checksum
1502 dropped due to no socket
2 broadcast/multicast datagrams dropped due to no socket
0 dropped due to full socket buffers
0 not for hashed pcb
0 delivered
1503 datagrams output
ip:
44537 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with ip length > max ip packet size
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (dup or out of space)
0 fragments dropped after timeout
0 packets reassembled ok
3743 packets for this host
1503 packets for unknown/unsupported protocol
0 packets forwarded (0 packets fast forwarded)
26203 packets not forwardable
35 packets received for unknown multicast group
0 redirects sent
4891 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 tunneling packets that can't find gif
0 datagrams with bad address in header
icmp:
1502 calls to icmp_error
0 errors not generated 'cuz old message was icmp
Output histogram:
echo reply: 231
destination unreachable: 1502
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
1 multicast echo requests ignored
0 multicast timestamp requests ignored
Input histogram:
echo reply: 4
destination unreachable: 1502
echo: 232
231 message responses generated
0 invalid return addresses
0 no return routes
ICMP address mask responses are disabled
igmp:
0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 membership reports sent
-- Bridging statistics (bdg) --
Name   In      Out     Forward  Drop  Bcast   Mcast  Local  Unknown
dc0:1  155257  296115  136083   0     345     15217  2203   1409
vr0:1  315444  153056  114414   0     179526  19433  0      2071
# netstat -i
Name   Mtu    Network   Address             Ipkts  Ierrs   Opkts  Oerrs  Coll
dc0    1500   <Link#1>  00:01:53:80:e2:40  155605      0  297006      0     0
dc0    1500   10/24     10.0.0.1             5273      -    4916      -     -
vr0    1500   <Link#2>  00:e0:4c:9c:83:1a  316350      0  153370      0     0
lp0*   1500   <Link#3>                          0      0       0      0     0
lo0    16384  <Link#4>                       3104      0    3104      0     0
lo0    16384  your-net  localhost              48      -      48      -     -
ppp0*  1500   <Link#5>                          0      0       0      0     0
sl0*   552    <Link#6>                          0      0       0      0     0
faith  1500   <Link#7>                          0      0       0      0     0