This is a discussion on ipfilter to route out by udp source addr and port within the IPFilter forums, part of the System Security and Security Related category.
I'm trying to use ipfilter to route messages based on the source tcp/ip address and source port. I have a sip proxy server listening on a specific interface (ce1), and want to route all sip traffic back out that specific interface (ce1). My default route is on a different interface (eri0), and I do not want to change this.

All of my sip traffic arrives on the correct interface, but routes out based on my routing table (below) and not by my ipfilter rules.

pass out quick on ce1 proto udp from 172.16.16.50/32 port 5060 >< 5061 to any keep state

Here's my modlist for interface ce1

dev01:root:/etc/rc2.d/> ifconfig ce1 modlist
0 arp
1 ip
2 pfil
3 ce

Here's my net config

dev01:root:/etc/rc2.d/> ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 5
        inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:85:37:9
ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7   <=== sip proxy
        inet 172.16.16.50 netmask fffffc00 broadcast 172.16.255.255
        ether 0:3:ba:85:37:a
eri0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 8   <=== admin interface
        inet 10.50.20.98 netmask fffffe00 broadcast 10.50.21.255
        ether 0:3:ba:13:31:d7
eri1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 9
        inet 192.168.2.1 netmask ffffff00 broadcast 192.168.2.255
        ether 0:3:ba:13:31:d8

My routing table

dev01:root:/etc/rc2.d/> netstat -nr
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.1           U       1   3010  ce0
192.168.2.0          192.168.2.1           U       1   5605  eri1
10.50.20.0           10.50.20.98           U       1  12734  eri0
172.16.16.0          172.16.16.50          U       1     75  ce1
224.0.0.0            10.50.20.98           U       1      0  eri0
default              10.50.20.1            UG      1   6534
127.0.0.1            127.0.0.1             UH  173968330  lo0

Here's my ipf rule

dev01:root:/etc/rc2.d/> ipfstat -on
@1 pass out quick on ce1 proto udp from 172.16.16.50/32 port 5060 >< 5061 to any keep state

Here's my ipfstat

dev01:root:/etc/rc2.d/> ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 0 out 0
 input packets:         blocked 0 passed 634116 nomatch 393476 counted 0 short 0
output packets:         blocked 0 passed 629220 nomatch 377366 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  240640  (out):  251854
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  1072    failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      19866
Packet log flags set: (0)
        none
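An added example (not from the post, and not IPFilter's own code) that models why the rule above has no effect on where replies go: the IP stack chooses the outbound interface by longest-prefix match against the routing table before any `out on ce1` filter rule is consulted, so a reply to any destination outside 172.16.16.0/22 is already committed to eri0 by the time ipfilter sees it. The example also evaluates IPFilter's `><` operator, which denotes an exclusive range, so `port 5060 >< 5061` matches no port at all. The routing table is constructed from the post's netstat and ifconfig output; the default route's interface (eri0) is inferred from its gateway being on-link via eri0.

```python
import ipaddress

# Constructed from the post's "netstat -nr" output; prefix lengths come from the
# ifconfig netmasks (fffffc00 = /22, fffffe00 = /23). The default route's interface
# is an inference: its gateway 10.50.20.1 lies in 10.50.20.0/23, which is eri0.
ROUTES = [
    ("192.168.1.0/24", "192.168.1.1", "ce0"),
    ("192.168.2.0/24", "192.168.2.1", "eri1"),
    ("10.50.20.0/23", "10.50.20.98", "eri0"),
    ("172.16.16.0/22", "172.16.16.50", "ce1"),
    ("0.0.0.0/0", "10.50.20.1", "eri0"),
]


def select_route(dst):
    """Longest-prefix match: the interface the stack picks before 'out' rules run."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, ifname in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifname)
    return best[2]


def port_in_range(port, low, high, op):
    """IPFilter range operators: 'a >< b' is strictly between a and b (exclusive);
    'a <> b' is outside [a, b]."""
    if op == "><":
        return low < port < high
    if op == "<>":
        return port < low or port > high
    raise ValueError("unknown operator %r" % op)


def rule_would_match(dst, sport, low=5060, high=5061, op="><"):
    """Can 'pass out quick on ce1 ... from 172.16.16.50/32 port <low> <op> <high>' fire
    for a reply from the proxy to dst? Only if routing already chose ce1 AND the
    source port satisfies the range; the rule never changes the routing decision."""
    return select_route(dst) == "ce1" and port_in_range(sport, low, high, op)


if __name__ == "__main__":
    for dst in ("172.16.17.9", "10.50.20.5", "203.0.113.7"):
        print(dst, "-> out via", select_route(dst),
              "| rule as written fires:", rule_would_match(dst, 5060),
              "| with 5059 >< 5062:", rule_would_match(dst, 5060, 5059, 5062))
```

Even with the port range corrected, only destinations inside 172.16.16.0/22 ever hit an `out on ce1` rule; steering other replies out ce1 needs a routing change or an ipfilter routing option rather than a plain pass rule.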