Re: ipfilter nat failure (IPFilter forums, System Security and Security Related category)
I tried removing ipfilter and installing the precompiled binary, which is where I am now. I am using version 3.4.32. This one is weirder. It NATs, but only certain web sites get through. google.ca comes through but yahoo.com does not. What seems a bit interesting is that the sites that seem to get through are ones that were previously visited by a browser directly on the Sun server through a Sunray. In other words, if I use a browser on the Sun and get to a web site, it seems that I can get to that site from a PC routed through the Sun. I'll have to test that when I go out there tomorrow.

On ipfilter 4.1.9 no packets dropped, but it wouldn't NAT at all. Also, at another location I installed ipfilter 3.4.32 from package the same way I did here and it works fine. What do you think?

root@burlsun # uname -a
SunOS burlsun 5.9 Generic_117171-07 sun4u sparc SUNW,Sun-Fire-V210
root@burlsun # isainfo -vk
64-bit sparcv9 kernel modules

Below: bge0 is the local net, bge1 is the interface for the internet, bge3 is the interface for a Sunray net. sppp0 is the internet virtual interface connected over bge1.

root@burlsun # ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 4
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 10.0.1.1 netmask ffffff00 broadcast 10.0.1.255
        ether 0:3:ba:c9:89:b9
bge1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 6
        inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
        ether 0:3:ba:c9:89:ba
bge3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
        inet 192.168.128.1 netmask ffffff00 broadcast 192.168.128.255
        ether 0:3:ba:c9:89:bc
sppp0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1492 index 9
        inet 69.158.81.212 --> 64.230.197.205 netmask ff000000
        ether 0:0:0:0:0:0

root@burlsun # netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
64.230.197.205       69.158.81.212        UH       1      3  sppp0
192.168.128.0        192.168.128.1        U        1     21  bge3
10.0.1.0             10.0.1.1             U        1      8  bge0
224.0.0.0            10.0.1.1             U        1      0  bge0
default              64.230.197.205       UG       1      4
127.0.0.1            127.0.0.1            UH      34  81564  lo0

root@burlsun # netstat -s -P ip
IPv4
        ipForwarding      =     1       ipDefaultTTL      =   255
        ipInReceives      = 75564       ipInHdrErrors     =     0
        ipInAddrErrors    =     0       ipInCksumErrs     =     0
        ipForwDatagrams   =   809       ipForwProhibits   =     0
        ipInUnknownProtos =    29       ipInDiscards      =     0
        ipInDelivers      =165647       ipOutRequests     = 60972
        ipOutDiscards     =     0       ipOutNoRoutes     =    39
        ipReasmTimeout    =    60       ipReasmReqds      =     0
        ipReasmOKs        =     0       ipReasmFails      =     0
        ipReasmDuplicates =     0       ipReasmPartDups   =     0
        ipFragOKs         =     0       ipFragFails       =     0
        ipFragCreates     =     0       ipRoutingDiscards =     0
        tcpInErrs         =     0       udpNoPorts        =    30
        udpInCksumErrs    =     0       udpInOverflows    =     0
        rawipInOverflows  =     0       ipsecInSucceeded  = 87889
        ipsecInFailed     =     0       ipInIPv6          =     0
        ipOutIPv6         =     0       ipOutSwitchIPv6   =    38

root@burlsun # ipf -V
ipf: IP Filter: v3.4.32 (496)
Kernel: IP Filter: v3.4.32
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 1

root@burlsun # ipfstat
dropped packets:        in 0    out 0
non-data packets:       in 7    out 2
no-data packets:        in 0    out 0
non-ip packets:         in 0    out 0
bad packets:            in 0    out 0
copied messages:        in 5    out 3548
IPv6 packets:           in 0    out 0
input packets:          blocked 1273 passed 67325 nomatch 0 counted 0 short 0
output packets:         blocked 0 passed 52237 nomatch 0 counted 0 short 0
input packets logged:   blocked 0 passed 0
output packets logged:  blocked 0 passed 0
packets logged:         input 0 output 0
log failures:           input 0 output 0
fragment state(in):     kept 2  lost 0
fragment state(out):    kept 2  lost 0
packet state(in):       kept 3  lost 0
packet state(out):      kept 28 lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  52757   (out):  32191
IN Pullups succeeded:   0       failed: 0
OUT Pullups succeeded:  16      failed: 0
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
Packet log flags set: (0)
        none

root@burlsun # ipfstat -io
pass out quick on lo0 from any to any
pass out quick on bge0 from any to any
pass out quick on bge1 from any to any
pass out quick on bge3 from any to any
block out from any to any
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
pass in quick on lo0 from any to any
pass in quick on bge0 from any to any
pass in quick on bge1 from any to any
pass in quick on bge3 from any to any
block in from any to any
pass in quick on sppp0 proto tcp from any to any port = 22 flags S/FSRPAU keep state
pass in quick on sppp0 proto tcp from any to any port = 21 flags S/FSRPAU keep state
pass in quick on sppp0 proto tcp from any to any port = 23 flags S/FSRPAU keep state

root@burlsun # ipnat -slv
mapped  in      441     out     317
added   16      expired 16
no memory       0       bad nat 0
inuse   0
rules   3
wilds   0
table ffffffff7ffffb30 list 30000060548
List of active MAP/Redirect filters:
map sppp0 10.0.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 10.0.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map sppp0 10.0.1.0/24 -> 0.0.0.0/32
List of active sessions:
List of active host mappings:

root@burlsun # cat /etc/opt/ipf/ipf.conf
## ipf.conf - config file for ipfilter
##
## This is a very simple set of rulesets for a single machine's
## firewall. It will only drop packets, not actively respond to
## probes. Uncomment out the services you wish to use.
##
## Last revised 15 Feb 2002 - m-woo
##
## pass all local traffic
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on bge0 all
pass out quick on bge0 all
pass in quick on bge1 all
pass out quick on bge1 all
pass in quick on bge3 all
pass out quick on bge3 all
##
## block inbound traffic from a particular IP on a particular port
#block in quick on sppp0 from <IP #> to any port = <port #>
##
## block all inbound/outbound traffic that doesn't comply with rules below
## the first rule logs to the daemon.notice syslog event level
#block in log level daemon.notice all
block in all
block out all
##
## pass all inbound tcp, udp, icmp traffic from x.x.x.x with state
## substitute host address for x.x.x.x
#pass in quick on sppp0 proto tcp from x.x.x.x to any keep state
#pass in quick on sppp0 proto udp from x.x.x.x to any keep state
#pass in quick on sppp0 proto icmp from x.x.x.x to any keep state
##
## pass inbound echo request
#pass in quick on sppp0 proto icmp from any to any icmp-type 8
##
## pass inbound identd requests
#pass in quick on sppp0 proto tcp from any to any port = 113 flags S keep state
##
## pass inbound smtp
#pass in quick on sppp0 proto tcp from any to any port = 25 flags S keep state
##
## pass inbound ssh
pass in quick on sppp0 proto tcp from any to any port = 22 flags S keep state
##
## pass inbound http and https
#pass in quick on sppp0 proto tcp from any to any port = 80 flags S keep state
#pass in quick on sppp0 proto tcp from any to any port = 443 flags S keep state
##
## pass inbound active ftp
pass in quick on sppp0 proto tcp from any to any port = 21 flags S keep state
##
## pass inbound passive ftp using unprivileged ports in range 15000-16000 only
## this requires that the ftp daemon be configured to use that range only
#pass in quick proto tcp from any to any port 15000 >< 16000 flags S keep state
##
## pass inbound telnet
pass in quick on sppp0 proto tcp from any to any port = 23 flags S keep state
##
## pass inbound NFS requests
## you will have to determine how to allow connection to mountd
#pass in quick on sppp0 proto tcp from any to any port = 2049 flags S keep state
#pass in quick on sppp0 proto udp from any to any port = 2049 keep state
##
## pass inbound lpd requests
#pass in quick on sppp0 proto tcp from any to any port = 515 flags S keep state
##
## pass all outbound tcp, udp, icmp traffic with state
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
##
## end of ipfilter ruleset

root@burlsun # bash
root@burlsun # cat /etc/opt/ipf/ipnat.conf
# minimal ipnat rule for allowing active ftp client
#
#map sppp0 0/0 -> 0/32 proxy port 21 ftp/tcp
map sppp0 10.0.1.0/24 -> 0/32 proxy port 21 ftp/tcp
map sppp0 10.0.1.0/24 -> 0/32 portmap tcp/udp auto
map sppp0 10.0.1.0/24 -> 0/32
root@burlsun #

On 26-Oct-05, at 3:23 AM, Phil Dibowitz wrote:

> Murray Thomson wrote:
>
>> I am using a sun v210 with the pre-compiled binary of ipfilter for
>> Solaris 9 - v 3.4.32-Sol9
>>
>> When I set it up the NAT worked OK. Some complaints about it being
>> slow. So I upgraded it to 4.1.9 and it won't NAT. The packets go out to
>> the internet untranslated.
>>
>> It is going out over a ppp interface exactly like before. I ran into
>> this with Sunscreen where it failed to translate over virtual (pppoe)
>> interfaces.
>>
>> Is there a known problem with newer versions of ipfilter, or is there a
>> different way to make the configuration files that I am not aware of?
>
> Please at least post your ruleset for both ipnat and ipf... or
> alternatively see:
>
> http://www.phildev.net/ipf/IPFmail.html#mail3
>
> Which should give you a list of things to post to make it easier for us
> to diagnose your issue.
>
> --
> Phil Dibowitz                             phil@ipom.com
> Freeware and Technical Pages              Insanity Palace of Metallica
> http://www.phildev.net/                   http://www.ipom.com/
>
> "Be who you are and say what you feel, because those who mind don't
> matter and those who matter don't mind."
> - Dr. Suess
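An added example, not code from the post or from the IPFilter project, showing how ipf decides on the ruleset listed above: rules are tried top to bottom, the last matching rule wins unless a matching rule is marked quick, which is why "block in all" sits before the per-port pass rules and still lets port 22/21/23 through. The packet dict format (dir, iface, proto, dport) and the limited set of rule fields parsed are assumptions of this example.

```python
# Added example (not the post's or IPFilter's code): a minimal evaluator
# for the ipf ruleset in the post. IPFilter tries rules top to bottom;
# the LAST match decides unless a match says 'quick', which stops at once.

# Constructed from the 'ipfstat -io' listing above; 'keep state' and
# 'flags' are ignored here, and 'port = N' is the only port form handled.
RULESET = """
pass out quick on lo0 from any to any
pass out quick on bge0 from any to any
pass out quick on bge1 from any to any
pass out quick on bge3 from any to any
block out from any to any
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state
pass in quick on lo0 from any to any
pass in quick on bge0 from any to any
pass in quick on bge1 from any to any
pass in quick on bge3 from any to any
block in from any to any
pass in quick on sppp0 proto tcp from any to any port = 22 flags S/FSRPAU keep state
pass in quick on sppp0 proto tcp from any to any port = 21 flags S/FSRPAU keep state
pass in quick on sppp0 proto tcp from any to any port = 23 flags S/FSRPAU keep state
"""

def parse_rule(line):
    """Pull out action, direction, quick, interface, proto and dest port."""
    tok = line.split()
    after = lambda kw, n=1: tok[tok.index(kw) + n] if kw in tok else None
    return {"action": tok[0], "dir": tok[1], "quick": "quick" in tok,
            "iface": after("on"), "proto": after("proto"),
            "dport": int(after("port", 2)) if "port" in tok else None}

def matches(rule, pkt):
    """A None field in the rule is a wildcard (ipf 'any')."""
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt.get("dport")))

def verdict(pkt, ruleset=RULESET):
    """'pass' or 'block' for pkt; default is pass ('Default: pass all')."""
    result = "pass"
    for line in ruleset.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            result = rule["action"]
            if rule["quick"]:
                break            # quick: first quick match wins, stop here
    return result
```

Inbound HTTP on sppp0 is blocked because only the non-quick "block in" line matches it, while inbound SSH is passed by the later quick rule; outbound GRE on sppp0 is blocked because the quick pass rules cover only tcp, udp and icmp.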