
List:       ipfilter
Subject:    Re: A really really weird problem...
From:       Jim Sandoz <sandoz () lucent ! com>
Date:       2004-09-10 14:12:50
Message-ID: 4141B662.8080601 () lucent ! com


marco,

could you try a couple of things, so we can get to the bottom of this?

1) post output of
$ netstat -s -P ip
as i would like to see if there are any checksum errs or other maladies.

2) post output of
$ ipnat -slv
as i would like to see if nat translations are even getting done.

3) post output of
$ ipfstat
as i would like to see ipf's packet counters.

4) post output of
$ netstat -rn
as i would like to see the routing table.

5a) post a snoop snippet showing an outgoing ICMP packet;
      what are the source & destination addresses?
5b) post a snoop snippet showing an outgoing UDP packet;
      what are the source & destination addresses?
5c) post a snoop snippet showing an outgoing TCP packet;
      what are the source & destination addresses?

6) in /etc/opt/ipf/ipnat.conf, change all three lines to reflect
the real external ip, e.g.:
map elxl0 192.168.200.0/24 -> your.ext.ip.here/32 portmap tcp/udp auto

7) in /etc/opt/ipf/ipnat.conf, change the second line to specify
a port range:
map elxl0 192.168.200.0/24 -> your.ext.ip.here/32 portmap tcp/udp 10000:24000


ps: the first four are right out of the FAQ page i sent previously.

jim



Marco Greene (Home) wrote:
> Thanks Jim for pointing out the error of my ways...I was a bit on the tired
> side when I wrote the email and I thought I had been more forthcoming with
> the info.  Obviously I was really tired because I can't believe how little I
> actually sent.
> 
> Anyways here is a second shot.
> 
> 
> System info: 
> Solaris 8 for intel (SunOS archer 5.8 Generic_117351-04 i86pc i386 i86pc)
> IP Filter 4.1.3
> PFIL 2.1.1
>  
> All compiled with gcc 3.4.1
> 
> Everything compiled fine with no errors once I figured out the addition of
> pfil since the last time I ran this on Solaris.  Pfil is setup correctly (at
> least it looks it according to the readme)
> 
> # strconf < /dev/elxl
> pfil
> elxl
> # ifconfig elxl0 modlist
> 0 arp
> 1 ip
> 2 pfil
> 3 elxl
> # ifconfig elxl1 modlist
> 0 arp
> 1 ip
> 2 pfil
> 3 elxl
> 
> elxl0 is external
> elxl1 is internal
> 
> My ipnat.conf file:
> map elxl0 192.168.200.0/24 -> 0/32 proxy port ftp ftp/tcp
> map elxl0 192.168.200.0/24 -> 0/32 portmap tcp/udp auto
> map elxl0 192.168.200.0/24 -> 0/32
> 
> My internal subnet is 192.168.200.0/24
> 
> Now for the problem:
> --------------------
> -I can seem to ping everything OK from inside the firewall.
> -I can't seem to do anything else.  snoop reveals packets going out but
> nothing coming back.  To me that looks like a NAT issue, but this is always
> the way I have set it up in the past.
> -I even tried changing the firewall rule set to allow ALL...no difference
> -From the firewall itself everything works fine...at least what I expect
> according to my rules.
> -I have double checked ip_forwarding is turned on (1).
> -I used to run FreeBSD 4.9 on this same system and used the same ruleset
> (obviously interface names changed).  The reason I am moving away from
> FreeBSD is two fold:  1)  I REALLY don't like the patching mechanism and 2)
> another program I want to run along side the firewall works much better on
> Solaris.  This package is not installed yet as I want to get the IPFilter
> portion working first.
> 
> Any ideas?
> TIA,
> Marco
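The following script is an added example, not code posted by Jim or Marco. It turns steps 6 and 7 of Jim's checklist into a repeatable rewrite of Marco's three ipnat map rules (the `0/32` target tells ipnat to use whatever address the interface currently holds; Jim wants it swapped for the literal external address as a test) and wraps steps 1 to 4 in a single diagnostics collector. The external address 203.0.113.5, the port range 10000:24000 and the `ipnat -nvf` check mentioned in the usage comment are assumptions for illustration; substitute your own values.

```shell
#!/bin/sh
# Added example for the ipfilter thread above; not from the original posts.
# Assumed placeholders: external address 203.0.113.5, port range 10000:24000.

# Constructed input: the three map rules Marco posted for elxl0.
sample_ipnat_conf() {
    cat <<'EOF'
map elxl0 192.168.200.0/24 -> 0/32 proxy port ftp ftp/tcp
map elxl0 192.168.200.0/24 -> 0/32 portmap tcp/udp auto
map elxl0 192.168.200.0/24 -> 0/32
EOF
}

# rewrite_ipnat EXT_IP LOW:HIGH
# Step 6: replace the 0/32 placeholder with the literal external address
#         on every rule.
# Step 7: replace "auto" on the portmap rule with an explicit port range.
# Reads ipnat.conf on stdin, writes the rewritten rules on stdout.
rewrite_ipnat() {
    ext="$1"
    range="$2"
    sed -e "s|-> 0/32|-> ${ext}/32|" \
        -e "s|portmap tcp/udp auto|portmap tcp/udp ${range}|"
}

# Steps 1-4: gather the counters and tables Jim asked for. Meant for a
# Solaris host with IP Filter installed; each command is skipped when its
# binary is absent so the script still runs elsewhere.
collect_diag() {
    for cmd in "netstat -s -P ip" "ipnat -slv" "ipfstat" "netstat -rn"; do
        bin=${cmd%% *}
        if command -v "$bin" >/dev/null 2>&1; then
            echo "### $cmd"
            $cmd 2>&1
        else
            echo "### $cmd: not available on this host"
        fi
    done
}

# Usage:
#   sh thisscript.sh diag            # steps 1-4
#   sh thisscript.sh > ipnat.new     # steps 6 and 7 on the sample rules
# Then, assumed invocation, parse-check before loading:
#   ipnat -nvf ipnat.new             # -n is ipnat's no-action flag
if [ "$1" = "diag" ]; then
    collect_diag
else
    sample_ipnat_conf | rewrite_ipnat 203.0.113.5 10000:24000
fi
```

To apply it to a live box, feed the real file instead of the sample (`rewrite_ipnat 203.0.113.5 10000:24000 < /etc/opt/ipf/ipnat.conf`) and keep the original alongside so step 6 and step 7 can be backed out independently once the snoop captures from step 5 show which change, if either, made return traffic appear.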