I've been trying to get ip-masq set up for the first time on a little four-machine network, and, to put it bluntly, it's working weirdly. I'm using Linux-2.0.35 (i.e. this is ipfwadm land, not ipchains land). I've got this fairly paranoid, mostly-stolen-from-someone-else firewall config, lightly hacked until it looks about right (90% sure this will be what is wrong, as I'm still not very good at masq and this likely contains errors, probably stupid ones):

#!/bin/sh
#
# /etc/rc.d/rc.firewall, define the firewall configuration, invoked from
# rc.local.
#
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# Incoming, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
ipfwadm -I -f
ipfwadm -I -p deny
# local interface, local machines, going anywhere is valid
ipfwadm -I -a accept -V 192.168.1.1 -S 192.168.0.0/16 -D 0.0.0.0/0
# remote interface, claiming to be local machines, IP spoofing, get lost
ipfwadm -I -a deny -V 194.222.138.8 -S 192.168.0.0/16 -D 0.0.0.0/0 -o
# remote interface, any source, going to ext-visible address is valid
ipfwadm -I -a accept -V 194.222.138.8 -S 0.0.0.0/0 -D 194.222.138.8/32
# loopback interface is valid.
ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# catch all rule, all other incoming is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

# Outgoing, flush and set default policy of deny. Actually the default policy
# is irrelevant because there is a catch all rule with deny and log.
ipfwadm -O -f
ipfwadm -O -p deny
# local interface, any source going to local net is valid
ipfwadm -O -a accept -V 192.168.1.1 -S 0.0.0.0/0 -D 192.168.0.0/16
# outgoing to local net on remote interface, stuffed routing, deny
ipfwadm -O -a deny -V 194.222.138.8 -S 0.0.0.0/0 -D 192.168.0.0/16 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
ipfwadm -O -a deny -V 194.222.138.8 -S 192.168.0.0/16 -D 0.0.0.0/0 -o
# outgoing from local net on remote interface, stuffed masquerading, deny
ipfwadm -O -a deny -V 194.222.138.8 -S 0.0.0.0/0 -D 192.168.0.0/16 -o
# anything else outgoing on remote interface is valid
ipfwadm -O -a accept -V 194.222.138.8 -S 194.222.138.8/32 -D 0.0.0.0/0
# loopback interface is valid.
ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# catch all rule, all other outgoing is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

# Forwarding, flush and set default policy of deny. Actually the default
# policy is irrelevant because there is a catch all rule with deny and log.
ipfwadm -F -f
ipfwadm -F -p deny
# Masquerade from local net on local interface to anywhere.
ipfwadm -F -a masquerade -W sl0 -S 192.168.0.0/16 -D 0.0.0.0/0
# catch all rule, all other forwarding is denied and logged. pity there is no
# log option on the policy but this does the job instead.
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

I have CONFIG_FIREWALL, CONFIG_INET (of course), CONFIG_IP_FORWARD, CONFIG_SYN_COOKIES, CONFIG_IP_FIREWALL, CONFIG_IP_FIREWALL_VERBOSE, CONFIG_IP_MASQUERADE, CONFIG_IP_MASQUERADE_IPAUTOFW, CONFIG_IP_MASQUERADE_ICMP, CONFIG_IP_ALWAYS_DEFRAG, and CONFIG_IP_NOSR turned on; I do not have CONFIG_IP_ROUTER, CONFIG_IP_MULTICAST or CONFIG_IP_TRANSPARENT_PROXY turned on. (Neither do I have large windows enabled on this 8Mb box, although this makes little difference in late 2.0 kernels in any case.)
The symptoms are as follows: ICMP masquerading works; i.e. I can ping people outside from inside. But lots of other services spontaneously lock up a very short distance into the chatter; e.g. I can type about three commands at ftp prompts before data simply ceases to return. I've tried telnetting to a number of places and some work while some do not: telnetting to Brunel University, operating a fairly normal Unix-style telnet scheme on the standard telnet port, freezes after about two kilobytes have been transferred (i.e. about during the message of the day); telnetting to immortal.org on port 2000 works OK; telnetting to nngs.cosmic.org on port 9696 locks at the login prompt. Note that in all cases information gets there and back for a while (a good packet or three) before the connection freezes. netstat reveals nothing special. This is zany. Does anyone have any idea what the masqing hell is going on? What have I done wrong?

--
`It is inelegant and it was hacked on. But it was hacked on with careful consideration.' - PLA on perl and OO
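A way to sanity-check a ruleset like the one in the post before loading it is to replay sample packets through a model of ipfwadm's first-match semantics (rules added with -a are tried in order and the first match decides). The script below is an added example, not part of the original message: it transcribes the poster's input, output and forward chains, evaluates constructed packets against them, and flags rules that an earlier rule already shadows. Interface matching is simplified (a rule's -V address or -W name is compared as a string with the packet's "via" field), and the sample addresses 203.0.113.5 and 192.168.1.50 are constructed for the test, not taken from the post.

```python
"""First-match simulator for the ipfwadm chains quoted in the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    verdict: str               # accept / deny / masquerade
    src: str                   # -S network in CIDR form
    dst: str                   # -D network in CIDR form
    via: Optional[str] = None  # -V address or -W name; None means any interface
    log: bool = False          # the -o flag (kernel logging of matches)


@dataclass(frozen=True)
class Packet:
    src: str   # source address
    dst: str   # destination address
    via: str   # interface the packet is seen on (simplified: a string)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside the rule's interface, source and destination."""
    if rule.via is not None and rule.via != pkt.via:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "deny") -> Tuple[str, Optional[int]]:
    """Walk the chain in order; return (verdict, index of the first matching rule)."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return rule.verdict, i
    return policy, None  # fell off the end: the chain's -p policy applies


def shadowed_rules(chain: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers every packet they would."""
    shadowed = []
    for i, later in enumerate(chain):
        for earlier in chain[:i]:
            if earlier.via not in (None, later.via):
                continue  # earlier rule is bound to a different interface
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))):
                shadowed.append(i)
                break
    return shadowed


# Chains transcribed from the post, in the same order as the script.
LOCAL_IF, REMOTE_IF, LOOP_IF, SLIP_IF = "192.168.1.1", "194.222.138.8", "127.0.0.1", "sl0"
ANY = "0.0.0.0/0"

INPUT_CHAIN = [
    Rule("accept", "192.168.0.0/16", ANY, via=LOCAL_IF),
    Rule("deny", "192.168.0.0/16", ANY, via=REMOTE_IF, log=True),   # anti-spoofing
    Rule("accept", ANY, "194.222.138.8/32", via=REMOTE_IF),
    Rule("accept", ANY, ANY, via=LOOP_IF),
    Rule("deny", ANY, ANY, log=True),                                # logged catch-all
]

OUTPUT_CHAIN = [
    Rule("accept", ANY, "192.168.0.0/16", via=LOCAL_IF),
    Rule("deny", ANY, "192.168.0.0/16", via=REMOTE_IF, log=True),
    Rule("deny", "192.168.0.0/16", ANY, via=REMOTE_IF, log=True),
    Rule("deny", ANY, "192.168.0.0/16", via=REMOTE_IF, log=True),   # repeats the rule two above
    Rule("accept", "194.222.138.8/32", ANY, via=REMOTE_IF),
    Rule("accept", ANY, ANY, via=LOOP_IF),
    Rule("deny", ANY, ANY, log=True),
]

FORWARD_CHAIN = [
    Rule("masquerade", "192.168.0.0/16", ANY, via=SLIP_IF),
    Rule("deny", ANY, ANY, log=True),
]

if __name__ == "__main__":
    # Constructed sample packets: an outside host 203.0.113.5 and an inside host 192.168.1.50.
    samples = [
        ("input", INPUT_CHAIN, Packet("192.168.1.50", "194.222.138.8", REMOTE_IF)),  # spoofed
        ("input", INPUT_CHAIN, Packet("203.0.113.5", "194.222.138.8", REMOTE_IF)),   # reply to masq
        ("forward", FORWARD_CHAIN, Packet("192.168.1.50", "203.0.113.5", SLIP_IF)),
        ("output", OUTPUT_CHAIN, Packet("194.222.138.8", "203.0.113.5", REMOTE_IF)),
    ]
    for name, chain, pkt in samples:
        print(name, pkt, "->", evaluate(chain, pkt))
    print("shadowed output rules:", shadowed_rules(OUTPUT_CHAIN))
```

The shadow check reports the fourth output rule in the post's script as unreachable, since the second rule already denies the same traffic on the same interface; the replay confirms that spoofed local addresses arriving on the remote interface hit the logged deny and that replies to masqueraded connections are accepted by the rule for the externally visible address.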
