Help with FreeBSD Bridged Firewall

2003-07-29 Thread William Knechtel
Hello!

Help!! I'm running a PC with dual NICs and FreeBSD 4.8 for a bridged
firewall. I've got a private IP 10.0.0.1 tied to the internal card on the
box for remote management. The firewall blocks any 10.x traffic coming in on
the external card, so to remotely admin it, I have to shell into a machine
on the same isolated network segment that it's on, and then shell over from
that machine.

Today around noon, the machine suddenly stopped responding to pings. I went
down to the server room and couldn't find anything wrong. No notes on the
console screen, no anomalous entries in the security or message logs. So, in
the interest of getting it back up quickly, I rebooted it. That worked.
About an hour later, the same thing happened... my network monitor tells me
that it's not responding to pings. So before I go down to the server room, I
run a few tests... the firewall is still blocking packets like a champ.  I
run nmap against a host the firewall protects, and everything comes back
fine. But when I go downstairs to the console, I can't ping out to its
10.0.0.2 buddy, and no incoming pings work either. I'm at a loss on how to
troubleshoot this, folks.  I could really use a few ideas, so please send
them along!

Thanks in Advance!
Bill

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


RE: Help with FreeBSD Bridged Firewall

2003-07-29 Thread William Knechtel
Per a list member's request, I've attached dumps of the following commands:

arp -a
netstat -m
ipfw show
ifconfig
netstat -s
netstat -i

One caveat, I've hidden all IP addresses that could be used to divine my
netblock...  I guess I'm a little paranoid about people inspecting my
firewall configuration :-)   and  are public (routable) IP
addresses of the two machines I have behind the firewall.

One additional note.  Since I first composed this message early this
afternoon, the responsiveness of the internal NIC on the firewall has
bounced up and down a bit. Here's a bit of a log of its activity:

11:57 DOWN
12:06 UP (reboot)
12:26 DOWN
2:18 UP
3:14 DOWN
5:43 UP

The odd thing is that it's been operating fine for a few months now (it's
a fairly new installation), and the last change I made to the firewall's
config was well over a week ago.

I hope this helps figure out what's going on!!  Thanks in advance for your
help.

Kindest Regards,
Bill

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of William Knechtel
> Sent: Tuesday, July 29, 2003 6:56 PM
> To: [EMAIL PROTECTED]
> Subject: Help with FreeBSD Bridged Firewall
>
>
# arp -a
? (10.0.0.1) at 00:01:53:80:e2:40 on dc0 permanent [ethernet]
? (10.0.0.2) at 00:02:b3:a8:3d:2b on dc0 [ethernet]

# netstat -m
129/160/4992 mbufs in use (current/peak/max):
129 mbufs allocated to data
128/136/1248 mbuf clusters in use (current/peak/max)
312 Kbytes allocated to network (8% of mb_map in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

# ipfw show
00100 24  1824 allow udp from 132.239.1.6 123 to  123
00200 23  1748 allow udp from 128.194.254.9 123 to  123
00300 24  1824 allow udp from 192.43.244.18 123 to  123
00400 24  1824 allow udp from 128.138.140.44 123 to  123
00500  0 0 allow udp from 132.239.1.6 123 to  123
00600  0 0 allow udp from 128.194.254.9 123 to  123
00700  0 0 allow udp from 192.43.244.18 123 to  123
00800  0 0 allow udp from 128.138.140.44 123 to  123
00900  0 0 deny ip from 127.0.0.0/8 to any via vr0
01000   131613 deny ip from 10.0.0.0/8 to any via vr0
01100512 65098 deny ip from 192.168.0.0/16 to any via vr0
01200  0 0 deny ip from 172.16.0.0/16 to any via vr0
01300   6363   1136947 allow ip from 10.0.0.0/28 to any via dc0
01400   5952374220 allow ip from any to any via lo*
01500 214096 106791094 allow ip from X.X.211.64/26 to any
01600176 21124 allow ip from X.X.122.180 to any
01700703 33825 allow icmp from any to any
01800898130784 allow ip from X.X.204.192/28 to any
01900  0 0 allow ip from X.X.211.68 to any
02000  51768   7784246 allow ip from any to X.X.255.255
02100  0 0 allow tcp from any to  53
02200  0 0 allow udp from any to  53
02300  11915   2725386 allow tcp from any to  80
02400  0 0 allow udp from any to  80
02500659444559 allow tcp from any to  25
02600  0 0 allow udp from any to  25
02700  0 0 allow tcp from any to  110
02800  0 0 allow udp from any to  110
02900  0 0 allow tcp fr

RE: Help with FreeBSD Bridged Firewall

2003-07-30 Thread William Knechtel
Yeah, the arp cache is the problem, thanks for nailing that one for me.
However, the ipfw rule you supplied doesn't seem to want to work for
me...  I think for the time being I'll just run a cron job every 15
minutes or so that clears the arp cache completely.  Thanks again for
your help!!  I really appreciate it!

Kindest Regards,
Bill

-Original Message-
From: Don Bowman [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2003 7:33 PM
To: 'William Knechtel'; [EMAIL PROTECTED]
Subject: RE: Help with FreeBSD Bridged Firewall

> From: William Knechtel [mailto:[EMAIL PROTECTED]

I think you need to allow arp through this device, something like:
ipfw add 30 allow layer2 mac-type arp
[not sure which rule to insert it at].

I'm guessing your arp cache is timing out.

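An added audit script, not part of the thread, that parses `ipfw show` output in the format Bill posted and flags two things a bridging-firewall admin would want to see: whether any allow rule passes ARP at layer 2 (the missing rule Don diagnosed), and which anti-spoofing deny rules on the outside interface are actually accumulating hits. The sample dump is constructed, loosely modelled on the posted ruleset with the hidden addresses dropped, and the ARP rule text follows Don's suggestion; check ipfw(8) on your release for the exact syntax.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `ipfw show` output, modelled on the ruleset posted in
# the thread (not the real dump). Rule 30 is the ARP rule Don suggested.
SAMPLE_IPFW_SHOW = """\
00030     0         0 allow ip from any to any layer2 mac-type arp
00900     0         0 deny ip from 127.0.0.0/8 to any via vr0
01000    13      1613 deny ip from 10.0.0.0/8 to any via vr0
01100   512     65098 deny ip from 192.168.0.0/16 to any via vr0
01200     0         0 deny ip from 172.16.0.0/16 to any via vr0
01300  6363   1136947 allow ip from 10.0.0.0/28 to any via dc0
65535  4021    301122 deny ip from any to any
"""

# `ipfw show` prints: rule number, packet count, byte count, then the rule text.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")

@dataclass
class Rule:
    number: int
    packets: int
    bytes_: int
    text: str

def parse_ipfw_show(output: str) -> List[Rule]:
    rules = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank or unparseable lines rather than failing
            rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules

def arp_is_passed(rules: List[Rule]) -> bool:
    """True if some allow rule explicitly matches ARP at layer 2. Without one,
    the default deny eats ARP on a bridging ipfw box and the neighbour cache
    times out, which is the flapping Bill saw on the inside NIC."""
    return any(r.text.startswith("allow") and "layer2" in r.text
               and "mac-type arp" in r.text for r in rules)

def bogon_hits(rules: List[Rule], outside_if: str) -> List[Rule]:
    """Deny rules for private/loopback sources on the outside interface that
    have fired at least once: spoofed or leaked traffic worth a look."""
    return [r for r in rules if r.text.startswith("deny ip from")
            and f"via {outside_if}" in r.text and r.packets > 0]

if __name__ == "__main__":
    rs = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    print("ARP passed at layer2:", arp_is_passed(rs))
    for r in bogon_hits(rs, "vr0"):
        print(f"rule {r.number:05d}: {r.packets} pkts -> {r.text}")
```

Feed it the real dump with `ipfw show | python3 audit.py`-style plumbing by replacing the constant with `sys.stdin.read()`; the two checks are the same.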