[ale] ipfwadm won't forward packets thru firewall rules

Joe Steele joe at madewell.com
Tue Jul 13 20:08:17 EDT 1999


On Mon, 12 Jul 1999, Scott Thomason wrote:

> 
> 
> I hope someone can help me before I go crazy. I'm having trouble getting
> ipfwadm to forward masqueraded packets from our internal network thru the
> firewall input/output rules.
> 
> Specifically, I can use the following mini-firewall to telnet out from the
> firewall machine, but telnet fails to connect from any other machine on our
> network. The packets arrive on eth0 on the firewall machine, but never get
> sent out on ppp0 (as illustrated by the tcpdump output below).
> 
> When I disable firewalling (ipfwadm -I/O -p accept), everything works fine
> from any machine on the network, so I know it's not a
> hardware/wiring/NIC/routing issue.
> 
> Here's the setup:
> 
> My firewall machine is running a more-or-less clean install of RedHat 5.2,
> kernel 2.0.36. I've installed diald 0.16.5 for on-demand dialing for the ppp
> connection to the internet. It also has an ethernet card for connection to
> the internal network. This NIC is eth0 at IP address 192.168.2.1.
> 
> I have another linux machine running as a gateway/server. It uses the same
> RedHat distribution. It runs SAMBA, Sendmail, DHCP, BIND, etc., and is our
> main office server. It has two NICS: one configured as eth0 at IP address
> 192.168.2.2 for connection to the firewall machine, and the other configured
> as eth1 at IP address 192.168.1.1 for connection to the rest of our LAN.
> 
> As you can probably tell, the idea is that the LAN traffic stays on net
> 192.168.1.0/24, and is routed to the firewall machine only when it needs to
> get out to the internet. Network 192.168.2.0/24 consists only of the two
> previously described machines joined by a cross-over cable.
> 
> As a side note: I'd sure like to know why I never see any deny/reject
> messages on the log! Kinda makes debugging hard. . . .
> 
> Thanks in advance,
> ---scott <mailto:scott at 2tp.com>
> Copious debugging output follows. . . .
> 
> 
> 
> <--- Small firewall script invoked from within /etc/ppp/ip-up.local --->
> #!/bin/sh
> ipfwadm -If
> ipfwadm -Of
> ipfwadm -Ff
> ipfwadm -Ip deny
> ipfwadm -Op deny
> ipfwadm -Fp deny
> ipfwadm -Fa masq -S 192.168.0.0/16 -D any/0

I am not familiar with the syntax you are using for the masq rule above. 
Maybe it's o.k., I just haven't seen it quite like that before.  I would
have written it like this: 

ipfwadm -Fma accept -S 192.168.0.0/16


> ipfwadm -Fa reject -o -W eth0
> ipfwadm -Fa reject -o -W ppp0
> ipfwadm -Ia acc -P icmp -S any/0 -D any/0
> ipfwadm -Oa acc -P icmp -S any/0 -D any/0
> ipfwadm -Oa acc -P tcp -S 192.168.0.0/16 1024:65535 -D any/0 23
> ipfwadm -Oa acc -P tcp -S $IPLOCAL 1024:65535 -D any/0 23
> ipfwadm -Ia acc -P tcp -k -S any/0 23 -D 192.168.0.0/16 1024:65535
> ipfwadm -Ia acc -P tcp -k -S any/0 23 -D $IPLOCAL 1024:65535

I believe the -k option on your input rules is a mistake.  Setting this
option would require that the ACK bit of all incoming tcp packets be set. 
When tcp performs its initial three-way handshake, the first packet sent
from the initiating host will not have the ACK bit set.  The -k option
would block this initial packet, thereby preventing the establishment of
any tcp connections. 

As far as your lack of any deny/reject messages in your logs:  you only
have two rules with the -o option set.  Packets which match those rules
are the only ones that will get logged.  The use of the following rules
after all other rules should catch and log all packets which would
otherwise fall through to your default deny policies:

ipfwadm -Ioa deny 
ipfwadm -Ooa deny
ipfwadm -Foa deny

-- Joe Steele
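To make the two points in Joe's reply concrete (the -k option matches only packets that carry the ACK bit, and only rules given -o produce log entries, so a packet that falls through to the default policy is dropped silently), here is a small Python model of one ipfwadm chain. It is an added illustration, not part of the thread and not ipfwadm's code; the host addresses and the packets are constructed for the example, and the first rule mirrors the thread's input rule for telnet replies.

```python
# Added example: a toy model of a single ipfwadm chain (not ipfwadm itself).
# Models only the options used in the thread: -P, -S/-D with port ranges, -k, -o.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK bit; the first packet of a handshake has it clear

@dataclass
class Rule:
    policy: str                     # "accept", "deny" or "reject"
    proto: str = "all"              # -P
    src: str = "0.0.0.0/0"          # -S  (ipfwadm spells this any/0)
    sports: tuple = (0, 65535)      # port range following -S
    dst: str = "0.0.0.0/0"          # -D
    dports: tuple = (0, 65535)      # port range following -D
    ack_only: bool = False          # -k: match only when ACK is set
    log: bool = False               # -o: log packets matching this rule

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if not (self.sports[0] <= p.sport <= self.sports[1]):
            return False
        if not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return p.ack or not self.ack_only

def run_chain(rules, policy, p):
    """First matching rule wins, otherwise the chain's default policy applies.
    Returns (verdict, logged); a fall-through to the policy is never logged."""
    for r in rules:
        if r.matches(p):
            return r.policy, r.log
    return policy, False

# The thread's input rule for telnet replies (-Ia acc -P tcp -k -S any/0 23 -D 192.168.0.0/16 1024:65535)
INPUT = [Rule("accept", "tcp", "0.0.0.0/0", (23, 23), "192.168.0.0/16", (1024, 65535), ack_only=True)]
# The same chain with Joe's logging catch-all (-Ioa deny) appended
INPUT_WITH_CATCHALL = INPUT + [Rule("deny", log=True)]

if __name__ == "__main__":
    # Constructed packets: a server's SYN-ACK reply, and a bare SYN sourced from port 23 (no ACK)
    syn_ack = Packet("tcp", "10.0.0.5", 23, "192.168.1.20", 1025, ack=True)
    bare_syn = Packet("tcp", "10.0.0.5", 23, "192.168.1.20", 1025, ack=False)
    print(run_chain(INPUT, "deny", syn_ack))                 # ('accept', False)
    print(run_chain(INPUT, "deny", bare_syn))                # ('deny', False): silently dropped
    print(run_chain(INPUT_WITH_CATCHALL, "deny", bare_syn))  # ('deny', True): dropped and logged
```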