I've been running an OpenBSD firewall for a couple of years now. I don't always run the latest OS version; I'm running v3.2. I'm hosting servers for several domains behind the firewall, and had no trouble setting up unique IP addresses and managing ports for the first 5 servers/domains I configured, so I began to think I knew what I was doing. However, I recently tried to add two more servers/domains, and I can't seem to get through the firewall to them. For example, I can telnet to port 25 from the firewall machine to the private network address of these machines, and I get a response from the mail servers, but if I try from outside the firewall I get no response. I configured pf.conf by cutting, pasting, and editing. Sections for the new domains/servers look like the sections for the functioning domains/servers. Obviously, I need some help, and will need to provide more detailed information. What should I do to get help from this NG??

-- 
"Baby, you're not with me, and I did not want to be mean, but do they call it envy if an avocado's green?" Johnny Winter

Dan Bent wrote:

> I've been running an OpenBSD firewall for a couple of years now. I don't always run the latest OS version, I'm running v3.2. I'm hosting servers for several domains behind the firewall, and had no trouble setting up unique IP addresses and managing ports for the first 5 servers/domains I configured, so I began to think I knew what I was doing. However, I recently tried to add two more servers/domains, and I can't seem to get through the firewall to them. For example, I can telnet to port 25 from the firewall machine to the private network address of these machines, and I get a response from the mail servers, but if I try from outside the firewall I get no response. I configured pf.conf by cutting, pasting, and editing. Sections for the new domains/servers look like the sections for the functioning domains/servers. Obviously, I need some help, and will need to provide more detailed information. What should I do to get help from this NG??

Posting relevant information in this NG will generally generate help.

Did you reload the ruleset? pfctl -f /etc/pf.conf. What does tcpdump -nettti pflog0 say when you try to access from the outside? Beware that you must log.

EJ
-- 
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.

Thanks for the helpful response.

Here's what I get with tcpdump, when I try an address in my IP block that I expect should be blocked:

    Nov 02 09:56:36.834464 rule 3/0(match): block in on rl0: 68.58.115.214.3917 > 64.72.133.30.25: S 2523218479:2523218479(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

This shows that pf is working and logging.

When I try an address that I expect will work, tcpdump has no output, suggesting that the packets pass the filter, as I would expect. So, perhaps the problem is elsewhere. What else might I check on?

"erik" <erik@geenspam.vanwesten.net> wrote in message news:3fa51356$0$58711$e4fe514c@news.xs4all.nl...
> Dan Bent wrote:
>
> > I've been running an OpenBSD firewall for a couple of years now. I don't always run the latest OS version, I'm running v3.2. I'm hosting servers for several domains behind the firewall, and had no trouble setting up unique IP addresses and managing ports for the first 5 servers/domains I configured, so I began to think I knew what I was doing. However, I recently tried to add two more servers/domains, and I can't seem to get through the firewall to them. For example, I can telnet to port 25 from the firewall machine to the private network address of these machines, and I get a response from the mail servers, but if I try from outside the firewall I get no response. I configured pf.conf by cutting, pasting, and editing. Sections for the new domains/servers look like the sections for the functioning domains/servers. Obviously, I need some help, and will need to provide more detailed information. What should I do to get help from this NG??
>
> Posting relevant information in this NG will generally generate help.
>
> Did you reload the ruleset? pfctl -f /etc/pf.conf. What does tcpdump -nettti pflog0 say when you try to access from the outside? Beware that you must log.
>
> EJ
> -- 
> Remove the obvious part (including the dot) for my email address.
> http://www.vanwesten.net for examples of ipf and pf.

Dan Bent wrote:

> Thanks for the helpful response.
>
> Here's what I get with tcpdump, when I try an address in my IP block that I expect should be blocked:
>
>     Nov 02 09:56:36.834464 rule 3/0(match): block in on rl0: 68.58.115.214.3917 > 64.72.133.30.25: S 2523218479:2523218479(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>
> This shows that pf is working and logging.
>
> When I try an address that I expect will work, tcpdump has no output, suggesting that the packets pass the filter, as I would expect. So, perhaps the problem is elsewhere. What else might I check on?

Ok, so use tcpdump on the incoming and outgoing interfaces to see if the packets really pass the firewall.

Hmmm, you did configure the default gateway on the new machines, didn't you?

BTW, please don't top-post, it gets very hard to follow what's going on...

HTH,

EJ
-- 
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.

OK, now we're making some progress. Again, using an IP that is working, and one that is not working, I enabled logging of inbound packets on port 25. Sure enough, I see the ones for the IP that is working, but not the ones for the IP that is not working. So, I'm not getting those packets into the firewall. Traceroute shows that the packets seem to be bouncing back and forth between two routers.

I think I'm close to finding the problem, and it doesn't seem to be the firewall at all! Big thanks for all your help.

"erik" <erik@geenspam.vanwesten.net> wrote in message news:3fa52c1d$0$58704$e4fe514c@news.xs4all.nl...
> Dan Bent wrote:
>
> > Thanks for the helpful response.
> >
> > Here's what I get with tcpdump, when I try an address in my IP block that I expect should be blocked:
> >
> >     Nov 02 09:56:36.834464 rule 3/0(match): block in on rl0: 68.58.115.214.3917 > 64.72.133.30.25: S 2523218479:2523218479(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
> >
> > This shows that pf is working and logging.
> >
> > When I try an address that I expect will work, tcpdump has no output, suggesting that the packets pass the filter, as I would expect. So, perhaps the problem is elsewhere. What else might I check on?
>
> Ok, so use tcpdump on the incoming and outgoing interfaces to see if the packets really pass the firewall.
>
> Hmmm, you did configure the default gateway on the new machines, didn't you?
>
> BTW, please don't top-post, it gets very hard to follow what's going on...
>
> HTH,
>
> EJ
> -- 
> Remove the obvious part (including the dot) for my email address.
> http://www.vanwesten.net for examples of ipf and pf.

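The triage erik suggests (watch pflog0 with tcpdump, and make sure the rules carry log) and the comparison Dan ran above (a working and a non-working address, inbound port 25 logged on both) can be scripted. The block below is an added example written for this page, not code from the thread or from OpenBSD. It parses tcpdump pflog0 lines in the exact shape of the line Dan posted and, for a list of destination addresses, reports whether inbound port-25 traffic was logged as passed, logged as blocked, or not seen at all. The "not seen" verdict is the one to be careful with: it only means no rule with log matched, which is either a pass rule without log (the reason Dan had to turn logging on) or a packet that never reached the external interface (Dan's routing loop). The block entry in the sample is the one from Dan's post; the two pass entries, rule number 7 and the TEST-NET addresses are constructed for the example, and the line format itself is an assumption drawn from that single posted line.

```python
import re
from collections import defaultdict

# Line shape copied from the "tcpdump -nettti pflog0" output in Dan's post
# (OpenBSD 3.x).  Assumption: every logged packet is printed as
#   <timestamp> rule N/M(reason): <pass|block> <in|out> on <if>: src.sport > dst.dport: ...
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)

# Constructed sample: the first line is the block entry quoted in the thread;
# the two pass entries (rule 7) and the TEST-NET addresses are made up here.
SAMPLE_PFLOG = """\
Nov 02 09:56:36.834464 rule 3/0(match): block in on rl0: 68.58.115.214.3917 > 64.72.133.30.25: S 2523218479:2523218479(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
Nov 02 09:57:01.112233 rule 7/0(match): pass in on rl0: 198.51.100.9.4021 > 192.0.2.10.25: S 1:1(0) win 16384 <mss 1460> (DF)
Nov 02 09:57:05.000001 rule 7/0(match): pass in on rl0: 198.51.100.9.4022 > 192.0.2.10.25: S 2:2(0) win 16384 <mss 1460> (DF)
"""


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def triage(lines, expected_dsts, port=25, direction="in"):
    """Classify each expected destination by what pflog recorded for <dst>:<port>.

    Returns, per address, "pass by rule N" or "block by rule N" (comma-joined
    when several rules fired) or "not seen".  "not seen" is not proof that the
    packet passed: it only means no rule carrying 'log' matched, so either the
    pass rule lacks 'log' or the packet never reached this interface at all.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["dport"] != port or rec["dir"] != direction:
            continue
        seen[rec["dst"]].append(rec)

    report = {}
    for dst in expected_dsts:
        recs = seen.get(dst, [])
        if not recs:
            report[dst] = "not seen"
            continue
        outcomes = sorted({(r["action"], r["rule"]) for r in recs})
        report[dst] = ", ".join(f"{action} by rule {num}" for action, num in outcomes)
    return report


if __name__ == "__main__":
    # One blocked host, one passed host, one host that never shows up in pflog.
    hosts = ["64.72.133.30", "192.0.2.10", "192.0.2.11"]
    for dst, verdict in triage(SAMPLE_PFLOG.splitlines(), hosts).items():
        print(f"{dst:16} {verdict}")
```

triage() accepts any iterable of lines, so on the firewall itself the natural use is to pipe tcpdump -nettti pflog0 into sys.stdin and hand that to triage() with the list of public addresses you expect to serve. If an address comes back "not seen" after you have added log to its pass rule and reloaded with pfctl -f /etc/pf.conf, the next step is the one erik gave: tcpdump on the external interface itself, which is what showed Dan that the packets never arrived.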
Dan Bent wrote:

> OK, now we're making some progress. Again, using an IP that is working, and one that is not working, I enabled logging of inbound packets on port 25. Sure enough, I see the ones for the IP that is working, but not the ones for the IP that is not working. So, I'm not getting those packets into the firewall. Traceroute shows that the packets seem to be bouncing back and forth between two routers.

I wouldn't have expected otherwise apart from configuration errors. ;-)

> I think I'm close to finding the problem, and it doesn't seem to be the firewall at all! Big thanks for all your help.

You're welcome.

EJ
-- 
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.

Dan Bent wrote:

> OK, now we're making some progress. Again, using an IP that is working, and one that is not working, I enabled logging of inbound packets on port 25. Sure enough, I see the ones for the IP that is working, but not the ones for the IP that is not working. So, I'm not getting those packets into the firewall. Traceroute shows that the packets seem to be bouncing back and forth between two routers.
>
> I think I'm close to finding the problem, and it doesn't seem to be the firewall at all! Big thanks for all your help.

I wouldn't have expected otherwise apart from configuration errors. ;-)

You're welcome. This is just basic debugging...

EJ
-- 
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.