
RE: Very Annoying problem... blocks everything...

Doesn't matter what IP address on any interface you ping. All comes back
with the same thing.

I turned on logging to see what wasn't making and such. I'm seeing DNS
requests getting blocked...

Routing is not an issue. The packets (ICMP, et al) are getting blocked.

I do a pfctl -f /etc/pf.conf -e and I can't ping anything... I do a
pfctl -d to turn it off... and everything goes back to working just fine.

With one of them blocking ping packets when it shouldn't... take the
"server network" for example. It has full access to the firewall, and the
firewall has full access to it.
But it can't ping anything on that network...

-----Original Message-----
From: Daniel Hartmeier [mailto:daniel@benzedrine.cx]
Sent: Monday, December 16, 2002 5:27 PM
To: shawnm@iodamedia.net
Cc: sama@snowplow.org; pf@benzedrine.cx
Subject: Re: Very Annoying problem... blocks everything...

Your rule set is too large for me to debug without actually running it.
But you can debug it step by step yourself:

All your rules use 'quick', and you say the packets get blocked by the
last two 'block' rules. That means the packets don't match a 'pass' rule
that you expect them to match.

You'll have to go through all connections that don't work and follow the
same procedure, I'll just show it for the example you gave.

When you ping 64 from the firewall, what interface do
these pings get routed through? It's not clear from your pf.conf, but
it might be dc1.

What source IP address is the firewall using for the pings to You can run tcpdump on the interface they pass out
through to find out, if it's not clear from ifconfig output.

So, now you know what interface the pings should go out through and what
source and destination address they have.

Now go through all your 'pass on dc1' rules, manually. You assume one of
them should match these pings, but none of them does. That's why the
final 'block' rules are the first and last matching rules.

Maybe you forgot to allow a source or destination address on that
interface, or a protocol, etc.

I'd start with pinging hosts in all networks from the firewall, until
that works. Then ping hosts across networks, in all combinations.
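
The manual walk through the 'quick' rules described in the quoted message, as an added example that is not part of either e-mail and is not pf's own code: it reports, for one packet, which field made each rule fail to match and which rule finally decided. The rule set, the addresses (documentation ranges) and the field names are constructed for illustration; the model only compares direction, interface, protocol and addresses, and ignores state, NAT and everything else pf does.

```python
import ipaddress

# Constructed, simplified rule set: every rule is 'quick', so the first match decides.
RULES = [
    {"action": "pass", "dir": "in", "iface": "dc1", "proto": "icmp",
     "src": "192.0.2.0/24", "dst": "any"},
    {"action": "pass", "dir": "out", "iface": "dc1", "proto": "tcp",
     "src": "any", "dst": "192.0.2.0/24"},
    {"action": "block", "dir": "in", "iface": "any", "proto": "any",
     "src": "any", "dst": "any"},
    {"action": "block", "dir": "out", "iface": "any", "proto": "any",
     "src": "any", "dst": "any"},
]

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def mismatches(rule, pkt):
    """Return the fields of `rule` that `pkt` fails to match (empty list = match)."""
    bad = []
    for field in ("dir", "iface", "proto"):
        if rule[field] not in ("any", pkt[field]):
            bad.append(f"{field}: rule={rule[field]} packet={pkt[field]}")
    for field in ("src", "dst"):
        if not _addr_ok(rule[field], pkt[field]):
            bad.append(f"{field}: rule={rule[field]} packet={pkt[field]}")
    return bad

def trace(rules, pkt):
    """Walk the rules in order; return (index, action, skipped) for the first match."""
    skipped = []
    for i, rule in enumerate(rules):
        bad = mismatches(rule, pkt)
        if not bad:
            return i, rule["action"], skipped
        skipped.append((i, bad))
    return None, "pass", skipped  # pf passes a packet that matches no rule at all

# Constructed packet: a ping leaving the firewall through dc1.
PING_OUT = {"dir": "out", "iface": "dc1", "proto": "icmp",
            "src": "192.0.2.1", "dst": "192.0.2.64"}

if __name__ == "__main__":
    idx, action, skipped = trace(RULES, PING_OUT)
    for i, bad in skipped:
        print(f"rule {i} skipped -> " + "; ".join(bad))
    print(f"rule {idx} matched -> {action}")
```

Fill in the packet with the interface and addresses that tcpdump and ifconfig actually show; the skipped-rule output then names the direction, protocol or address that the expected 'pass' rule is missing.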