Jesse Guardiani wrote:
> Hello,
>
> I just placed a 1.2b3 4801 in production today as
> a transparent filtering bridge. Neither WAN nor
> OPT1 have an IP, and they are bridged together.
>
> The LAN interface has the subnet 63.99.6.230/27.
>
> Both the LAN interface and the OPT1 interface are
> plugged into the same switch. OPT1 is plugged into
> the uplink port and LAN is plugged into a regular
> port. The switch is a Cisco Catalyst 1900 series.
>
> Here are my interfaces:
>
> <interfaces>
>   <lan>
>     <if>sis2</if>
>     <ipaddr>63.99.6.230</ipaddr>
>     <subnet>27</subnet>
>     <media/>
>     <mediaopt/>
>   </lan>
>   <wan>
>     <if>sis0</if>
>     <mtu/>
>     <media/>
>     <mediaopt/>
>     <spoofmac/>
>   </wan>
>   <opt1>
>     <if>sis1</if>
>     <descr>OPT1</descr>
>     <ipaddr/>
>     <subnet>31</subnet>
>     <bridge>wan</bridge>
>     <enable/>
>   </opt1>
> </interfaces>
>
>
> I have the following rules, ONLY:
>
> <filter>
>   <rule>
>     <type>pass</type>
>     <interface>wan</interface>
>     <source>
>       <any/>
>     </source>
>     <destination>
>       <any/>
>     </destination>
>     <descr>WAN: ALL -> ALL</descr>
>   </rule>
>   <rule>
>     <type>pass</type>
>     <interface>opt1</interface>
>     <source>
>       <any/>
>     </source>
>     <destination>
>       <any/>
>     </destination>
>     <descr>OPT1: ALL -> ALL</descr>
>   </rule>
>   <rule>
>     <type>pass</type>
>     <interface>lan</interface>
>     <source>
>       <any/>
>     </source>
>     <destination>
>       <any/>
>     </destination>
>     <descr>LAN any -> LAN any</descr>
>   </rule>
>   <tcpidletimeout/>
> </filter>
>
> HOWEVER, I can't access the LAN IP from a subnet
> other than 63.99.6.230/27! To track down the problem,
> I ran ipfstat from exec.php:
>
> $ ipfstat -o
> pass out quick on lo0 from any to any
> pass out quick on sis2 proto udp from 63.99.6.230/32 port = 67 to any port = 68
> pass out quick on sis0 proto udp from any port = 68 to any port = 67
> pass out quick on sis2 from any to any keep state
> pass out quick on sis0 from any to any keep state
> pass out quick on sis1 from any to any keep state
> block out log quick from any to any
>
> $ ipfstat -i
> pass in quick on lo0 from any to any
> block in log quick from any to any with short
> block in log quick from any to any with ipopt
> pass in quick on sis2 proto udp from any port = 68 to 255.255.255.255/32 port = 67
> pass in quick on sis2 proto udp from any port = 68 to 63.99.6.230/32 port = 67
> block in log quick on sis0 from 63.99.6.224/27 to any
> block in log quick on sis0 proto udp from any port = 67 to 63.99.6.224/27 port = 68
> pass in quick on sis0 proto udp from any port = 67 to any port = 68
> block in log quick on sis2 from !63.99.6.224/27 to any
> skip 1 in proto tcp from any to any flags S/FSRA
> block in log quick proto tcp from any to any
> block in log quick on sis2 from any to any head 100
> pass in quick from 63.99.6.224/27 to 63.99.6.230/32 keep state group 100
> pass in quick from any to any keep state group 100
> block in log quick on sis0 from any to any head 200
> pass in quick from any to any keep state group 200
> block in log quick on sis1 from any to any head 300
> pass in quick from any to any keep state group 300
> block in log quick from any to any
>
> I got the idea from this post:
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=71&actionargs[]=24
>
> It looks like there is perhaps a long-standing bug in
> the ruleset generation code. sis2 is my LAN interface.
> I don't think this input rule should be there:
>
> block in log quick on sis2 from !63.99.6.224/27 to any
>
> I can actually see my incoming port 8082 connections
> being blocked on the LAN interface from my logs, so
> I know this rule is effective. How do I remove it?

I know this was a long post, but could someone take a look at it? I think it may be an important bug/gotcha.

--
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v) 423-559-5145 (f)
http://www.wingnet.net
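To see why that one rule is enough to drop the port-8082 connections, here is an added example (not part of the post, and not m0n0wall or ipfilter code) that replays ipfilter's first-match "quick" semantics over a constructed three-rule excerpt of the quoted `ipfstat -i` listing. The simplified parser, the packet addresses 198.51.100.7 and 63.99.6.231, and the omission of the port, skip and head/group rules are assumptions made to keep the example short.

```python
import ipaddress

# Constructed excerpt of the quoted "ipfstat -i" listing: three of the rules
# that run before the head/group rules. A "quick" match ends evaluation.
RULESET = """\
pass in quick on lo0 from any to any
block in log quick on sis0 from 63.99.6.224/27 to any
block in log quick on sis2 from !63.99.6.224/27 to any""".splitlines()

def parse_rule(line):
    # Handles only the keywords used in RULESET (no ports, groups or skip).
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t, "iface": None,
         "proto": None, "src": (None, False), "dst": (None, False)}
    i = 2
    while i < len(t):
        if t[i] in ("on", "proto"):
            r["iface" if t[i] == "on" else "proto"] = t[i + 1]
            i += 2
        elif t[i] in ("from", "to"):
            a, neg = t[i + 1].lstrip("!"), t[i + 1].startswith("!")
            net = None if a == "any" else ipaddress.ip_network(a, strict=False)
            r["src" if t[i] == "from" else "dst"] = (net, neg)
            i += 2
        else:
            i += 1  # log, quick, keep, state ...
    return r
def addr_ok(spec, ip):
    net, negated = spec
    inside = net is None or ipaddress.ip_address(ip) in net
    return inside != negated  # "!net" matches only addresses outside net
def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"])
            and addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"]))

def verdict(pkt):
    # First matching "quick" rule decides; None means the packet would fall
    # through to the head/group rules this excerpt leaves out.
    for line in RULESET:
        r = parse_rule(line)
        if r["quick"] and matches(r, pkt):
            return r["action"], line
    return None

# Constructed packets: the port-8082 connection to the LAN address on sis2,
# from a host outside the /27 and from a host inside it.
OUTSIDE = {"dir": "in", "iface": "sis2", "proto": "tcp",
           "src": "198.51.100.7", "dst": "63.99.6.230"}
INSIDE = dict(OUTSIDE, src="63.99.6.231")
```

`verdict(OUTSIDE)` stops at the anti-spoof rule with a block, while `verdict(INSIDE)` returns None because the same packet from inside the /27 falls through to the group 100 pass rules.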