OSEC

From: Andreas Schuldei (andreasschuldei.org)
Date: Tue Apr 03 2001 - 03:18:46 CDT


    I am not sure what I did to break this box. It was working fine before
    I added the third network card (ne1) for the transparent bridge
    for remote logging.

    I was able to ping (and do other stuff) from the internal network
    to the world. Now I can only ping the world from the firewall.
    Network traffic to the firewall is no problem. It just looks like
    the thing does not forward anything.

    And in /etc/sysctrl I do have
    net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets

    I also activated ipfilter and ipnat in rc.conf

    netstat -rn
    Routing tables

    Internet:
    Destination Gateway Flags Refs Use Mtu Interface
    default 195.198.203.113 UGS 3 9525 1500 ep0
    10.1.2/24 link#1 UC 0 0 1500 xl0
    10.1.2.2 link#1 UHL 1 28 1500 xl0
    10.1.2.198 link#1 UHL 2 0 1500 xl0
    10.1.2.199 link#1 UHL 2 0 1500 xl0
    10.1.3.0/29 10.1.2.199 UGS 0 0 1500 xl0
    10.1.3.8/29 10.1.2.199 UGS 0 0 1500 xl0
    127/8 127.0.0.1 UGRS 0 0 32972 lo0
    127.0.0.1 127.0.0.1 UH 4 43 32972 lo0
    131.115.162.63/32 10.1.2.198 UGS 0 0 1500 xl0
    192.168.133/24 link#3 UC 0 0 1500 ne1
    193.44.158.36/32 10.1.2.198 UGS 0 0 1500 xl0
    195.198.203.112 127.0.0.1 UGHS 0 0 32972 lo0 =>
    195.198.203.112/29 link#2 UC 0 0 1500 ep0
    195.198.203.113 0:2:b9:a5:ac:30 UHL 1 0 1500 ep0
    224/4 127.0.0.1 URS 0 0 32972 lo0

    block in on ep0
    block in quick on ep0 from 0.0.0.0/32 to any
    block in quick on ep0 from any to 255.255.255.255/32
     
    # spoofing protection
    block in quick on ep0 from 192.168.0.0/16 to any
    block in quick on ep0 from 172.16.0.0/12 to any
    block in quick on ep0 from 10.0.0.0/8 to any
    block in quick on ep0 from 127.0.0.0/8 to any
    block in log quick on ep0 from 195.198.203.114/32 to any
     
    pass out quick on ep0 proto tcp/udp from any to any keep state
    pass out quick on ep0 proto icmp from any to any keep state
     
    pass in quick on ep0 proto tcp from any to 195.198.203.114/32 port = 22 flags S keep state
    pass in quick on ep0 proto tcp from any to 195.198.203.114/32 port = 25 flags S keep state
    pass in quick on ep0 proto tcp from any to 195.198.203.114/32 port = 113 flags S keep state
     
    # Passing on isakmpd traffic from and to schuldei
    pass in on ep0 proto udp from 195.84.105.112/32 port = 500 to 195.198.203.114/32 port = 500
    pass out on ep0 proto udp from 195.198.203.114/32 port = 500 to 195.84.105.112/32 port = 500
     
    # Passing on isakmpd traffic from and to utilator
    pass in on ep0 proto udp from 195.84.181.91/32 port = 500 to 195.198.203.114/32 port = 500
    pass out on ep0 proto udp from 195.198.203.114/32 port = 500 to 195.84.181.91/32 port = 500
     
    # Passing on isakmpd traffic from and to frontyard
    pass in on ep0 proto udp from 194.236.153.216/32 port = 500 to 195.198.203.114/32 port = 500
    pass out on ep0 proto udp from 195.198.203.114/32 port = 500 to 194.236.153.216/32 port = 500
     
    # Passing on encrypted traffic from and to schuldei
    pass in quick on ep0 proto esp from 195.84.105.112/32 to 195.198.203.114/32
    pass out quick on ep0 proto esp from 195.198.203.114/32 to 195.84.105.112/32
     
    # Passing on encrypted traffic from and to utilator
    pass in quick on ep0 proto esp from 195.84.181.91/32 to 195.198.203.114/32
    pass out quick on ep0 proto esp from 195.198.203.114/32 to 195.84.181.91/32
     
    # Passing on encrypted traffic from and to frontyard
    pass in quick on ep0 proto esp from 194.236.153.216/32 to 195.198.203.114/32
    pass out quick on ep0 proto esp from 195.198.203.114/32 to 194.236.153.216/32

    # Allow packets to pass from the internal (local) side of the VPN
    # to the internal (remote) side of the VPN. This traffic will get
    # encapsulated within the VPN tunnel on enc0 before going
    # out the physical interface.
     
    pass out quick on xl0 from 192.168.31.0/24 to 10.1.2.0/24
    pass in quick on xl0 from 10.1.2.0/24 to 192.168.31.0/24
     
    pass out quick on xl0 from 10.0.1.0/24 to 10.1.2.0/24
    pass in quick on xl0 from 10.1.2.0/24 to 10.0.1.0/24
     
    pass out quick on xl0 from 192.168.1.0/24 to 10.1.2.0/24
    pass in quick on xl0 from 10.1.2.0/24 to 192.168.1.0/24
     
    # If packets are on the encrypted interface, enc0, they have been
    # authenticated / decrypted. Pass them.
    pass in quick on enc0
    pass out quick on enc0

    map ep0 10.1.2.0/24 -> 195.198.203.114/32 proxy port ftp ftp/tcp
    map ep0 10.1.2.0/24 -> 195.198.203.114/32 portmap tcp/udp 40000:60000
    map ep0 10.1.2.0/24 -> 195.198.203.114/32

    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT (10baseT half-duplex)
            inet 10.1.2.1 netmask 0xffffff00 broadcast 10.1.2.255
            inet6 fe80::2a0:24ff:fee5:4a38%xl0 prefixlen 64 scopeid 0x1
    ep0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT
            status: active
            inet 195.198.203.114 netmask 0xfffffff8 broadcast 195.198.203.119
            inet6 fe80::2a0:24ff:fe7a:1f50%ep0 prefixlen 64 scopeid 0x2
    ne1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet manual
            inet 192.168.133.2 netmask 0xffffff00 broadcast 192.168.133.255
            inet6 fe80::260:52ff:fe03:5358%ne1 prefixlen 64 scopeid 0x3

    OpenBSD 2.8-current (GENERIC) #571: Wed Mar 14 20:17:01 MST 2001
        deraadti386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: Intel Pentium II (Klamath) ("GenuineIntel" 686-class, 512KB L2 cache) 266 MHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SYS,MTRR,PGE,MCA,CMOV,MMX
    real mem = 66695168 (65132K)
    avail mem = 56635392 (55308K)
    using 839 buffers containing 3436544 bytes (3356K) of memory
    mainbus0 (root)
    bios0 at mainbus0: AT/286+(00) BIOS, date 04/08/97, BIOS32 rev. 0 0xfd9f0
    apm0 at bios0: Power Management spec V1.2 (BIOS mgmt disabled) (BIOS managing devices)
    apm0: AC on, battery charge unknown
    pcibios0 at bios0: rev. 2.1 0xf0000/0x10000
    pcibios0: PCI BIOS has 6 Interrupt Routing table entries
    pcibios0: PCI bus #0 is the last bus
    bios0: ROM list: 0xc0000/0x8000 0xe9000/0x1000! 0xea000/0x2000
    pci0 at mainbus0 bus 0: configuration mode 1 (bios)
    pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
    pcib0 at pci0 dev 7 function 0 "Intel 82371SB PCI-ISA" rev 0x01
    pciide0 at pci0 dev 7 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
    wd0 at pciide0 channel 0 drive 0: <IBM-DHEA-36480>
    wd0: 16-sector PIO, LBA, 6150MB, 12496 cyl, 16 head, 63 sec, 12595968 sectors
    pciide0: channel 0 interrupting at irq 14
    wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
    atapiscsi0 at pciide0 channel 1
    scsibus0 at atapiscsi0: 2 targets
    cd0 at scsibus0 targ 0 lun 0: <NEC, CD-ROM DRIVE:285, 3.05> SCSI0 5/cdrom removable
    pciide0: channel 1 interrupting at irq 15
    cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
    vga1 at pci0 dev 11 function 0 "S3 Trio32/64" rev 0x00
    wsdisplay0 at vga1: console (80x25, vt100 emulation)
    wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
    xl0 at pci0 dev 15 function 0 "3Com 3c900 10Mbps-Combo" rev 0x00: irq 9 address 00:a0:24:e5:4a:38
    xl0: selecting 10baseT transceiver, half duplex
    ep0 at pci0 dev 19 function 0 "3Com 3c590 10Mbps" rev 0x00: address 00:a0:24:7a:1f:50, utp/aui/bnc default utp irq 9
    isa0 at pcib0
    isadma0 at isa0
    pckbc0 at isa0 port 0x60/5
    pckbd0 at pckbc0 (kbd slot)
    pckbc0: using irq 1 for kbd slot
    wskbd0 at pckbd0: console keyboard, using wsdisplay0
    ne1 at isa0 port 0x300/32 irq 10
    ne1: NE2000 Ethernet
    ne1: address 00:60:52:03:53:58
    eg0: can't map I/O space
    pcppi0 at isa0 port 0x61
    midi0 at pcppi0: <PC speaker>
    sysbeep0 at pcppi0
    npx0 at isa0 port 0xf0/16: using exception 16
    fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
    fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
    biomask c040 netmask c640 ttymask c642
    pctr: 686-class user-level performance counters enabled
    mtrr: Pentium Pro MTRR support
    dkcsum: wd0 matched BIOS disk 80
    root on wd0a
    rootdev=0x0 rrootdev=0x300 rawdev=0x302
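As an added diagnostic aid, not code from the original post: a small Python walk over a trimmed, constructed subset of the posted ipf rules that applies ipf's last-match-wins and `quick` semantics to the internal-to-internet path the poster describes. Only the rule forms used in the post are parsed, and NAT and the state table are not modelled, so it answers one narrow question: what the pass/block rules alone decide on each hop.

```python
import ipaddress
# Constructed sample: the subset of the poster's ipf rules that bears on the
# internal -> internet forward path (enc0, ESP, ISAKMP and icmp rules omitted).
RULESET = """
block in on ep0
block in quick on ep0 from 10.0.0.0/8 to any
pass out quick on ep0 proto tcp/udp from any to any keep state
pass in quick on ep0 proto tcp from any to 195.198.203.114/32 port = 22 flags S keep state
pass in quick on xl0 from 10.1.2.0/24 to 192.168.31.0/24
"""
def parse_rule(line):
    """Pick out action, direction, quick, interface, proto, src/dst and a dest port."""
    t = line.split()
    rule = {"action": t[0], "dir": t[1], "quick": "quick" in t, "port": None}
    rule["iface"] = t[t.index("on") + 1] if "on" in t else None
    rule["proto"] = set(t[t.index("proto") + 1].split("/")) if "proto" in t else None
    rule["src"] = t[t.index("from") + 1] if "from" in t else "any"
    rule["dst"] = t[t.index("to") + 1] if "to" in t else "any"
    if "port" in t:  # written as "port = N" in the post; other port forms not handled
        rule["port"] = int(t[t.index("port") + 2])
    return rule

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def rule_matches(r, pkt):
    if r["dir"] != pkt["dir"] or (r["iface"] and r["iface"] != pkt["iface"]):
        return False
    if r["proto"] and pkt["proto"] not in r["proto"]:
        return False
    if r["port"] is not None and pkt.get("dport") != r["port"]:
        return False
    return addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])

def evaluate(rules, pkt):
    """ipf walk: last match wins, a matching 'quick' rule ends the walk, no match passes."""
    verdict = "pass"
    for r in rules:
        if rule_matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

def forward_path(rules, src, dst, proto="tcp", dport=80):
    """Verdicts on both hops of a packet in on xl0 and out on ep0 (NAT/state not modelled)."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return (evaluate(rules, dict(pkt, dir="in", iface="xl0")),
            evaluate(rules, dict(pkt, dir="out", iface="ep0")))
RULES = [parse_rule(l) for l in RULESET.strip().splitlines()]
```

For this subset the walk reports pass on both hops for a 10.1.2.x host reaching the outside, so the pass/block rules themselves are not what stops forwarding; that points the investigation at ip.forwarding actually taking effect, the ipnat map, or the new bridge configuration instead.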