OSEC

From: Peter N. M. Hansteen (peter_at_skapet.datadok.no)
Date: Wed Jan 22 2003 - 22:12:07 CST


    After my old Linux home gateway broke down over too many electrical horrors,
    I thought it was time to finally get that part of my home network into the
    OpenBSD fold. Only the gateway is stubbornly refusing to forward any packets!

    The setup is simple. xl0 is the outer interface, which shows up in dmesg as

    xl0 at pci0 dev 9 function 0 "3Com 3c905C 100Base-TX" rev 0x74: irq 9 address 00:04:76:22:e3:bc
    exphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6

    and ifconfig as

    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:04:76:22:e3:bc
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 194.54.107.19 netmask 0xfffffff8 broadcast 194.54.107.23
            inet6 fe80::204:76ff:fe22:e3bc%xl0 prefixlen 64 scopeid 0x1

    xl1 is the inner interface, dmesg shows

    xl1 at pci0 dev 10 function 0 "3Com 3c905B 100Base-TX" rev 0x30: irq 10 address 00:10:5a:86:18:2c
    exphy1 at xl1 phy 24: 3Com internal media interface

    and ifconfig

    xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:10:5a:86:18:2c
            media: Ethernet autoselect (10baseT)
            status: active
            inet 192.168.103.1 netmask 0xffffff00 broadcast 192.168.103.255
            inet6 fe80::210:5aff:fe86:182c%xl1 prefixlen 64 scopeid 0x2

    My /etc/sysctl.conf has the requisite line

    net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets

    -- I restrict myself to the old-fashioned IPv4 for now, which leads me
    to the next piece of evidence, my /etc/pf.conf (yes, I have pf=YES in /etc/rc.conf),
    which has been reduced to

    nat on xl0 from 192.168.103.0/24 to any -> 194.54.107.17

    - but nothing gets through from anywhere on the inside to the outside world.
    I can ssh in to the gateway, and the gateway communicates with the outside world
    just fine. It's the gatewaying that for some reason just doesn't work. I'm convinced
    I've just overlooked something embarrassingly obvious here.

    pfctl -ss tells me typically (when tracerouting to a well-known web site in Norway):

    bash-2.05b# pfctl -ss
    tcp 192.168.103.1:22 <- 192.168.103.5:32772 ESTABLISHED:ESTABLISHED
    tcp 192.168.103.1:22 <- 192.168.103.5:32773 ESTABLISHED:ESTABLISHED
    udp 192.168.103.5:32768 -> 194.54.107.17:59105 -> 198.41.0.4:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:50471 -> 192.112.36.4:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:60193 -> 198.41.0.10:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:50258 -> 192.36.148.17:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:60529 -> 202.12.27.33:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:50521 -> 128.63.2.53:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:54656 -> 128.9.0.107:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:32768 -> 194.54.107.17:53618 -> 193.0.14.129:53 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:60548 -> 80.232.38.252:33508 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:64107 -> 80.232.38.252:33509 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:57785 -> 80.232.38.252:33510 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:53864 -> 80.232.38.252:33511 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:50879 -> 80.232.38.252:33512 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:58367 -> 80.232.38.252:33513 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:50271 -> 80.232.38.252:33514 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:64135 -> 80.232.38.252:33515 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:55843 -> 80.232.38.252:33516 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:59821 -> 80.232.38.252:33517 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:56775 -> 80.232.38.252:33518 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:56938 -> 80.232.38.252:33519 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:63271 -> 80.232.38.252:33520 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:64001 -> 80.232.38.252:33521 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:60890 -> 80.232.38.252:33522 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:62815 -> 80.232.38.252:33523 SINGLE:NO TRAFFIC
    udp 192.168.103.5:33952 -> 194.54.107.17:51581 -> 80.232.38.252:33524 SINGLE:NO TRAFFIC

    There must be a simple, obvious solution to this one.

    - P
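A small script to make a state table like the one in the post easier to read, added here as an example and not code from the poster: it parses `pfctl -ss` lines in the format shown above, separates states that never saw a reply (`NO TRAFFIC` on the reply side) from established ones, and lists any NAT translation address that is not among the IPv4 addresses the gateway holds on its interfaces. The three sample state lines and the interface address set are copied from the post's own `pfctl -ss` and `ifconfig` output; the script only reports what those lines show and is not a confirmed diagnosis of the problem.

```python
"""Sort `pfctl -ss` output into states that got a reply and states that did
not, and compare NAT translation addresses against the gateway's own.

Added example, not code from the original post.  The sample lines and the
interface addresses are copied from the post above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Three representative lines copied from the post's `pfctl -ss` output.
SAMPLE_STATES = """\
tcp 192.168.103.1:22 <- 192.168.103.5:32772 ESTABLISHED:ESTABLISHED
udp 192.168.103.5:32768 -> 194.54.107.17:59105 -> 198.41.0.4:53 SINGLE:NO TRAFFIC
udp 192.168.103.5:33952 -> 194.54.107.17:60548 -> 80.232.38.252:33508 SINGLE:NO TRAFFIC
"""

# IPv4 addresses the gateway holds, from the post's ifconfig output (xl0, xl1).
INTERFACE_ADDRS = {"194.54.107.19", "192.168.103.1"}

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
STATE_RE = re.compile(
    rf"^(?P<proto>\w+)\s+(?P<first>{IP}:\d+)\s+(?P<arrow>->|<-)\s+(?P<second>{IP}:\d+)"
    rf"(?:\s+(?:->|<-)\s+(?P<third>{IP}:\d+))?\s+(?P<state>\S.*)$"
)


@dataclass
class PfState:
    proto: str
    src: str                   # endpoint that initiated the connection
    dst: str                   # endpoint it was sent to
    translated: Optional[str]  # NAT address:port, only on three-address lines
    outbound: bool             # True for "->" lines (originated on the inside)
    state: str                 # e.g. "ESTABLISHED:ESTABLISHED", "SINGLE:NO TRAFFIC"

    @property
    def saw_reply(self) -> bool:
        # "NO TRAFFIC" on the reply side means pf never matched a return packet.
        return "NO TRAFFIC" not in self.state


def parse_states(text: str) -> List[PfState]:
    """Parse `pfctl -ss` lines; lines that do not match the format are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        outbound = m["arrow"] == "->"
        last = m["third"] or m["second"]
        if outbound:
            src, dst = m["first"], last
        else:
            # "<-" lists the local endpoint first and the remote originator second.
            src, dst = m["second"], m["first"]
        translated = m["second"] if m["third"] else None
        out.append(PfState(m["proto"], src, dst, translated, outbound, m["state"]))
    return out


def unanswered_outbound(states: List[PfState]) -> List[PfState]:
    """Outbound states for which pf never saw a packet coming back."""
    return [s for s in states if s.outbound and not s.saw_reply]


def foreign_nat_addrs(states: List[PfState], iface_addrs: Set[str]) -> Set[str]:
    """NAT translation addresses that are not configured on any interface."""
    return {s.translated.split(":")[0] for s in states
            if s.translated and s.translated.split(":")[0] not in iface_addrs}


def report(text: str, iface_addrs: Set[str]) -> List[str]:
    """Human-readable summary: unanswered states, then unconfigured NAT addresses."""
    states = parse_states(text)
    stuck = unanswered_outbound(states)
    lines = [f"{len(states)} states parsed, {len(stuck)} outbound without a reply"]
    for s in stuck:
        lines.append(f"  {s.proto} {s.src} via {s.translated} -> {s.dst}: {s.state}")
    for addr in sorted(foreign_nat_addrs(states, iface_addrs)):
        lines.append(f"NAT address {addr} is not configured on any interface")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_STATES, INTERFACE_ADDRS)))
```

Run against the full table from the post, every `->` line lands in the unanswered list and the one address it reports is the NAT target `194.54.107.17`, which `ifconfig` in the post does not show on xl0 (only `194.54.107.19`); whether that is the cause is for the poster to confirm, but it is the first mismatch the output makes visible.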