[geeks] ipfilter and qe card

Greg A. Woods woods at weird.com
Wed Jan 16 13:43:11 CST 2002


[ On Wednesday, January 16, 2002 at 07:25:46 (-0800), David Selders wrote: ]
> Subject: [geeks] ipfilter and qe card
>
> Ok.... I have tried everything I can think of to get this to work.  So
> I need some help.  I have an IPC that I want to use as a gateway for my DSL
> connection.  The IPC has a quad ethernet card in it (501-2062).  I can
> configure the interfaces on the card no problem.

VERY nice.  I wish I had the same for my SS2.  It would make an oh-so-much
better firewall/router than the stupid Pentium piece-of-crap box I have
doing the job now.  A quad card would even give me a spare port.
Trouble is finding a quad card here in Canada is none too cheap a
proposition.  The only good thing about the pentium is that it runs
SSH-2 reasonably fast.

>  I have installed
> ipfilter.
> 
> ipf -V
> ipf: IP Filter: v3.4.22 (244)
> Kernel: IP Filter: v3.4.22
> Running: yes
> Log Flags: 0 = none set
> Default: pass all, Logging: available
> Active list: 1

Very nice.  I really should upgrade my version of IP Filter too, but I'm
using NetBSD and the way they did the integration, an upgrade is a real
pain.

> Set up ipnat.conf and ipf.conf with rules.  I then fired up ipf and all
> appeared well.  Everything works great from the IPC itself.  The problem
> appears when using an internal machine.  From an internal machine you can
> ping, and traceroute out to the internet with no problem.  If you try
> and use a browser to surf the net it just loads a blank white page.
> When I try wget, I get "connection reset by peer".  FTP also fails.

What happens if you telnet to some remote host (e.g. to port 25 or 80)
and try to send/receive data?  FTP is the very last protocol you want to
mess with when testing any NAT/firewall.

Have you run 'tcpdump -n -vvv -i qe0' (i.e. looked at what's going out
your external interface)?


> The contents
> of my ipnat.conf are:
> 
> map qe0 192.168.1.0/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
> map qe0 192.168.1.0/24 -> a.b.c.d/32 portmap tcp/udp 30000:60000
> map qe0 192.168.1.0/24 -> a.b.c.d/32

You might want to use "0/32" instead of "a.b.c.d/32".  That way you
don't have to edit ipnat.conf if your external IP changes -- just run
"ipf -y".

What about the ipf.conf file?

Are you running "ipmon -D -a -s"?  What's showing up in your log files,
if anything?

> I have searched google to no end, so I am at a loss for what is going
> on.  I have most likely overlooked some minor detail knowing me.  So a
> second pair of eyes is greatly appreciated.

I presume you've read the entire IP-Filter site, and especially the
"how-to" linked from there....

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods at acm.org>;  <g.a.woods at ieee.org>;  <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
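An added example, not part of this thread or of IP Filter itself: a small lint script for the kind of ipnat.conf quoted above. It checks the two things the reply touches on, a hard-coded external address in `map` rules (where `0/32` tracks the interface address and `ipf -y` re-syncs it) and rule ordering, since ipnat applies the first `map` rule that matches, so a catch-all placed before the ftp proxy or portmap rules silently shadows them. The sample configs are constructed from the quoted rules; the `a.b.c.d` placeholder is the poster's masked address, and only the `map` syntax shown on the page is parsed.

```python
"""Lint ipnat.conf `map` rules for a hard-coded external address and for
rules shadowed by an earlier, broader rule.  Added example; assumes the
`map ifname src -> dst [proxy ...|portmap ...]` syntax from the quoted
config and ipnat's first-match semantics."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Matches the `map` form used in the quoted ipnat.conf; other rule types
# (rdr, bimap, ...) are outside the scope of this example and are skipped.
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)(?P<rest>.*)$"
)


@dataclass
class MapRule:
    line_no: int
    ifname: str
    src: str
    dst: str
    protos: Set[str] = field(default_factory=set)  # {"tcp","udp"}, {"tcp"} or {"any"}
    port_specific: bool = False                     # proxy rules match one service only


def _classify(rest: str) -> Tuple[Set[str], bool]:
    """Work out which traffic the trailing options restrict the rule to."""
    toks = rest.split()
    if not toks:                       # bare map: every protocol from src
        return {"any"}, False
    if toks[0] == "proxy":             # e.g. "proxy port ftp ftp/tcp"
        return {toks[-1].split("/")[-1]}, True
    if toks[0] == "portmap":           # e.g. "portmap tcp/udp 30000:60000"
        return set(toks[1].split("/")), False
    return {"any"}, False              # unknown option: treat as broad


def parse_ipnat(text: str) -> List[MapRule]:
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = MAP_RE.match(line) if line else None
        if not m:
            continue
        protos, port_specific = _classify(m["rest"].strip())
        rules.append(MapRule(n, m["ifname"], m["src"], m["dst"], protos, port_specific))
    return rules


def _covers(earlier: MapRule, later: MapRule) -> bool:
    """True if `earlier` would take every packet `later` was written for."""
    if earlier.ifname != later.ifname or earlier.src != later.src:
        return False
    if earlier.port_specific:          # a proxy rule only catches one service
        return False
    return "any" in earlier.protos or later.protos <= earlier.protos


def lint(rules: List[MapRule]) -> List[str]:
    findings = []
    for i, r in enumerate(rules):
        # 0/32 (or 0.0.0.0/32) follows the interface address; a literal
        # address has to be edited whenever the external IP changes.
        if not re.fullmatch(r"0(\.0\.0\.0)?/32", r.dst):
            findings.append(
                f"line {r.line_no}: external address {r.dst} is hard-coded; "
                "0/32 follows the interface address (re-sync with 'ipf -y')")
        # ipnat uses the first matching rule, so a broader earlier rule for
        # the same interface and source makes this one unreachable.
        for e in rules[:i]:
            if _covers(e, r):
                findings.append(
                    f"line {r.line_no}: never reached, shadowed by the map rule "
                    f"on line {e.line_no} (ipnat applies the first match)")
                break
    return findings


# Constructed sample: the quoted config, with the poster's masked address.
SAMPLE_AS_POSTED = """\
map qe0 192.168.1.0/24 -> a.b.c.d/32 proxy port ftp ftp/tcp
map qe0 192.168.1.0/24 -> a.b.c.d/32 portmap tcp/udp 30000:60000
map qe0 192.168.1.0/24 -> a.b.c.d/32
"""

# Constructed sample: same rules using 0/32, but with the catch-all first.
SAMPLE_MISORDERED = """\
map qe0 192.168.1.0/24 -> 0/32
map qe0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map qe0 192.168.1.0/24 -> 0/32 portmap tcp/udp 30000:60000
"""

if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_AS_POSTED), ("misordered", SAMPLE_MISORDERED)):
        print(f"== {name} ==")
        for finding in lint(parse_ipnat(cfg)) or ["no findings"]:
            print(" ", finding)
```

On the config as posted the only findings are the three hard-coded addresses; the order (ftp proxy, then portmap, then plain map) is the right one, because the first-match rule means the narrowest rules must come first. The shadowing check is the one to keep in mind when adding rules later.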