ipf problems
From: Eric Enright (eric.enright_at_gmail.com)
Date: 04/16/05
Date: Sat, 16 Apr 2005 14:44:34 -0500
I'm experiencing a weird problem with ipfilter/ipnat. I am forwarding
some ports (specifically Apache is where this cropped up first) with
my router, which is a sparc running S10 FCS.
The problem is, the router is randomly refusing the connections.
Only about half of them make it through fine. The router is not under
heavy load, on average handling ~250 connections at a time. Watching
with snoop, I can see that these connection attempts are never
being forwarded to the internal machine at all.
This issue seems to be restricted to ports I am forwarding.
Here is some relevant configuration:
# ipf.conf
# mxfe0 is the external interface, hme0 the internal
# trust internal devices
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on hme0 all
pass out quick on hme0 all
# default to blocking everything else
block in all
block out all
# allow new outbound connections
pass out quick on mxfe0 proto tcp from any to any keep state keep frags
pass out quick on mxfe0 proto udp from any to any keep state keep frags
pass out quick on mxfe0 proto icmp from any to any keep state
# redirected ports
pass in quick on mxfe0 proto tcp from any to any port = 80 flags S keep state
# ipnat.conf
map mxfe0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map mxfe0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map mxfe0 192.168.0.0/24 -> 0/32
rdr mxfe0 0.0.0.0/0 port 80 -> 192.168.0.120 port 80
Any ideas?
Thanks,
Eric
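As an added example (not from Eric's post and not IPFilter's own code), here is a small Python model of how ipf walks the ipf.conf above: rules are evaluated top to bottom, the last matching rule wins, and a matching rule marked quick ends the walk at once. It models only the rule syntax used in the post and leaves out the state and NAT tables that real ipf consults before this walk, so it shows which rule decides a fresh inbound SYN to port 80 on mxfe0 versus a non-SYN segment or a SYN to another port.

```python
# Added example (not part of the original post): a simulator of IPFilter's rule
# order run over the ipf.conf above; models only that syntax, no state/NAT tables.
import re

RULESET = """
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on hme0 all
pass out quick on hme0 all
block in all
block out all
pass out quick on mxfe0 proto tcp from any to any keep state keep frags
pass out quick on mxfe0 proto udp from any to any keep state keep frags
pass out quick on mxfe0 proto icmp from any to any keep state
pass in quick on mxfe0 proto tcp from any to any port = 80 flags S keep state
"""

def parse_rules(text):
    """Parse each rule into a dict of the match criteria it carries."""
    rules = []
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if not toks:
            continue
        m = re.search(r"port\s*=\s*(\d+)", line)
        rules.append({
            "action": toks[0], "dir": toks[1], "quick": "quick" in toks,
            "iface": toks[toks.index("on") + 1] if "on" in toks else None,
            "proto": toks[toks.index("proto") + 1] if "proto" in toks else None,
            "dport": int(m.group(1)) if m else None,
            # 'flags S' matches only pure SYNs, i.e. connection openers
            "syn_only": "flags" in toks and toks[toks.index("flags") + 1] == "S",
        })
    return rules

def matches(r, pkt):
    return (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"]) and r["dport"] in (None, pkt.get("dport"))
            and (not r["syn_only"] or pkt.get("syn", False)))

def decide(rules, pkt):
    """IPFilter semantics: the LAST matching rule wins, unless a matching rule
    is 'quick', which ends evaluation at once. No match at all means pass."""
    verdict = ("pass", None)
    for i, r in enumerate(rules):
        if matches(r, pkt):
            verdict = (r["action"], i)
            if r["quick"]:
                break
    return verdict
```

Calling decide(parse_rules(RULESET), pkt) with a dict describing the packet (dir, iface, proto, dport, syn) returns the verdict and the index of the deciding rule, which is a quick way to confirm on paper which rule a given inbound connection attempt should hit before looking at the state table.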