My servers Dreamer and Wren each have two interfaces, connected to two routers. The re0 interfaces are connected to the 192.168.14.* subnet, and the re1 interfaces are connected to the 192.168.1.* subnet. The 192.168.1.* subnet originates at a Verizon router, which is also upstream from an Asus router where the 192.168.14.* subnet originates.
I can ping Dreamer from Wren on 192.168.14.199 any time, whether ipfw is running or not. However, if I try to ping Dreamer from Wren on 192.168.1.199, it only works when ipfw is not running. That points a really suspicious finger at my ipfw configuration, and I've gone through so many rule combinations trying to get this to work that I'm at a loss to figure it out.
Ping success looks like this:
Code:
# ping 192.168.14.199
PING 192.168.14.199 (192.168.14.199): 56 data bytes
64 bytes from 192.168.14.199: icmp_seq=0 ttl=64 time=0.204 ms
64 bytes from 192.168.14.199: icmp_seq=1 ttl=64 time=0.188 ms
64 bytes from 192.168.14.199: icmp_seq=2 ttl=64 time=0.162 ms
64 bytes from 192.168.14.199: icmp_seq=3 ttl=64 time=0.160 ms
64 bytes from 192.168.14.199: icmp_seq=4 ttl=64 time=0.176 ms
64 bytes from 192.168.14.199: icmp_seq=5 ttl=64 time=0.176 ms
^C
--- 192.168.14.199 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.160/0.178/0.204/0.015 ms
Ping failure looks like this:
Code:
# ping 192.168.1.199
PING 192.168.1.199 (192.168.1.199): 56 data bytes
^C
--- 192.168.1.199 ping statistics ---
239 packets transmitted, 0 packets received, 100.0% packet loss
This is the ping target (Dreamer) that is not responding as expected:
Code:
# uname -a
FreeBSD Dreamer.FKEinternet.net 10.2-RELEASE FreeBSD 10.2-RELEASE #0: Mon Oct 5 23:53:36 EDT 2015 root@Dreamer.FKEinternet.com.:/usr/obj/usr/src/sys/GENERIC amd64
Right now I have these rules in the Dreamer (ping target) ipfw configuration:
Code:
# ipfw list | grep check
00101 check-state log
# ipfw list | grep icmp
00235 allow log icmp from me to any icmptypes 8 via re0
00236 allow log icmp from me to any icmptypes 8 via re1
00237 allow log icmp from any to me icmptypes 0 via re0
00238 allow log icmp from any to me icmptypes 0 via re1
00239 allow log icmp from any to me icmptypes 11 via re0
00240 allow log icmp from any to me icmptypes 11 via re1
00250 allow log icmp from any to any out via re0 keep-state
00251 allow log icmp from any to any out via re1 keep-state
00510 allow log icmp from any to any in via re0
00511 allow log icmp from any to any in via re1
In Dreamer's /var/log/security, I see entries such as these when ping is failing on 192.168.1.199:
Code:
Mar 26 10:53:25 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 10:53:26 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 10:53:27 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 10:53:28 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 10:53:29 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 10:53:30 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
When ping works on 192.168.14.199, I see entries such as these in Dreamer's /var/log/security:
Code:
Mar 26 11:05:00 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.14.201 192.168.14.199 in via re0
Mar 26 11:05:00 Dreamer kernel: ipfw: 250 Accept ICMP:8.0 192.168.14.201 192.168.14.199 in via re0
Mar 26 11:05:00 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:0.0 192.168.14.199 192.168.14.201 out via re0
Mar 26 11:05:00 Dreamer kernel: ipfw: 250 Accept ICMP:0.0 192.168.14.199 192.168.14.201 out via re0
In /etc/inetd.conf on Dreamer (the ping target) I have
Code:
echo stream tcp nowait root internal -l
echo stream tcp6 nowait root internal -l
echo dgram udp wait root internal -l
echo dgram udp6 wait root internal -l
(I added the "-l" flags to try to get logging to occur when adding the flag in /etc/rc.conf had no effect - and it didn't do anything here, either.)
In /etc/rc.conf on Dreamer I have
Code:
hostname="Dreamer.FKEinternet.net"
defaultrouter="192.168.1.1"
#
ifconfig_re0="inet 192.168.14.69 netmask 255.255.252.0"
ifconfig_re0_alias0="inet 192.168.14.253 netmask 255.255.252.0"
ifconfig_re0_alias1="inet 192.168.14.199 netmask 255.255.252.0"
ifconfig_re0_alias2="inet 192.168.14.202 netmask 255.255.252.0"
#
ifconfig_re1="inet 100.0.193.99 netmask 255.255.255.0"
ifconfig_re1_alias0="inet 192.168.1.199 netmask 255.255.255.0"
ifconfig_re1_alias1="inet 100.0.193.102 netmask 255.255.255.0"
ifconfig_re1_alias2="inet 192.168.1.202 netmask 255.255.255.0"
#
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255" # ns2 for second domain
#
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
firewall_logging="YES"
inetd_enable="YES"
inetd_flags="-l -d"
where adding the "-d" flag apparently prevented inetd from disconnecting from the console, and generated this output:
Code:
# service inetd restart
Stopping inetd.
Waiting for PIDS: 12630.
Starting inetd.
ADD : pop3 proto=tcp accept=1 max=0 user=root group=(null)class=daemon builtin=0x0 server=/usr/local/libexec/qpopper policy=""
inetd: pop3/tcp: ipsec initialization failed; in entrust
inetd: pop3/tcp: ipsec initialization failed; out entrust
inetd: enabling pop3, fd 4
inetd: registered /usr/local/libexec/qpopper on 4
ADD : pop3s proto=tcp accept=1 max=0 user=root group=(null)class=daemon builtin=0x0 server=/usr/local/libexec/qpopper policy=""
inetd: pop3s/tcp: ipsec initialization failed; in entrust
inetd: pop3s/tcp: ipsec initialization failed; out entrust
inetd: enabling pop3s, fd 5
inetd: registered /usr/local/libexec/qpopper on 5
ADD : echo proto=tcp accept=1 max=0 user=root group=(null)class=daemon builtin=0x60b6f0 server=internal policy=""
inetd: echo/tcp: ipsec initialization failed; in entrust
inetd: echo/tcp: ipsec initialization failed; out entrust
inetd: enabling echo, fd 6
inetd: registered internal on 6
ADD : echo proto=tcp accept=1 max=0 user=root group=(null)class=daemon builtin=0x60b6f0 server=internal policy=""
inetd: echo/tcp: ipsec initialization failed; in entrust
inetd: echo/tcp: ipsec initialization failed; out entrust
inetd: enabling echo, fd 7
inetd: registered internal on 7
ADD : echo proto=udp accept=1 max=1 user=root group=(null)class=daemon builtin=0x60b710 server=internal policy=""
inetd: echo/udp: ipsec initialization failed; in entrust
inetd: echo/udp: ipsec initialization failed; out entrust
inetd: enabling echo, fd 8
inetd: registered internal on 8
ADD : echo proto=udp accept=1 max=1 user=root group=(null)class=daemon builtin=0x60b710 server=internal policy=""
inetd: echo/udp: ipsec initialization failed; in entrust
inetd: echo/udp: ipsec initialization failed; out entrust
inetd: enabling echo, fd 9
inetd: registered internal on 9
(The inetd "-d" flag was a temporary experiment, not present during most of my testing, and now permanently removed.)
Are my ipfw rules for ICMP wrong, or is there something else going on that I'm not properly taking into account?
For bonus points, where is the inetd logging output going? ... and is there any documentation for the format and contents of the ipfw log entries in /var/log/security (e.g., what do all of those UNKNOWN marks mean)?
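As an added example (not part of the original post), the script below groups the quoted /var/log/security lines by flow and reports the last rule that logged each one; the UNKNOWN label is what ipfw's kernel logger prints for rule actions it has no name for, check-state among them, and a packet matched by a dynamic state is logged under the number of the keep-state rule that created the state (hence "250 Accept ... in via re0" although rule 250 says "out"). A flow whose last logged line is the check-state rule was therefore accepted or dropped by a later rule that carries no log keyword; the log lines are copied from the post and the check-state rule number 101 is taken from it.

```python
import re
from collections import OrderedDict

# Sample input: the /var/log/security lines quoted in the post
# (two of the failing re1 lines, and the four working re0 lines).
LOG_LINES = """\
Mar 26 10:53:25 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 10:53:26 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.1.201 192.168.1.199 in via re1
Mar 26 11:05:00 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:8.0 192.168.14.201 192.168.14.199 in via re0
Mar 26 11:05:00 Dreamer kernel: ipfw: 250 Accept ICMP:8.0 192.168.14.201 192.168.14.199 in via re0
Mar 26 11:05:00 Dreamer kernel: ipfw: 101 UNKNOWN ICMP:0.0 192.168.14.199 192.168.14.201 out via re0
Mar 26 11:05:00 Dreamer kernel: ipfw: 250 Accept ICMP:0.0 192.168.14.199 192.168.14.201 out via re0
"""

# After "ipfw:" the kernel prints: rule number, action label,
# PROTO[:type.code], source, destination, direction, "via", interface.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(line):
    """Return the ipfw fields of one syslog line, or None if it is not ipfw."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None

def verdicts(log_text, check_state_rule="101"):
    """Map each flow (proto, src, dst, dir, iface) to its last logged verdict.

    The check-state rule logs every packet it examines, so if it is the
    last rule seen for a flow, no dynamic state matched and the rule that
    finally accepted or denied the packet did not carry 'log'."""
    last = OrderedDict()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["src"], rec["dst"], rec["dir"], rec["iface"])
        last[key] = rec
    report = OrderedDict()
    for key, rec in last.items():
        if rec["rule"] == check_state_rule:
            report[key] = "decided by an unlogged rule after check-state"
        else:
            report[key] = "%s by rule %s" % (rec["action"], rec["rule"])
    return report

if __name__ == "__main__":
    for flow, verdict in verdicts(LOG_LINES).items():
        print("%-8s %-15s -> %-15s %3s via %s: %s" % (flow + (verdict,)))
```

Note that `ipfw list | grep icmp` only shows rules written with the icmp keyword; a rule between 101 and 511 written with ip or all is as invisible in that listing as an unlogged rule is in this log.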