I have been trying to convert a firewall from ipfwadm to ipchains, and
am having no luck at all in getting the proper behaviour. I am
suspicious that there is a bug, because I don't see any problem in the
simple setup.
The config is a firewall connected through a dialup via ppp to a three
bit subnet of fixed addresses and some 192.168.x.x hosts to be supported
via masquerade. I have totally removed the private net and physically
removed the NIC to avoid complexity.
I want all packets arriving at the firewall for the visible subnet to be
forwarded, except the packets for a telnet port. Therefore I set
forwarding policy to DENY, then explicitly denied packets to any of the
subnet addresses.
          <<PPP>>                      <<10base2>>
(ISP)================(firewall)================(subnet)
199.4.52.6        199.4.52.7  199.4.52.206        199.4.52.200..207
At this point I can happily telnet into 199.4.52.206 from the outside,
packets for another IP on the firewall now seem to totally bypass the
chains... So I tried another hack, I deny all packets to the subnet,
telnet port, on interface ppp0 (you can check the wide detailed list for
that). I guess input drop doesn't work either, I can still telnet to the
206 NIC of the firewall.
More info after the listings...
================ Fig 1, ipchains listing
Chain input (policy ACCEPT):
target   prot opt    source           destination      ports
DENY     tcp  ------ 0.0.0.0/0        199.4.52.200/30  * -> 23
Chain forward (policy DENY):
DENY     tcp  ------ 0.0.0.0/0        199.4.52.200/30  * -> 23
ACCEPT   all  ------ 0.0.0.0/0        199.4.52.200/30  n/a
ACCEPT   all  ------ 199.4.52.200/30  0.0.0.0/0        n/a
Chain output (policy ACCEPT):
================ Fig 2, ipchains with detail
Chain input (policy ACCEPT: 33923 packets, 8797916 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source           destination      ports
    0     0 DENY   tcp  ------ 0xFF 0x00 ppp0                0.0.0.0/0        199.4.52.200/30  * -> 23
Chain forward (policy DENY: 0 packets, 0 bytes):
    0     0 DENY   tcp  ------ 0xFF 0x00 *                   0.0.0.0/0        199.4.52.200/30  * -> 23
    0     0 ACCEPT all  ------ 0xFF 0x00 *                   0.0.0.0/0        199.4.52.200/30  n/a
    0     0 ACCEPT all  ------ 0xFF 0x00 *                   199.4.52.200/30  0.0.0.0/0        n/a
Chain output (policy ACCEPT: 34589 packets, 5281335 bytes):
I note that the forward chain doesn't have any counts, which increases
my suspicion that the kernel is leaking packets between interfaces
without going through the chains.
This kernel is 2.1.106p4; I tried 2.1.125 without any additional luck, and
this kernel has been too stable to upgrade unless a new one works
better.
Is this ipchains stuff just too new to work right, or are the chains
"last match" instead of first, or ???
I can't readily use an out of subnet IP for the NIC, some systems are
not very net smart, and in production I will have a 199.4.52.xx NIC and
192.168.x.x NIC, and will only deny packets from the ppp0 interface.
For now ipfwadm on 2.1.101 solves my problem.
--
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
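Added example, not code from the post above: a pure POSIX sh model of how ipchains on Linux 2.1/2.2 handles a packet, loaded with the exact ruleset from Fig 1, so you can ask "which chains does this packet traverse, and which rule does it hit?" without an ipchains kernel. It encodes three documented ipchains facts: a packet addressed to one of the firewall's own IPs is delivered locally and traverses only the input chain (the forward chain sees transit packets only); a transit packet traverses input, then forward, then output; within a chain the first matching rule wins and the chain policy applies only when nothing matches. It also does the CIDR arithmetic, so it shows that 199.4.52.200/30 covers .200 through .203 only. The LOCAL_ADDRS list is assumed from the diagram and the sample packets at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): POSIX sh model of ipchains
# chain dispatch and first-match rule evaluation, using the Fig 1 ruleset.
# Assumptions: LOCAL_ADDRS comes from the diagram (ppp0 end and the 10base2
# NIC); the sample packets at the bottom are constructed, not captured.

# The firewall's own addresses. A packet addressed to one of these is
# delivered locally: it traverses the input chain only and never sees forward.
LOCAL_ADDRS="199.4.52.7 199.4.52.206"

# Fig 1 as rules, one per line: chain proto src dst dport target
# ("*" = any destination port, "all" = any protocol).
RULES='input tcp 0.0.0.0/0 199.4.52.200/30 23 DENY
forward tcp 0.0.0.0/0 199.4.52.200/30 23 DENY
forward all 0.0.0.0/0 199.4.52.200/30 * ACCEPT
forward all 199.4.52.200/30 0.0.0.0/0 * ACCEPT'

# Chain policies from the listing: used only when no rule in the chain matches.
policy() {
  case $1 in
    forward) echo DENY ;;
    *)       echo ACCEPT ;;
  esac
}

# ip2int DOTTED-QUAD -> unsigned 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/LEN -> true when ADDR lies inside NET/LEN.
in_cidr() {
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  len=${2#*/}
  if [ "$len" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - $len)) & 4294967295 ))
  fi
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# chains_for DST -> the chains a packet with that destination traverses.
chains_for() {
  for a in $LOCAL_ADDRS; do
    if [ "$a" = "$1" ]; then echo input; return; fi
  done
  echo "input forward output"
}

# evaluate CHAIN PROTO SRC DST DPORT -> target of the first matching rule in
# CHAIN, or the chain policy when nothing matches (first match, not last).
evaluate() {
  chain=$1 proto=$2 src=$3 dst=$4 dport=$5
  hit=$(echo "$RULES" | while read rc rp rs rd rdp rt; do
    [ "$rc" = "$chain" ] || continue
    [ "$rp" = all ] || [ "$rp" = "$proto" ] || continue
    in_cidr "$src" "$rs" || continue
    in_cidr "$dst" "$rd" || continue
    [ "$rdp" = '*' ] || [ "$rdp" = "$dport" ] || continue
    echo "$rt"; exit 0          # first match wins; stop scanning the chain
  done)
  if [ -n "$hit" ]; then echo "$hit"; else policy "$chain"; fi
}

# verdict PROTO SRC DST DPORT -> final fate of the packet: a non-ACCEPT
# result in any traversed chain ends processing there.
verdict() {
  for c in $(chains_for "$3"); do
    v=$(evaluate "$c" "$1" "$2" "$3" "$4")
    if [ "$v" != ACCEPT ]; then echo "$v"; return; fi
  done
  echo ACCEPT
}

# Constructed sample packets: telnet to the firewall's own .206 NIC, telnet
# and HTTP to a host inside 199.4.52.200/30, HTTP to a host outside it.
for pkt in "tcp 1.2.3.4 199.4.52.206 23" "tcp 1.2.3.4 199.4.52.201 23" \
           "tcp 1.2.3.4 199.4.52.201 80" "tcp 1.2.3.4 199.4.52.205 80"; do
  set -- $pkt
  printf '%-30s chains: %-22s verdict: %s\n' "$pkt" "$(chains_for "$3")" "$(verdict "$@")"
done
```

To try other rules, edit RULES in the same six-column shape as the listing; to check a real box, compare the output against the pkts counters in `ipchains -L -v -n`, which is what Fig 2 shows.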