Opened 13 years ago
Closed 13 years ago
#187 closed incident (fixed)
ProxyCope no internet
Reported by: | huub | Owned by: | |
---|---|---|---|
Keywords: | Cc: | ||
Location: | Generic |
Description
Same symptom as on ProxyDeClercq:
ProxyCope# fetch -o /dev/null http://www.nu.nl
...
ProxyCope# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Operation not permitted
Is something wrong with the firewall rules?
ProxyCope# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
pass out on sis0 all flags S/SA keep state (source-track rule, max-src-states 10)
pass on lo0 all flags S/SA keep state
block drop in all
pass in on sis0 inet proto tcp from any to 83.162.36.91 port = ssh flags S/SA keep state
pass in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.8.68 port = ssh flags S/SA keep state
pass in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.8.68 port = domain flags S/SA keep state
pass in on sis1 inet proto udp from 172.16.0.0/12 to 172.17.8.68 port = domain keep state
pass in on sis1 inet proto tcp from any to any port = http flags S/SA keep state
pass in on sis1 inet proto tcp from any to any port = https flags S/SA keep state
pass in on sis1 inet proto icmp from 172.16.0.0/12 to 172.17.8.68 keep state
On ProxyPlantsoen (which does work properly) I see:
ProxyPlantsoen# pfctl -s rules
No ALTQ support in kernel
ALTQ related functions disabled
block drop in on sis0 inet from any to 10.0.1.100
block drop in on sis1 inet from any to 172.17.169.66
pass in on sis1 inet proto tcp from 172.16.0.0/12 to any port = http flags S/SA keep state
pass in on sis1 inet proto tcp from 172.16.0.0/12 to any port = https flags S/SA keep state
pass out on sis1 all flags S/SA keep state
pass out on sis0 all flags S/SA keep state
block drop in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.169.66 port = http
block drop in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.169.66 port = https
pass in on sis1 inet proto udp from 172.16.0.0/12 to 172.17.169.66 port = domain keep state
pass in on sis1 inet proto udp from 172.16.0.0/12 to 172.17.169.66 port = ntp keep state
pass in on sis1 inet proto udp from 172.16.0.0/12 to 172.17.169.66 port = snmp keep state
pass in on sis1 inet proto udp from 172.16.0.0/12 to 172.17.169.66 port = 12345 keep state
pass in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.169.66 port = ssh flags S/SA keep state
pass in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.169.66 port = ntp flags S/SA keep state
pass in on sis1 inet proto tcp from 172.16.0.0/12 to 172.17.169.66 port = 3128 flags S/SA keep state
pass in on sis1 inet proto icmp from 172.16.0.0/12 to 172.17.169.66 keep state
pass in on sis0 inet proto tcp from any to 10.0.1.100 port = ssh flags S/SA keep state
pass in on sis0 inet proto udp from any to 10.0.1.100 port = snmp keep state
pass on sis0 inet from 10.0.0.0/8 to 172.16.0.0/12 flags S/SA keep state
pass on sis0 inet from 192.168.0.0/16 to 172.16.0.0/12 flags S/SA keep state
block drop on sis1 inet from 172.16.0.0/12 to 10.0.0.0/8
block drop on sis1 inet from 172.16.0.0/12 to 192.168.0.0/16
pass in on sis1 all flags S/SA keep state
?
Change History (4)
comment:1 by , 13 years ago
comment:3 by , 13 years ago
There was still an old firewall file on it; replaced it with the newest one:
ProxyCope# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=22.097 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=21.712 ms
comment:4 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Apparently this is not the very newest one after all. ProxyLHS has yet another pf.conf:
ProxyCope# diff /etc/pf.conf /tmp/pf.conf.LHS
45a46,47
# Otherwise lvrouted breaks:
pass in on $int_if
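Review bot: "pass in on $int_if" on the second added line has no protocol, address or port restriction, so it admits all inbound traffic on the internal interface rather than only what lvrouted needs. pf applies the last matching rule unless an earlier rule uses "quick", so a rule inserted after line 45 can override narrower pass and block rules above it for that interface. Suggest limiting the rule to the protocol and port lvrouted actually uses, and including it only on hosts that run lvrouted, so that a shared pf.conf does not widen the policy on proxies that do not need it.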
ProxyCope does not run lvrouted, but it would be handy to use the same pf.conf everywhere.
ProxyCope is OK again; I can also fetch web pages from NodeCope via the proxy. DNS works too.
rc.conf.local:
ileiden_enable="False"
gateway_enable="False"
Python False != rc.conf.local NO