very strange problem
Matt Douhan
mdouhan at fruitsalad.org
Sat Jul 12 12:10:30 PDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello
I am running FBSD on two firewalls in a scenario like below:
internet
|
FW2
|
DMZ
|
FW1
|
internal LAN
FW1 is running ipf and FW2 is running ipf and ipnat.
Hosts on the DMZ can access the internet without problems; ping, traceroute, mail and http are all working nicely and fast.
Hosts on the internal LAN, however, are seeing VERY strange things.
For example, check this out:
9:04pm mdouhan @ [persika] ~ > traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
1 192.168.15.254 (192.168.15.254) 0.698 ms 0.532 ms 0.410 ms
2 192.168.254.254 (192.168.254.254) 0.781 ms 0.757 ms 0.744 ms
3 gw-l3-ktv-hc.koping.net (81.16.160.113) 1.210 ms 1.203 ms 1.263 ms
4 gw-l3-ktv-it.koping.net (81.16.160.6) 1.546 ms 4.123 ms 1.272 ms
5 rif3-r1-jvg-kop.arrowhead.com (81.216.90.1) 3.336 ms 2.813 ms 2.649 ms
6 www.cisco.com (198.133.219.25) 1.278 ms 2.610 ms 1.962 ms
The host "persika" is connected on the internal LAN and is located in Sweden, Europe; there is NO way it can get to www.cisco.com in 2-3 ms, and I don't have any caching or proxies or anything. Besides, traceroute does not care about that anyway, AFAIK.
The same traceroute from a host on the DMZ shows the correct thing, as follows:
9:05pm mdouhan @ [ananas] ~ > traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
1 firewall2 (192.168.254.254) 0.671 ms 0.458 ms 0.438 ms
2 gw-l3-ktv-hc.koping.net (81.16.160.113) 0.901 ms 0.931 ms 0.878 ms
3 gw-l3-ktv-it.koping.net (81.16.160.6) 1.416 ms 1.191 ms 1.388 ms
4 rif3-r1-jvg-kop.arrowhead.com (81.216.90.1) 2.345 ms 2.080 ms 2.705 ms
5 rif2-cr1-vf-kop.arrowhead.com (81.216.2.1) 1.973 ms 2.173 ms 2.263 ms
6 rif6-cr1-vf-vst.arrowhead.com (81.216.0.53) 3.785 ms 2.708 ms 2.540 ms
7 rif3-cr1-vf-oby.arrowhead.com (213.187.195.97) 3.363 ms 16.022 ms 3.862 ms
8 rif47-rs1-t4-sto.arrowhead.com (213.187.195.93) 4.769 ms 4.396 ms 3.999 ms
9 rif5-cr3-kst-sto.arrowhead.com (81.216.0.137) 5.115 ms 4.624 ms 4.762 ms
10 Gi14-1-kst-p1.sto.se.sn.net (81.216.0.113) 4.496 ms 4.577 ms 4.666 ms
11 pos2-0.vrt-p1.sto.se.sn.net (213.88.255.245) 4.687 ms 4.757 ms 4.806 ms
12 sl-gw20-sto-2-1.sprintlink.net (80.77.97.89) 4.575 ms 4.526 ms 4.576 ms
13 sl-bb21-sto-12-0.sprintlink.net (80.77.96.98) 4.969 ms 5.132 ms 5.526 ms
14 sl-bb21-cop-12-0.sprintlink.net (213.206.129.33) 14.034 ms * 13.904 ms
15 sl-bb20-cop-15-0.sprintlink.net (80.77.64.33) 13.942 ms 13.498 ms 13.966 ms
16 sl-bb21-msq-10-0.sprintlink.net (144.232.19.29) 91.125 ms 102.015 ms 93.908 ms
17 sl-bb22-rly-15-3.sprintlink.net (144.232.19.98) 96.692 ms 95.680 ms 96.615 ms
18 sl-bb25-rly-12-0.sprintlink.net (144.232.14.166) 96.692 ms 95.879 ms 95.900 ms
19 sl-bb23-sj-9-0.sprintlink.net (144.232.20.11) 227.115 ms 241.136 ms 220.680 ms
20 sl-bb25-sj-14-0.sprintlink.net (144.232.3.250) 181.269 ms 173.322 ms 164.253 ms
21 sl-gw11-sj-10-0.sprintlink.net (144.232.3.134) 172.763 ms 172.362 ms 172.324 ms
22 sl-ciscopsn2-11-0-0.sprintlink.net (144.228.44.14) 166.180 ms 166.028 ms 170.228 ms
23 sjck-dirty-gw1.cisco.com (128.107.239.5) 164.721 ms 166.063 ms 166.174 ms
24 sjck-sdf-ciod-gw2.cisco.com (128.107.239.110) 172.908 ms 173.340 ms 173.284 ms
25 www.cisco.com (198.133.219.25) 174.149 ms 174.768 ms *
25 www.cisco.com (198.133.219.25) 174.149 ms 174.768 ms *
Now here is where it gets really weird: I have tried reinstalling FW1, since it seems to be the cause of the problem. I have tried STABLE, CURRENT and 5.1-R, all with the same result: it does NOT work.
I have tried swapping FW1 and FW2 and the problem stays the same, so it seems to be a misconfiguration on my part (or a bug, but that's less likely I think), but I cannot figure out what it is.
My rules are very simple:
On FW1, allow anything out on the external fxp interface with keep state so it can get back in.
On FW2 I have a number of BIMAP statements and some NAT statements; the BIMAPs are for the servers where we provide services such as mail, www and ftp.
Any input or ideas would be highly appreciated; this is driving me crazy.
- --
- ------------------------------------------------------------------------------------
Matt Douhan
www.fruitsalad.org
CCIE #4004
*** ping elvis ***
*** elvis is alive ***
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)
iD8DBQE/EF0skU5PITZniCURArKOAJ9HuNWbWCJiV0PRMSpFCo5bv4P3aACfXhAn
9G8PqZQeZZ8RUIABr12VA5Q=
=Kda6
-----END PGP SIGNATURE-----
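The following is an added example, not code from Matt's message or from the FreeBSD project: a small Python script that parses traceroute(8) output like the two traces quoted above and turns the "no way it can get to www.cisco.com in 2-3 ms" reasoning into a mechanical check. It computes the speed-of-light lower bound on the round trip from an assumed origin (Köping, Sweden, for the tracing hosts) to an assumed destination (San Jose, California, for www.cisco.com; both sets of coordinates and the 200 km/ms fibre speed are assumptions made for this example) and flags a trace whose final hop carries the target address but answered faster than that bound. A reply that physically cannot have come from the destination means something in-path, whether a NAT or bimap rule, a stray route, or a host answering for the address, is answering instead of the real host. The internal-LAN trace is quoted in full; the DMZ trace is abridged from the one above, keeping a wrapped line and the `*` timeouts so the parser has to cope with them.

```python
"""Traceroute sanity check (added example, not code from the original post).

Parses traceroute(8) output like the two traces quoted above and flags a trace
whose destination "answered" faster than light in fibre could carry the probe
there and back. Such a reply cannot come from the real host: something nearer
the tracing host (a NAT/bimap rule, a stray route, a host answering for the
address) is intercepting the traffic.
"""
import math
import re

FIBER_KM_PER_MS = 200.0   # light in glass covers roughly 200 km per millisecond (~2/3 c)
HEADER_RE = re.compile(r'^traceroute to \S+ \(([\d.]+)\)')
HOP_RE = re.compile(r'^(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+(.*)$')
RTT_RE = re.compile(r'([\d.]+)\s*ms')

# Assumed coordinates (lat, lon) for this example only: Koping, Sweden for the
# tracing hosts and San Jose, California for www.cisco.com.
ORIGIN = (59.51, 15.99)
DESTINATION = (37.34, -121.89)

# Trace from the internal-LAN host, as quoted in the post.
INSIDE_TRACE = """\
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
1 192.168.15.254 (192.168.15.254) 0.698 ms 0.532 ms 0.410 ms
2 192.168.254.254 (192.168.254.254) 0.781 ms 0.757 ms 0.744 ms
3 gw-l3-ktv-hc.koping.net (81.16.160.113) 1.210 ms 1.203 ms 1.263 ms
4 gw-l3-ktv-it.koping.net (81.16.160.6) 1.546 ms 4.123 ms 1.272 ms
5 rif3-r1-jvg-kop.arrowhead.com (81.216.90.1) 3.336 ms 2.813 ms 2.649 ms
6 www.cisco.com (198.133.219.25) 1.278 ms 2.610 ms 1.962 ms
"""

# Trace from the DMZ host, abridged from the post (hops 2-13 and 15-23 omitted);
# the wrapped line and the '*' timeouts are kept so the parser has to handle them.
DMZ_TRACE = """\
traceroute to www.cisco.com (198.133.219.25), 64 hops max, 40 byte packets
1 firewall2 (192.168.254.254) 0.671 ms 0.458 ms 0.438 ms
14 sl-bb21-cop-12-0.sprintlink.net (213.206.129.33) 14.034 ms * 13.904 ms
24 sjck-sdf-ciod-gw2.cisco.com (128.107.239.110) 172.908 ms 173.340 ms
173.284 ms
25 www.cisco.com (198.133.219.25) 174.149 ms 174.768 ms *
"""

def median(values):
    s = sorted(values)
    n = len(s)
    if n == 0:
        return None
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2

def parse_traceroute(text):
    """Return (target_addr, hops), hop = {'ttl', 'name', 'addr', 'rtts'}; '*' probes
    are dropped and a wrapped 'ms' / 'nnn.nnn ms' line is re-joined to its hop."""
    joined = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        if joined and not HOP_RE.match(s) and not HEADER_RE.match(s):
            joined[-1] += ' ' + s          # continuation of the previous hop line
        else:
            joined.append(s)
    target, hops = None, []
    for s in joined:
        m = HEADER_RE.match(s)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(s)
        if m:
            ttl, name, addr, rest = m.groups()
            hops.append({'ttl': int(ttl), 'name': name, 'addr': addr,
                         'rtts': [float(x) for x in RTT_RE.findall(rest)]})
    return target, hops

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def min_rtt_ms(origin, destination):
    """Physical lower bound on the round trip: a straight fibre there and back."""
    return 2 * great_circle_km(*origin, *destination) / FIBER_KM_PER_MS

def check_trace(text, origin=ORIGIN, destination=DESTINATION):
    """'impossible' is True when the last hop carries the target address but its
    median RTT is below the speed-of-light bound for the assumed geography."""
    target, hops = parse_traceroute(text)
    last = hops[-1]
    rtt = median(last['rtts'])
    bound = min_rtt_ms(origin, destination)
    return {'target': target, 'hops': len(hops), 'final_addr': last['addr'],
            'final_rtt_ms': rtt, 'min_possible_ms': round(bound, 1),
            'impossible': last['addr'] == target and rtt is not None and rtt < bound}

if __name__ == '__main__':
    print(check_trace(INSIDE_TRACE), check_trace(DMZ_TRACE), sep='\n')
```

Run as a script it reports the internal-LAN trace as impossible (final hop under 2 ms against a physical minimum of roughly 86 ms) and the DMZ trace as plausible. To use it on your own output, paste the traceroute text in place of the constants and set the coordinates for the real origin and destination, since the bound is only as good as the assumed geography. The check only catches replies that are too fast to be genuine; a NAT that forwards to the real destination still passes, so it detects in-path interception of the target address rather than auditing the NAT rules themselves.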
More information about the freebsd-net mailing list