Server connectivity problem (firewall?)

listmail at listmail at
Mon Feb 9 07:42:23 PST 2004

Hardware setup:
MSN <--> DSL <--> [ (nic rl0) fbsd (nic dc0) ] <--> lan

The problem:
	Any operation initiating within the FBSD box works normally 
(such as nslookup, web surfing, and so on). Additionally, any operations 
initiated on the LAN side (pings, web surfing, etc.) work just fine 
including browser accesses to the FBSD box's httpd and telnet to the 
FBSD box.
	However, incoming tcp packets on rl0, such as initiating telnet 
connection or packets to apache, smtp connections to sendmail, are 
refused (except ping/echo which works just fine). From dc0 all works 
well. I can't figure out why they are being refused. From the tcpdump it 
appears that they're making it to the FBSD machine (note that they are 
also originated from the same FBSD machine, so they're just going out 
and looping right back.) The Apache httpd and sendmail both run as 
daemons. All other services are launched by xinetd (I've checked xinetd 
- it's ok and works well from the LAN side).
	I've included sample sessions with tcpdump output, firewall 
rules, etc. below.  Any help at all is greatly appreciated.

From /etc/rc.conf:

firewall_enable="YES"           # Set to YES to enable firewall functionality
firewall_script="/etc/rc.firewall" # Which script to run to set up the 
firewall_type="OPEN"            # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO"             # Set to YES to suppress rule display
firewall_logging="YES"          # Set to YES to enable events logging
firewall_flags=""               # Flags passed to ipfw when type is a file
ipfilter_enable="YES"           # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"    # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
                                # /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags=""               # additional flags for ipfilter

Firewall rules:

brightstar# ipfw show
00050  298  29652 divert 8668 ip from any to any via rl0
00100   12   1464 allow ip from any to any via lo0
00200    0      0 deny ip from any to
00300    0      0 deny ip from to any
65000 2281 207561 allow ip from any to any

IPF is also running (I can't recall why) with the following rules:
pass in all
pass out all

If I remove it from rc.conf I lose the ability to connect via dc0 as well.

Example connection attempts:
Using telnet port 23:

brightstar# telnet
telnet: connect to address Connection refused
telnet: Unable to connect to remote host

Results of tcpdump -i rl0 port 23

tcpdump: listening on rl0
08:44:40.250722 > 64-131-171- S 3491920571:3491920571(0) win 57344 
<mss 1460,nop,wscale 0,nop,nop,timestamp 149293 0> (DF) [tos 0x10]

08:44:40.251782 > FR 0:0(0) ack 3491920572 win 0 (DF) [tos 0x10]

Using telnet port 80:

brightstar# telnet 80
Connected to
Escape character is '^]'.
Connection closed by foreign host.

Results of tcpdump for port 80 (tcpdump -i rl0 port 80)

08:45:56.334523 > 64-131-171- S 1058522411:1058522411(0) win 57344 <mss 
1460,nop,wscale 0,nop,nop,timestamp 156902 0> (DF) [tos 0x10]

08:45:56.335860 > S 48713728:48713728(0) ack 1058522412 win 16000 
<mss 1446>

08:45:56.339497 > 64-131-171- . ack 1 win 57840 (DF) [tos 0x10]

08:45:57.837910 > F 1:1(0) ack 1 win 16000

08:45:57.838876 > 64-131-171- . ack 2 win 57840 (DF) [tos 0x10]

08:45:57.839222 > 64-131-171- F 1:1(0) ack 2 win 57840 (DF) [tos 0x10]

08:45:57.840615 > FR 48713730:48713730(0) win 0 (DF) [tos 0x10]

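A diagnostic the two traces above invite is to classify each TCP flow in old-style tcpdump text output by how its handshake ended: refused (a RST answering the SYN, as on port 23), established, or accepted and then closed by the server with no payload (as on port 80). The script below is an added example, not code from the original post or from FreeBSD; the tcpdump lines it parses are constructed to mirror the post's port 23 and port 80 captures, with placeholder 192.0.2.x addresses standing in for the addresses stripped from the post, and it assumes the one-line-per-packet format of tcpdump 3.x shown there.

```python
"""Classify TCP connection outcomes from old-style tcpdump text output.

Added example (not from the original post).  Assumes the tcpdump 3.x
one-line format:  HH:MM:SS.usec SRC.SPORT > DST.DPORT: FLAGS [SEQ:SEQ(LEN)] [ack N] win W ...
"""
import re

# Header of an old-style tcpdump TCP line.  '.' in the flags field means
# "no flags set" (a pure ACK); real flags are letters such as S, F, R, P.
HEADER_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)(?=\s)"
)
ACK_RE = re.compile(r"\back\b")        # "ack N" appears after the flags
LEN_RE = re.compile(r"\((\d+)\)")      # payload length in "SEQ:SEQ(LEN)"

# Constructed sample traces (placeholder addresses) mirroring the post:
# port 23 is answered with FIN+RST, port 80 completes the handshake and
# the server then closes without sending any data.
SAMPLE_PORT23 = [
    "08:44:40.250722 192.0.2.10.1049 > 192.0.2.1.23: S 3491920571:3491920571(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 149293 0> (DF) [tos 0x10]",
    "08:44:40.251782 192.0.2.1.23 > 192.0.2.10.1049: FR 0:0(0) ack 3491920572 win 0 (DF) [tos 0x10]",
]
SAMPLE_PORT80 = [
    "08:45:56.334523 192.0.2.10.1050 > 192.0.2.1.80: S 1058522411:1058522411(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 156902 0> (DF) [tos 0x10]",
    "08:45:56.335860 192.0.2.1.80 > 192.0.2.10.1050: S 48713728:48713728(0) ack 1058522412 win 16000 <mss 1446>",
    "08:45:56.339497 192.0.2.10.1050 > 192.0.2.1.80: . ack 1 win 57840 (DF) [tos 0x10]",
    "08:45:57.837910 192.0.2.1.80 > 192.0.2.10.1050: F 1:1(0) ack 1 win 16000",
    "08:45:57.838876 192.0.2.10.1050 > 192.0.2.1.80: . ack 2 win 57840 (DF) [tos 0x10]",
    "08:45:57.839222 192.0.2.10.1050 > 192.0.2.1.80: F 1:1(0) ack 2 win 57840 (DF) [tos 0x10]",
    "08:45:57.840615 192.0.2.1.80 > 192.0.2.10.1050: FR 48713730:48713730(0) win 0 (DF) [tos 0x10]",
]

DESCRIPTION = {
    "syn-sent": "no reply to SYN (dropped or filtered)",
    "refused": "RST in reply to SYN (nothing listening, or rejected before accept)",
    "established": "handshake completed, connection left open",
    "closed-by-server": "accepted, then closed by the server",
    "closed-by-client": "accepted, then closed by the client",
}


def parse_line(line):
    """Return a dict for one TCP packet line, or None for anything else."""
    text = line.strip()
    m = HEADER_RE.match(text)
    if m is None:
        return None
    rest = text[m.end():]
    length = LEN_RE.search(rest)
    return {
        "ts": m["ts"],
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": set(m["flags"]) - {"."},
        "ack": ACK_RE.search(rest) is not None,
        "payload": int(length.group(1)) if length else 0,
    }


def classify_flows(lines):
    """Map 'client -> server' to (state, payload bytes seen in either direction)."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        fwd, rev = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        if "S" in pkt["flags"] and not pkt["ack"]:
            # A bare SYN opens (or re-opens) a client -> server flow.
            flows[fwd] = {"state": "syn-sent", "payload": 0}
        elif rev in flows:                       # server -> client
            f = flows[rev]
            f["payload"] += pkt["payload"]
            if f["state"] == "syn-sent":
                if "R" in pkt["flags"]:
                    f["state"] = "refused"
                elif "S" in pkt["flags"] and pkt["ack"]:
                    f["state"] = "established"
            elif f["state"] == "established" and "F" in pkt["flags"]:
                f["state"] = "closed-by-server"
        elif fwd in flows:                       # client -> server
            f = flows[fwd]
            f["payload"] += pkt["payload"]
            if f["state"] == "established" and "F" in pkt["flags"]:
                f["state"] = "closed-by-client"
    return {
        f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}": (f["state"], f["payload"])
        for (c, s), f in flows.items()
    }


if __name__ == "__main__":
    for flow, (state, payload) in classify_flows(SAMPLE_PORT23 + SAMPLE_PORT80).items():
        print(f"{flow}: {DESCRIPTION[state]}, {payload} payload bytes")
```

Run against a saved capture (`tcpdump -i rl0 port 23 > trace.txt`, then feed the file's lines to `classify_flows`) the distinction matters for the symptom in the post: a RST answering the SYN means the packet reached the host's TCP stack and was rejected there, whereas a SYN that gets no reply at all points at a filter dropping it before the stack sees it.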