Mor_gath
December 3rd, 2002, 12:25
This is not really a BSD problem, more of a WinXP problem, but I have yet to find an answer to it so I thought I would ask here.

I have an OpenBSD 3.1 NAT server and 3 nodes behind it. The Linux box (which I'm typing on now) works great, but the XP boxes every now and then refuse to ping the OpenBSD box, though they can ping other nodes on the network.
I have searched on Google and the only thing I could find was something about how XP makes its RPC calls after updating to Service Pack 1.
XP box 1 is sharing a printer, so when XP box 2 is started, XP box 1 will have problems reaching the net, and vice versa.
It's fairly annoying not to be able to reach the net, and my parents aren't too happy sitting on a Linux box.
XP box 1 will also have problems reaching the net if XP box 2 is not online, but sometimes if I leave it on for X amount of time it will get access to the net. I'm not really a network guy so I'm fairly lost as to what to do.
I did check into disabling the RPC service in XP, but almost every service depended on it, so I would have to disable almost every network service XP has to be able to disable RPC.

nat.conf
[code:1:94f5327336]
wan="dc1"
# translate the whole LAN to the address of the external interface
nat on $wan from 192.168.1.0/24 to any -> $wan
[/code:1:94f5327336]
pf.conf
[code:1:94f5327336]
#last edit 2002-11-29 friday
#to view pflog (pflogd writes to /var/log/pflog)
#tcpdump -n -e -ttt -r /var/log/pflog
#to tail pflog
#tcpdump -n -e -ttt -i pflog0
#set up some variables
ext="dc1"
int="dc0"
protected=" { 192.168.1.2, 192.168.1.3, 192.168.1.4 } "
me=" { 192.168.1.2, 192.168.1.3 } "
windows="192.168.1.2"
linux="192.168.1.3"
st="keep state"
flagrule="flags S/SA"
#if no route exists we will block right away
block in quick from no-route to any
#default policy: block everything on the external interface in both
#directions, so only the pass rules below let traffic through
block out on $ext all
block in on $ext all
#the per-protocol blocks are redundant with the two rules above
block out on $ext proto tcp all
block in on $ext proto tcp all
block in on $ext proto udp all
block out on $ext proto udp all
#note: this only matches packets with BOTH source and destination port 22;
#inbound ssh in general is already caught by the default block above
block in quick on $ext proto tcp from any port 22 to $ext port 22
#antispoofing (the loopback network is 127.0.0.0/8)
block in quick on $ext from 127.0.0.0/8 to any
block out quick on $ext from any to 127.0.0.0/8
#dns dhcp
#DNS replies already match the state created by the outbound udp rule below,
#and without an rdr in nat.conf no packet for $protected ever arrives on $ext
pass in quick on $ext proto { tcp, udp } from 195.54.121.228 to $protected port 53
pass in quick on $ext proto { tcp, udp } from 195.54.122.193 to $protected port 53
#DHCP replies arrive at udp port 68 on the client (the server sends from 67);
#the original range 52<>56 is exclusive, i.e. ports 53-55, and never matched DHCP
pass in quick on $ext proto udp from 195.54.112.136 to $ext port { 53, 68 }

# ICMP let me ping internally
# (the pass in rule is redundant: keep state on the pass out rule lets the
#  echo replies back in)
pass out on $int inet proto icmp all $st
pass in on $int inet proto icmp all $st

# UDP
# "flags" only applies to tcp (pfctl: "flags only apply to tcp"), so
# $flagrule is dropped here; keep state is what lets the replies back in
pass out log on $ext proto udp all $st

# TCP outbound traffic must always be allowed otherwise we can't have a default policy.
# flags S/SA creates the state on the initial SYN only
pass out log on $ext proto tcp all $flagrule $st

# WWW 443 && 8080 == https
# replies to outbound web connections already match the state above; this
# rule only matches inbound connections whose SOURCE port is 80/443/8080
pass in log on $ext proto tcp from any port { 80, 443, 8080 } to $protected port { 80, 443, 8080 } $flagrule $st

# AUTH (identd)
# an inbound service needs an rdr in nat.conf (e.g. rdr on dc1 proto tcp from
# any to any port 113 -> 192.168.1.3 port 113), and the remote client's source
# port is arbitrary, so the original "from any port 113" never matched
pass in log on $ext proto tcp from any to $me port 113 $flagrule $st

# irc (6666<>7001 is exclusive: ports 6667-7000); covered by the outbound state
pass in log on $ext proto tcp from any port { 6666<>7001 } to $me port { 6666<>7001 } $flagrule $st

# ICQ (login server); the outbound rule creates the state, the pass in never matches
pass in log on $ext proto tcp from 205.188.179.233 port 5190 to $me port 5190 $flagrule $st
pass out log on $ext proto tcp from $me to 205.188.179.233 port 5190 $flagrule $st

#winmx (needs "rdr on dc1 proto tcp from any to any port 6699 -> 192.168.1.2 port 6699" in nat.conf)
pass in log on $ext proto tcp from any to $windows port 6699 $flagrule $st
#icq filetransfer ports (need a matching rdr to $linux in nat.conf as well)
pass in log on $ext proto tcp from any to $linux port { 65500<>65535 } $flagrule $st
[/code:1:94f5327336]
I don't know if pf.conf and nat.conf are needed, but here they are anyway.
Thanks for any help.

Strog
December 4th, 2002, 11:32
I have a similar setup but haven't seen the problem you are describing. I have 2 XP Pro SP1 boxes behind my OpenBSD firewall. Where I deviate from you is that my firewall is a post-3.1 snapshot that was taken after the OpenSSH fixes. My rules are a little less sophisticated than yours.

I'm still learning pf syntax and building mine as I go, but there are some things in yours that make me wonder. Perhaps there is an issue here, but we need to get some people that are more familiar with the ins and outs of pf.

Why are you passing ICMP in when you already have a rule passing it out with keep state to let it back in? Just an example and maybe there's a good answer.

Are these XP boxes Home or Pro?

Have you applied any patches?

Mor_gath
December 4th, 2002, 12:39
About ICMP: true, I changed that, and yes, I have applied all security and other patches. The XP boxes are both Pro.
Update:
Well, for some strange reason, if I first ping my Linux box and then my XP box, it comes online. This I don't really understand...

elmore
December 4th, 2002, 15:43
Have you looked at any of the other pf thread questions here on SE?

http://screamingelectron.org/phpBB2/viewforum.php?f=21
http://screamingelectron.org/phpBB2/viewtopic.php?t=16
http://screamingelectron.org/phpBB2/viewtopic.php?t=42

To get you started,

I have one suggestion. Your nat.conf says:

[code:1:fa1a714661]
wan="dc1"
nat on $wan from 192.168.1.0/24 to any -> $wan
[/code:1:fa1a714661]


Do something more like this:

[code:1:fa1a714661]
# external interface (dc1 on the original poster's box); pf macro names are
# case-sensitive, so the reference must be spelled exactly as the definition
ext_if = "dc0"
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if
[/code:1:fa1a714661]

Look at some of the rule examples: a default deny for incoming, an allow for outgoing traffic minus your no-route IPs, plus add your keep states.
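As an added example (not elmore's or the original poster's own rules), here is what that advice looks like in the two-file layout OpenBSD 3.1 uses, nat.conf for translation and pf.conf for filtering. The interface names dc1/dc0 and the host addresses are taken from the original post; which internal host receives identd (113) and WinMX (6699) is an assumption for the example, and the ICQ file-transfer range is left out, but follows the same pattern. The point the ruleset makes is that with a default deny inbound plus keep state outbound, the only "pass in" rules needed on the external interface are for services that have an rdr; without a redirect, an inbound packet's destination is the firewall's own address, so a "pass in ... to 192.168.1.x" rule can never match.

```pf
# --- /etc/nat.conf (OpenBSD 3.1: translation rules live in their own file)
ext_if="dc1"
windows="192.168.1.2"
linux="192.168.1.3"

# masquerade the whole LAN behind the external interface's address
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

# redirect the inbound services to the internal hosts that run them
# (which host gets which service is an assumption for this example)
rdr on $ext_if proto tcp from any to any port 113 -> $linux port 113
rdr on $ext_if proto tcp from any to any port 6699 -> $windows port 6699

# --- /etc/pf.conf
ext_if="dc1"
int_if="dc0"
windows="192.168.1.2"
linux="192.168.1.3"
lan="192.168.1.0/24"

# normalise fragments before any rule sees them
scrub in all

# default deny on the external interface; keep state on the pass rules
# below is what lets replies back in, so nothing else needs a "pass in"
block in log on $ext_if all
block out log on $ext_if all

# drop packets we could not route back, and spoofed loopback / LAN sources
block in quick from no-route to any
block in quick on $ext_if from { 127.0.0.0/8, $lan } to any
block out quick on $ext_if from any to 127.0.0.0/8

# the internal interface and loopback are trusted
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $int_if all
pass out quick on $int_if all

# outbound from the LAN: tcp state created on the SYN only, udp and icmp plain state
pass out log on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto udp all keep state
pass out on $ext_if inet proto icmp all keep state

# inbound only to the redirected services; after rdr the filter already sees
# the internal destination address, and the client's source port is arbitrary
pass in log on $ext_if proto tcp from any to $linux port 113 flags S/SA keep state
pass in log on $ext_if proto tcp from any to $windows port 6699 flags S/SA keep state
```

On 3.1 the two files are loaded separately, `pfctl -N /etc/nat.conf -R /etc/pf.conf`, and `pfctl -n -R /etc/pf.conf` parses the filter rules without loading them, which is the quickest way to catch a macro typo (macro names are case-sensitive) or a "flags" clause on a non-tcp rule before the old ruleset is flushed.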

Mor_gath
December 4th, 2002, 17:34
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if
complained about inet, wouldn't accept it.
I tried resetting my pf.conf to
pass all in
pass out all

It made no difference.

bsdjunkie
December 4th, 2002, 18:02
nat on $ext_if inet from 192.168.1.0/24 to any -> $ext_if
complained about inet, wouldn't accept it.
I tried resetting my pf.conf to
pass all in
pass out all

The inet is not needed:
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

I don't know if you had a typo here or in the rules, but it's also
pass in all (not pass all in)

StatiK76
December 4th, 2002, 18:40
I have a difficult time understanding why we are troubleshooting your nat.conf (and pf.conf, respectively). You should always be able to ping the internal interface on your gateway / router / firewall / whatever. You describe a problem of being unable to ping sometimes ONLY from the XP boxen, and having internet connectivity issues when one or more XP boxes are online...? This seems strange... But I definitely do not believe it to be your rules. (Yes, there are some improvements that could be made... but who cares, I could improve mine as well.)

I have an XP (Pro) box behind a similar setup to yours (as do about 30 other users here)... I think we would be barking up the wrong tree if we assumed it was XP that had difficulties pinging an OpenBSD box that allows ICMP. I have every service pack, security fix, critical update, version update, OS update, supernifty update, and general patch EVER made for XP (YES!! All 416 million of them) and have never run into such an issue.

Have you considered the possibility that it may be hardware related? A flaky NIC? A bad cable? A shitty switch? etc...

When you attempt these pings, are they timing out? What are you receiving in response? Also, when you 'lose' connectivity to the net from one of your XP boxes, are you able to move around the internal network still? (Aside from ping etc., can you SSH to the gateway? Can you get out from the gateway?)

Sorry for all the questions. I just see most of the people here troubleshooting your NAT and PF, and I think the thread needs to be refocused on the topic at hand.

StatiK76

elmore
December 4th, 2002, 19:25
the inet is not needed.
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

I've always used inet; I've never had any problems using it. StatiK's point is well taken, however.

What about running a traceroute (or tracert, I guess, in Windows) to an internet web site, then to the external iface of your firewall, then to the internal iface of your firewall? I don't know, I'm just throwing things out.

frisco
December 4th, 2002, 22:48
the inet is not needed.
nat on $ext_if from 192.168.1.0/24 to any -> $ext_if

I've always used inet, I've never had any problems using it.

As I recall there was a brief period where inet was needed; I think it was 3.1-current to just before 3.2-pre.

bsdjunkie
December 4th, 2002, 23:26
I think you're right, but looking into the FAQ for 3.2, it's no longer necessary.

Mor_gath
December 6th, 2002, 09:00
Well, I posted on a couple of forums and no one seems to have any problems with WinXP clients, so it's probably a bad NIC/cable or some settings on the WinXP machines.
Thanks for all the tips.