[OmniOS-discuss] networking from a zone

Jim Klimov jimklimov at cos.ru
Sun Jan 4 12:02:42 UTC 2015


On 4 January 2015 10:42:37 CET, Michael Mounteney <gate03 at landcroft.co.uk> wrote:
>Hello, my server is running a fairly simple firewall.  The machine has
>two interfaces:
>
>e1000g0 192.168.0.n/24 connected to the cable modem and the internet.
>e1000g1 192.168.1.1/24 connected to a hub and hence various client
>machines.
>
>The firewall is basically as per http://pastebin.com/4aYyZhJ8 and while
>this works well for the clients, I can't make it work for a zone.  I've
>got one zone which shares the e1000g1 interface, which provides various
>internal services which I don't want visible to the outside world, but
>another zone, which shares the e1000g0 interface, I *do* want to be able
>to see the outside world, but it won't do much.  I can ping an external
>IP address, but can't do ssh (to an IP address) or DNS for example.
>
>Any ideas?  Thanks in expectation.
>
>Michael.

Now that I have looked over your pastebin, a few things pop out:

1) Why not use 'head' and 'group' for the different directions on the different interfaces? This is especially nice for flexibility, as you may later add, change or rename interfaces without going all over the ipf.conf file.

2) The rules for e1000g0 in/out comms name the dynamic address for the interface as 'e1000g0/32', which may limit them to the GZ address. See if replacing this by the subnet /24 fixes the issue. Does the external LZ have a fixed IP address? You can then plug in specific rules for its network access.

3) You start with
  block in quick on e1000g0 from 192.168.0.0/16 to any
which may preclude access to your router and other hosts on the external segment before the further rules below are consulted (due to 'quick'). Check whether you really do want this.

Also, before changing anything, and after some uptime to gather enough statistics, use 'ipfstat -hion' to see the rule hit counts, especially whether any 'allow's do happen after the many 'block quick's. Also instrument all 'block' rules with 'log' and check with 'ipmon | grep -w b' what gets thrown away by this firewall.

HTH,
//Jim Klimov
--
Typos courtesy of K-9 Mail on my Samsung Android
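The following ipf.conf is an added example illustrating the three points in the reply above (head/group dispatch per interface and direction, the subnet instead of 'e1000g0/32' so that a shared-IP zone's own address is matched, and the router exempted before the broad RFC1918 block, with all blocks logged). It is not the original poster's pastebin and not from the OmniOS project; the addresses 192.168.0.1 for the router, 192.168.0.2 for the global zone and 192.168.0.3 for the external zone are assumptions chosen for illustration.

```conf
# /etc/ipf/ipf.conf -- added example, not the original poster's ruleset.
# Assumed addresses (not from the thread): router 192.168.0.1, global
# zone 192.168.0.2 and the external shared-IP zone 192.168.0.3, all on
# e1000g0; the internal zone and clients live on 192.168.1.0/24 via e1000g1.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Dispatch by interface and direction.  A packet that matches no rule in
# its group falls back to the head rule's own action, so the default is a
# logged block and renaming an interface means touching only these lines.
block in  log on e1000g0 all head 100
block out log on e1000g0 all head 150
block in  log on e1000g1 all head 200
block out log on e1000g1 all head 250

# --- group 100: inbound on the external interface ----------------------
# Exempt the router before the wide block, otherwise ICMP errors and
# redirects from the default gateway are dropped by the 'quick' rule.
pass in quick on e1000g0 proto icmp from 192.168.0.1 to any group 100
# The original wide block, kept but logged so ipmon shows what it eats.
block in log quick on e1000g0 from 192.168.0.0/16 to any group 100
# Replies to stateful outbound sessions are matched in the state table
# before the rules are walked, so nothing further is needed here.

# --- group 150: outbound on the external interface ---------------------
# Source is the /24, not e1000g0/32: e1000g0/32 expands to the global
# zone's own address and never matches packets sourced by the zone.
pass out quick on e1000g0 proto udp  from 192.168.0.0/24 to any port = 53 keep state group 150
pass out quick on e1000g0 proto tcp  from 192.168.0.0/24 to any port = 53 flags S keep state group 150
pass out quick on e1000g0 proto tcp  from 192.168.0.0/24 to any port = 22 flags S keep state group 150
pass out quick on e1000g0 proto icmp from 192.168.0.0/24 to any icmp-type echo keep state group 150
# Where only the zone needs a service, name its fixed address instead.
pass out quick on e1000g0 proto tcp  from 192.168.0.3 to any port = 443 flags S keep state group 150

# --- groups 200/250: the internal interface ----------------------------
pass in  quick on e1000g1 from 192.168.1.0/24 to any keep state group 200
pass out quick on e1000g1 all keep state group 250
```

Load it with `ipf -Fa -f /etc/ipf/ipf.conf`, let the zone try ssh and a DNS lookup, then read `ipfstat -hion`: the per-rule hit counts show whether the group 150 pass rules are being reached at all or whether the counters only climb on the head rules and the logged block in group 100, which is exactly what `ipmon | grep -w b` will then print.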

