Problems in CP after update to 2.0.2
-
Hello. I'll try to explain my problem.
These are my networks:
10.1.0.0/16 Central with some servers
10.2.0.0/16
10.3.0.0/16
10.4.0.0/16
On 10.1 and 10.3 I have CP enabled to control internet use, but to allow traffic from/to all my subnets I create IP rules on "allowed ip addresses" (on the 10.3 site like: "both 10.1.0.0/16").
These rules have always worked for me, but since the update to 2.0.2 they stopped working and I need to enter the host server manually on "allowed hostnames". With this I open internet to that server and I don't want this (without auth).
I've used gitsync, and problem still is here.
Is this a bug?
How can I restrict internet access without affecting my subnets' traffic?? Thanks.
-
Having those IPs in the list for 'both' should allow any IP in those subnets access through the portal without authentication, which may not be what you wanted. You probably just want to list those as 'to' (destination) and not 'both'.
Either way, post the output of "ipfw show" and a screenshot of the Allowed IP Addresses tab and it might help spot the issue.
-
Oh and the output of "ipfw table all list" too.
-
Hi jimp, thanks for answer.
Hmm, with this config everything worked ok for me: users have to authenticate on the portal to go to the internet, but traffic on the subnets is ok, without needing to authenticate. But what you say makes sense. I'll change this and execute the commands.
I'll come back
-
ipfw show
ipfw: getsockopt(IP_FW_GET): Protocol not available
????
ipfw table all list
ipfw: Warn: Failed to get the max tables number via sysctl. Using the compiled in defaults.
The reason was: No such file or directory
ipfw: getsockopt(IP_FW_TABLE_GETSIZE): Protocol not available
??? maybe I need to reinstall…
-
It will show that way if CP is disabled.
Enable CP, reproduce the problem, and then run the commands; then you can disable CP again.
-
Okidoki!
ipfw show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 161 7298 allow ip from any to any layer2 mac-type 0x0806
65302 0 0 allow ip from any to any layer2 mac-type 0x888e
65303 0 0 allow ip from any to any layer2 mac-type 0x88c7
65304 0 0 allow ip from any to any layer2 mac-type 0x8863
65305 0 0 allow ip from any to any layer2 mac-type 0x8864
65307 5 340 deny ip from any to any layer2 not mac-type 0x0800
65310 1665 208814 allow ip from any to { 255.255.255.255 or 10.1.0.1 } in
65311 1495 687305 allow ip from { 255.255.255.255 or 10.1.0.1 } to any out
65312 0 0 allow icmp from { 255.255.255.255 or 10.1.0.1 } to any out icmptypes 0
65313 0 0 allow icmp from any to { 255.255.255.255 or 10.1.0.1 } in icmptypes 8
65314 407 43341 allow ip from table(3) to any in
65315 380 54319 allow ip from any to table(4) out
65316 0 0 pipe tablearg ip from table(5) to any in
65317 0 0 pipe tablearg ip from any to table(6) out
65318 3 176 allow ip from any to table(7) in
65319 0 0 allow ip from table(8) to any out
65320 0 0 pipe tablearg ip from any to table(9) in
65321 0 0 pipe tablearg ip from table(10) to any out
65322 302 54529 allow ip from table(1) to any in
65323 406 430771 allow ip from any to table(2) out
65531 1677 323817 fwd 127.0.0.1,8000 tcp from any to any in
65532 1605 288120 allow tcp from any to any out
65533 24 1722 deny ip from any to any
65534 0 0 allow ip from any to any layer2
65535 0 0 allow ip from any to any
ipfw show
65291 0 0 allow pfsync from any to any
65292 0 0 allow carp from any to any
65301 220 10012 allow ip from any to any layer2 mac-type 0x0806
65302 0 0 allow ip from any to any layer2 mac-type 0x888e
65303 0 0 allow ip from any to any layer2 mac-type 0x88c7
65304 0 0 allow ip from any to any layer2 mac-type 0x8863
65305 0 0 allow ip from any to any layer2 mac-type 0x8864
65307 6 408 deny ip from any to any layer2 not mac-type 0x0800
65310 1716 212566 allow ip from any to { 255.255.255.255 or 10.1.0.1 } in
65311 1594 695797 allow ip from { 255.255.255.255 or 10.1.0.1 } to any out
65312 0 0 allow icmp from { 255.255.255.255 or 10.1.0.1 } to any out icmptypes 0
65313 0 0 allow icmp from any to { 255.255.255.255 or 10.1.0.1 } in icmptypes 8
65314 528 78883 allow ip from table(3) to any in
65315 500 66927 allow ip from any to table(4) out
65316 0 0 pipe tablearg ip from table(5) to any in
65317 0 0 pipe tablearg ip from any to table(6) out
65318 17 828 allow ip from any to table(7) in
65319 6 264 allow ip from table(8) to any out
65320 0 0 pipe tablearg ip from any to table(9) in
65321 0 0 pipe tablearg ip from table(10) to any out
65322 460 74395 allow ip from table(1) to any in
65323 627 682329 allow ip from any to table(2) out
65531 1746 327682 fwd 127.0.0.1,8000 tcp from any to any in
65532 1659 293691 allow tcp from any to any out
65533 29 2062 deny ip from any to any
65534 0 0 allow ip from any to any layer2
65535 0 0 allow ip from any to any
ipfw table all list
---table(1)---
10.1.0.11/32 mac 00:16:35:67:e3:40 0 610 112786
10.1.0.89/32 mac 00:1d:09:0d:6d:68 0 150 16522
---table(2)---
10.1.0.11/32 mac 00:16:35:67:e3:40 0 790 800053
10.1.0.89/32 mac 00:1d:09:0d:6d:68 0 260 354300
---table(3)---
10.1.0.20/32 0 39 10934
10.1.0.60/32 0 0 0
10.1.0.79/32 0 0 0
10.1.0.221/32 0 18 1116
10.1.0.222/32 0 0 0
10.1.0.230/32 0 0 0
10.1.0.234/32 0 0 0
10.1.10.1/32 0 39 2972
10.1.10.2/32 0 3 321
10.1.10.9/32 0 0 0
10.1.10.11/32 0 654 181556
10.1.10.12/32 0 0 0
10.1.10.15/32 0 2 82
10.1.10.17/32 0 12 920
10.1.10.101/32 0 0 0
10.1.10.102/32 0 0 0
10.1.10.103/32 0 0 0
10.1.10.104/32 0 0 0
---table(4)---
10.1.0.20/32 0 41 5836
10.1.0.60/32 0 0 0
10.1.0.79/32 0 0 0
10.1.0.221/32 0 18 1116
10.1.0.222/32 0 0 0
10.1.0.230/32 0 0 0
10.1.0.234/32 0 0 0
10.1.10.1/32 0 39 5355
10.1.10.2/32 0 0 0
10.1.10.9/32 0 0 0
10.1.10.11/32 0 576 68815
10.1.10.12/32 0 0 0
10.1.10.15/32 0 2 80
10.1.10.17/32 0 10 926
10.1.10.101/32 0 0 0
10.1.10.102/32 0 0 0
10.1.10.103/32 0 0 0
10.1.10.104/32 0 0 0
---table(7)---
10.1.0.20/32 0 0 0
10.1.0.60/32 0 0 0
10.1.0.79/32 0 0 0
10.1.10.1/32 0 0 0
10.1.10.2/32 0 0 0
10.1.10.11/32 0 0 0
10.1.10.12/32 0 0 0
10.1.10.15/32 0 0 0
10.1.10.17/32 0 0 0
10.2.0.0/16 0 0 0
10.3.0.0/16 0 8 368
10.4.0.0/16 0 10 472
172.20.0.14/32 0 0 0
172.20.0.240/32 0 0 0
192.168.1.0/24 0 3 216
---table(8)---
10.1.0.20/32 0 0 0
10.1.0.60/32 0 0 0
10.1.0.79/32 0 0 0
10.1.10.1/32 0 0 0
10.1.10.2/32 0 0 0
10.1.10.11/32 0 0 0
10.1.10.12/32 0 0 0
10.1.10.15/32 0 0 0
10.1.10.17/32 0 0 0
10.2.0.0/16 0 0 0
10.3.0.0/16 0 3 132
10.4.0.0/16 0 3 132
172.20.0.14/32 0 0 0
172.20.0.240/32 0 0 0
192.168.1.0/24 0 0 0
-
see anything???
I'll try on 2.0.1…
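jimp's point about 'both' versus 'to', worked through against the rule numbers in the ipfw show listing above. This is an added example, not code from the thread or from pfSense; it assumes (reading the listing, where 10.2/10.3/10.4 appear only in tables 7 and 8) that 'from' entries fill tables 3/4 and 'to' entries fill tables 7/8, and 203.0.113.10 is a constructed internet address.

```python
import ipaddress

# Constructed model of the captive-portal ipfw chain shown in "ipfw show" above.
# Assumption: 'from' entries land in tables 3/4, 'to' entries in tables 7/8,
# and 'both' in all four.
TABLE_ROLES = {"from": (3, 4), "to": (7, 8)}

def build_tables(allowed):
    """allowed: list of (cidr, direction) with direction 'from', 'to' or 'both'."""
    tables = {3: [], 4: [], 7: [], 8: []}
    for cidr, direction in allowed:
        net = ipaddress.ip_network(cidr, strict=False)
        dirs = ("from", "to") if direction == "both" else (direction,)
        for d in dirs:
            for num in TABLE_ROLES[d]:
                tables[num].append(net)
    return tables

def in_table(tables, num, ip):
    return any(ipaddress.ip_address(ip) in net for net in tables[num])

def verdict(tables, src, dst, direction, proto="tcp", authenticated=False):
    """First matching rule for one direction on the CP interface ('in' = entering
    from the LAN, 'out' = leaving towards it); gateway/ICMP/pipe rules omitted."""
    if direction == "in":
        if in_table(tables, 3, src):
            return (65314, "allow")          # allowed 'from' source, no auth needed
        if in_table(tables, 7, dst):
            return (65318, "allow")          # allowed 'to' destination
        if authenticated:
            return (65322, "allow")          # client logged in (table 1)
        if proto == "tcp":
            return (65531, "fwd 127.0.0.1,8000")  # redirect to the portal
    else:
        if in_table(tables, 4, dst):
            return (65315, "allow")
        if in_table(tables, 8, src):
            return (65319, "allow")
        if authenticated:
            return (65323, "allow")          # client logged in (table 2)
        if proto == "tcp":
            return (65532, "allow")
    return (65533, "deny")

if __name__ == "__main__":
    both = build_tables([("10.3.0.0/16", "both")])
    to_only = build_tables([("10.3.0.0/16", "to")])
    print(verdict(both, "10.3.0.5", "203.0.113.10", "in"))     # (65314, 'allow'): bypasses auth
    print(verdict(to_only, "10.3.0.5", "203.0.113.10", "in"))  # (65531, 'fwd 127.0.0.1,8000')
    print(verdict(to_only, "10.1.0.50", "10.3.0.5", "in"))     # (65318, 'allow'): subnet still reachable
```

With 'both', any host in 10.3.0.0/16 that enters the CP interface is let out to the internet unauthenticated; with 'to', local clients still reach the subnet and its replies still return, but the remote host's own internet traffic is redirected to the portal.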