RE: ipmasqadm portfw

2002-01-13 Thread Jeremy L. Gaddis 
You need to say Yes to Network Firewalls, IP: firewalling,
IP: masquerading and IP: masquerading special modules support.

You also need to say Yes to Prompt for development and/or
incomplete code/drivers if you haven't already.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-Original Message-
From: Jonathan Daugherty [mailto:[EMAIL PROTECTED] Behalf Of
Jonathan Daugherty
Sent: Sunday, January 13, 2002 9:06 PM
To: debian-firewall@lists.debian.org
Subject: ipmasqadm portfw


When I run this --

ipmasqadm portfw -f

I get

portfw: setsockopt failed: Invalid argument

I have ipmasqing turned on in my kernel (2.2.20) and I have all three fw
modules (autofw, mfw, and portfw) loaded.  Any ideas?

--

 Jonathan Daugherty
 Dept. of Computer Science / Engineering Support, EITS

 See http://www.debian.org/Bugs/Reporting when submitting bugs --
 to any forum.


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]

Re: ipmasqadm portfw

2001-09-05 Thread Jens Schuessler 
At 16:04 05.09.01, you wrote:
# Send HTTP traffic to web server
/usr/sbin/ipmasqadm portfw -a -P tcp -L $localip 80 -R $webserver 80

$ nmap localhost

Port   State   Service
22/tcp openssh
25/tcp opensmtp

Shouldn't I see port 80 in this scan?
No, cause you don't provide any service on localhost:80. There's no daemon 
listening at port 80 on this machine.
If a packet comes from outside to your $localip:80 it'll be forwarded to 
the ipadress of your webserver.
I've tried your settings and it'S the same result here.

#nmap localhost
Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
PortState   Protocol  Service
25  opentcpsmtp
113 opentcpauth
#nmap $localip (eth0)
Interesting ports on jupiter.schnellinger.dyndns.org (192.168.10.2):
PortState   Protocol  Service
22  opentcpssh
25  opentcpsmtp
113 opentcpauth
Greetings
Jens

RE: ipmasqadm portfw

2001-05-22 Thread T. Schlenkhoff 
Hi Gabriele,

if I get this right - this could be your solution. Cory Petkovsek described
it on 05/09/2001 here on list. I´ve cited his mail:

On Wed, May 09, 2001 at 11:02:07AM -0300, Jeronimo Pellegrini wrote:

 masquerading and port forwarding (we want connections
 to ports 25 and 80 forwarded to our mail and web server,
 besides some other things).

 It mostly works as it is now, except for one problem:

 From the outside world, everything works perfectly,
 and ports are forwarded:

 [EMAIL PROTECTED]:~$ telnet xxx.xxx.xxx.xxx 80
 Trying xxx.xxx.xxx.xxx...
 Connected to xxx.xxx.xxx.xxx.
 Escape character is '^]'.

Yes this is connected (see connected to...)



 from the internal network (10.10.10.0/8), it seems
 that ports are being forwarded, but after the connection
 is established, nothing else happens:

 [EMAIL PROTECTED]:~$ telnet firewall 80
 Trying xxx.xxx.xxx.xxx...
This did not connect.  This is shows your packets went unsanswered (or the
answer wasn't recognized.  read on).  You have not received any thing coming
back, such as a reject packet.  On any non-firewall computer try telnet
localhost 10 or some other port that is closed.  You won't see trying
  You will see trying .: connection refused.  This means you got
a packet back saying we are closed.

snip

I think the problem is that your workstation on a 10.x.x.x connects to the
firewall, which NATs the packet and reroutes it to a webserver on a 10.x.x.x
network. Unfortunately for you, the workstation and the webserver are on the
same network.

Juno = 10.120
webserver = 10.107
firewall = 10.101

juno: connect to firewall  (10.120 -- 10.101)
firewall: dnat to www (10.120 -- 10.107)
juno: waiting for a packet back from firewall --over
www: response packets (10.107 -- 10.120)
juno: what are these packets from www?!?  I'm dropping them
juno: waiting for a packet back from firewall --over

The problem is that www is not routing the packets back from whence they
came, thus allowing the firewall to un-DNAT them.  The webserver sees
packets coming from juno for itself, so it responds to them directly.  You
have spoofed your own packets, and have faked out your own servers.  ;)

Possible solutions?
- Put your servers on a different subnet so that all traffic to the server
must be routed through your firewall (probably not a good idea for
performance).
- What you need is to both DNAT and SNAT a packet, but I don't know if you
can do both at once.

Sorry, I don't have an answer for how to fix it, but perhaps this will spark
someone else's comment.

Cory