At 12:33 PM 11/16/02 -0500, billy jacobs wrote:
> OK, what I thought would be a simple autofw problem turns out to be much more in-depth than I thought it would be. My slip up is that I assumed that I could forward based on the source port, and not the destination.

> You are absolutely correct -- I am "plowing new ground" here, because there is very limited information on exactly how this service works. From all the documentation I found on the web (almost all from end-users), they are all using linksys routers (or similar devices), and their end-all answer is to "put it on the DMZ". I was trying to avoid setting up any kind of DMZ setup off my router. The only IP-specific (and not router model specific) information I have found is to simply forward 6000-6999/udp to the PS2. Of course, they never mention if that's a source port or destination port, but going by the tcpdump trace, I can only assume it's a source 6000-6999/udp.
Without seeing the documentation you refer to here, I'd be reluctant to guess how those others are using the term "forward". But in a Linux/LEAF context, the unqualified instruction "forward 6000-6999/udp" would invariably refer to destination ports. Since I don't know how Linksys or similar devices handle DMZs, that info gives me no added clues.

As to the tcpdump trace, I am puzzled that it shows *no* outgoing traffic either from the NAT ports (which "\.6..." should grep quite nicely, but "\.6... " would miss -- which did you really use?) or to any remote 6000-6999 ports (which either regex should match). You might want to look at less-filtered tcpdump output to get a better understanding of what is going on.

> Again, lack of technical specifics on how this service works is holding me back.
Welcome to Linux. Not that this is Linux's fault, but people who provide information tend to assume that Windows is the lingua franca of computing, so often do not provide answers in forms useful to Linux users or developers. Teasing out the relevant facts is a common skill among Linux developers.

> You were correct to assume that my address is the rr.com address. I apologize for not going much more in depth when I started out this thread, because as I said, I thought it would be much simpler (incorrect ipchains syntax, for example). I was actually a little unsure about just posting only the "relevant" parts of network.conf and ipfilter.conf. From reading prior posts, at least for me, it's very easy to get lost in all of the extra information presented when people post complete conf files. So that is my fault for not giving at least a little more detail on my setup.
This is worth a comment, because it is a misguided reason for refraining from posting the necessary details, and others may feel the way you do. Detail may confuse inexperienced users of LEAF distros, but it helps experienced users and developers. You're more likely to get help from an experienced LEAF user or developer than a beginner (simply because experienced users and developers know more), so you want to include what we need, even if seeing it from others causes you to "get lost". This is especially true when the omitted detail forces us to guess about which half of a connection pair is your end, which the remote end.

The SR FAQ is a good (not perfect, but good) starting guide here, and you'll notice that it asks for output of commands, NOT config files.

> I assume with iptables, the --source-port and --dport would be the keys to doing what I am trying to do. They would allow me to specify packets which match the source ports I am looking at and forward them to an internal host. IPChains/IPMasqadm don't have this functionality built in, right?
Yes to the iptables part ... the PREROUTING table offers much more flexibility than prior firewalling implementations had. I think so, with respect to the ipchains/ipmasqadm part (at least I don't know how to do it with ipchains/ipmasqadm).

This part is only a guess ... but you may be running into problems involving which side initiates the connection. If your PS2 initiates traffic from port 6000, that connection will get NAT'd. If the remote end initiates a connection to port 6000, it will be forwarded to the PS2. You need (I think) to make ALL traffic from PS2 port 6000 look like it is coming from router port 6000, not router port 61XXX. I haven't actually tried to do this with the PREROUTING table, but I believe it can be done ... with the typical server restriction that such a setup can connect only a single PS2 to the Internet.

> It sounds like I will have to take this discussion off-line and do some research on my own. I appreciate all the help and explanations you guys have given.
[old stuff deleted]
Good luck. Keep us informed; this is likely to come up again.


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
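The thread turns on two questions that a less-filtered tcpdump trace can settle: whether 6000-6999/udp shows up as a source port or as a destination port, and which end sends the first packet of each flow (so whether plain masquerading covers it or an inbound forward is needed). The following is an added example, not code posted by either participant: a small Python classifier over constructed tcpdump lines in the old `src.sport > dst.dport: udp len` format. The addresses (192.168.1.20 for the PS2, 192.0.2.10 for the router's WAN side, 198.51.100.x peers) and the port numbers are assumptions, and the WAN-side trace is constructed to show the masqueraded 61xxx source ports the reply above mentions. It also counts hits for the two grep patterns discussed earlier so you can see on real output how a trailing space in the pattern behaves.

```python
"""Classify a UDP tcpdump trace by direction and port range.

Added example, not code from the mailing-list thread. It answers the two
questions the thread leaves open: does 6000-6999/udp show up as a source or
as a destination port, and which side sends the first packet of each flow.
The trace lines are constructed in the old tcpdump "src.sport > dst.dport:
udp len" format with made-up addresses (RFC 1918 inside, TEST-NET outside).
"""
import re
from collections import Counter

PS2 = "192.168.1.20"        # assumed LAN address of the console
ROUTER_WAN = "192.0.2.10"   # assumed public address of the LEAF router
PORT_RANGE = range(6000, 7000)

# tcpdump 3.x style: "HH:MM:SS.usec src.sport > dst.dport: udp length"
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)

# Constructed capture on the router's LAN interface: the PS2 talks from
# ports in the range and the far end answers back to that same port.
LAN_TRACE = """\
12:33:01.000001 192.168.1.20.6001 > 198.51.100.7.3074: udp 64
12:33:01.120300 198.51.100.7.3074 > 192.168.1.20.6001: udp 48
12:33:09.000000 192.168.1.20.6003 > 198.51.100.7.3074: udp 64
""".splitlines()

# Constructed capture of the same traffic on the WAN interface: masquerading
# has rewritten the PS2's source port to 61xxx, and one unsolicited packet
# from a second peer arrives for port 6002 (nothing inside asked for it).
WAN_TRACE = """\
12:33:01.000250 192.0.2.10.61234 > 198.51.100.7.3074: udp 64
12:33:01.120000 198.51.100.7.3074 > 192.0.2.10.61234: udp 48
12:33:05.000000 198.51.100.9.3074 > 192.0.2.10.6002: udp 40
12:33:09.000200 192.0.2.10.61235 > 198.51.100.7.3074: udp 64
""".splitlines()


def parse_line(line):
    """Return (src, sport, dst, dport) for one UDP line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def summarize(lines, inside):
    """Count where the port range appears, relative to our own address.

    `inside` is the address that counts as "our end" in this capture (the
    PS2 on the LAN side, the router's WAN address on the WAN side). The
    summary also records which end sent the first packet of each flow,
    which decides whether masquerading alone suffices or a forward is needed.
    """
    counts = Counter()
    initiators = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip non-UDP or otherwise unparseable lines
        src, sport, dst, dport = rec
        direction = "out" if src == inside else "in"
        if sport in PORT_RANGE:
            counts[f"{direction}_sport_in_range"] += 1
        if dport in PORT_RANGE:
            counts[f"{direction}_dport_in_range"] += 1
        # A flow is the unordered pair of endpoints; the first packet seen
        # for it tells us who initiated.
        flow = tuple(sorted([(src, sport), (dst, dport)]))
        initiators.setdefault(flow, "inside" if direction == "out" else "outside")
    counts["flows_started_inside"] = sum(v == "inside" for v in initiators.values())
    counts["flows_started_outside"] = sum(v == "outside" for v in initiators.values())
    return dict(counts)


def grep_count(lines, pattern):
    """Number of lines a grep-style regex hits, to compare candidate patterns."""
    rx = re.compile(pattern)
    return sum(1 for line in lines if rx.search(line))


if __name__ == "__main__":
    print("LAN side:", summarize(LAN_TRACE, PS2))
    print("WAN side:", summarize(WAN_TRACE, ROUTER_WAN))
    for pat in (r"\.6...", r"\.6... "):
        print(f"grep '{pat}' on WAN trace:", grep_count(WAN_TRACE, pat))
```

On these constructed traces the LAN-side summary reports the range only as the PS2's source port, while the WAN side shows a flow started from outside with a destination port in the range; the masqueraded 61xxx ports are matched by `\.6...` but not by `\.6... `, since the fifth digit sits where the pattern demands a space. In iptables terms the two findings map onto two different rules: unsolicited inbound udp traffic with `--dport 6000:6999` is handled by a DNAT target in the nat table's PREROUTING chain pointing at the PS2, and keeping the console's source port inside the range on the way out is what an SNAT target with a `--to-source ADDR:6000-6999` port range in the nat POSTROUTING chain does.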



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html