At 04:37 PM 12/21/2003 -0500, Kory Krofft wrote:
> [...]
>
> If you make it through all this you are way too nice a guy. But I appreciate your help. :-)

No, just a fast reader. Anyway, the bulk of it was the Shorewall output, and that's highly structured, making it easy to find the relevant parts.


Now to the substance.

The LEAF router is, almost certainly, NOT the problem, as I pretty much suspected. The relevant packets are making it through in both directions. The connection attempt generates these packets in the filter::FORWARD chain:

5 208 eth1_fwd all -- eth1 * 0.0.0.0/0 0.0.0.0/0
3 168 eth2_fwd all -- eth2 * 0.0.0.0/0 0.0.0.0/0


They meander through chains for awhile, but end up getting ACCEPTed by these rules --

Chain loc2dmz (1 references)
4 160 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110


Chain dmz2loc (1 references)
3 168 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED


So the router routes everything it sees in the test, which appears to be an initial connection from the client, some sort of response from the POP server, then a follow-up from the client.

Here is what the connection looks like to the router --

tcp 6 118 TIME_WAIT src=192.168.1.1 dst=192.168.10.1 sport=2805 dport=110 src=192.168.10.1 dst=192.168.1.1 sport=110 dport=2805 [ASSURED] use=1

Now this part I don't actually know how to read, so perhaps someone more familiar with Shorewall can pop in here and say if this indicates a router problem (which I doubt) or just means that the router is waiting for something to use the connection. Specifically, I don't know the meanings of the TIME_WAIT and ASSURED notations.

I don't know your setup well enough to tell you what is going on in the Shorewall DROP log, but since it involves ports 67 and 68, it has something to do with DHCP leases, not anything to do with POP3.

As to telnet, when you wrote --

> Where can I get a telnet.lrp package? I have ssh running on the DMZ host but not telnet.

-- you misunderstood my (and Lynn's) suggestion. We were suggesting that you use a telnet client on your Windows host, or any convenient LAN host, to connect to port 110 (the POP3 port) on the LEAF host. You do this with (probably; I don't actually use the Windows telnet client, but this is how a Linux telnet client would do it):


telnet 192.168.10.1 110

Then enter the commands as I described them before. Here is an example from one of my Linux workstations to a Linux server running a POP3 server ... the commands I sent and the replies I got (which indicate a working POP3 connection, but an empty mailbox).

[EMAIL PROTECTED]:/home/ray$ telnet celine 110
Trying 192.168.1.23...
Connected to celine.comarre.lan.
Escape character is '^]'.
+OK
USER ray
+OK
PASS XXXXXXXX [edited]
+OK
LIST
+OK
.
quit
+OK
Connection closed by foreign host.

So you do not need a telnet.lrp (actually, by custom, the server package would be telnetd.lrp) on the target system. Good thing, because I don't think it exists -- telnet is too insecure for regular use, though the client remains useful for these sorts of tests.

Last thing ... the tcpdump output you sent indicates that after the POP3 connection is initiated, the POP3 server is trying to do a reverse lookup on the source IP address. Several packets indicate this, the first being --

16:37:26.524013 192.168.10.1.59258 > 192.168.1.254.53: 28701+ PTR? 1.10.168.192.in-addr.arpa. (43) (DF)

The router responds with a "port unreachable" packet:

16:37:29.547086 192.168.10.254 > 192.168.10.1: icmp: 192.168.10.254 udp port 53 unreachable [tos 0xc0]

This certainly indicates some sort of a configuration error, but not knowing the details of your setup, I can't say what that error is. It does make me guess that the POP3 server does not reply, after the initial reply, because it cannot do a lookup on the IP address. Or ... a blue-sky thought here ... how long do you wait before giving up? DNS failures can, in some cases, cause delays of up to 3 minutes in responses.

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
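The hand-typed POP3 test from the message above (telnet to port 110, then USER / PASS / LIST / quit), as an added example in Python that is not part of the original post or of the LEAF project. It drives the same exchange over a socket and, because the thread's symptom is a server that answers once and then goes quiet, it treats silence after any command as a failure instead of hanging the way an interactive telnet session would. The server side is a constructed stub so the script runs offline; the user name ray, the masked password and the host name passed to pop3_probe are placeholders.

```python
# Added example, not code from the original post or the LEAF project.
# POP3 check driven by hand over a socket; the server stub is constructed
# for offline use and is not a real mail server.
import socket
import threading

CRLF = b"\r\n"


def _readline(sock):
    """Read one CRLF-terminated POP3 line; returns '' if the peer closed."""
    buf = b""
    while not buf.endswith(CRLF):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def pop3_session(sock, user, password, timeout=5.0):
    """Run the same USER / PASS / LIST / QUIT exchange as the telnet test.

    Returns (ok, transcript). transcript is a list of (sent, received) pairs;
    lines the client did not ask for (greeting, LIST body) have sent=None.
    ok is False when the server answers -ERR, closes the connection, or is
    silent for `timeout` seconds (what a server stuck in a reverse-DNS
    lookup looks like from the client side).
    """
    sock.settimeout(timeout)
    transcript = []
    silent = "<no reply within %gs>" % timeout

    def reply_to(cmd):
        if cmd is not None:
            sock.sendall(cmd.encode("ascii") + CRLF)
        try:
            line = _readline(sock)
        except socket.timeout:
            line = silent
        transcript.append((cmd, line))
        return line.startswith("+OK")

    if not reply_to(None):                       # server greeting
        return False, transcript
    for cmd in ("USER " + user, "PASS " + password, "LIST"):
        if not reply_to(cmd):
            return False, transcript
    # LIST is multi-line: one "<msg> <octets>" line per message, ended by "."
    while True:
        try:
            line = _readline(sock)
        except socket.timeout:
            transcript.append((None, silent))
            return False, transcript
        transcript.append((None, line))
        if line == ".":
            break
        if line == "":                           # peer closed mid-listing
            return False, transcript
    return reply_to("quit"), transcript


def pop3_probe(host, user, password, port=110, timeout=5.0):
    """Same check against a real host: 'telnet HOST 110' plus the commands."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return pop3_session(sock, user, password, timeout)


def fake_pop3_server(sock, hang_after_banner=False):
    """Constructed stub: accepts any USER/PASS and reports an empty mailbox.
    With hang_after_banner=True it greets the client and then never answers."""
    try:
        sock.sendall(b"+OK" + CRLF)
        if hang_after_banner:
            while sock.recv(1):                  # swallow input until client quits
                pass
            return
        while True:
            line = _readline(sock)
            verb = line.split(" ", 1)[0].upper()
            if line == "":
                return                           # client went away
            if verb in ("USER", "PASS"):
                sock.sendall(b"+OK" + CRLF)
            elif verb == "LIST":
                sock.sendall(b"+OK" + CRLF + b"." + CRLF)   # no messages
            elif verb == "QUIT":
                sock.sendall(b"+OK" + CRLF)
                return
            else:
                sock.sendall(b"-ERR unknown command" + CRLF)
    finally:
        sock.close()


def run_offline(user="ray", password="XXXXXXXX", hang_after_banner=False):
    """Pair the client with the stub over a socketpair; returns (ok, transcript)."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_pop3_server,
                              args=(server, hang_after_banner), daemon=True)
    worker.start()
    try:
        return pop3_session(client, user, password, timeout=1.0)
    finally:
        client.close()
        worker.join(2)


if __name__ == "__main__":
    for hang in (False, True):
        ok, transcript = run_offline(hang_after_banner=hang)
        print("hang_after_banner=%s -> ok=%s" % (hang, ok))
        for sent, got in transcript:
            if sent is not None:
                print("  C: " + sent)
            print("  S: " + got)
```

Against a real server use pop3_probe("192.168.10.1", "ray", "...") from a LAN host; a transcript that stops with "<no reply within ...>" right after the greeting or after USER is the symptom the message attributes to the failed reverse lookup, and is worth timing against the DNS timeout rather than assuming the connection is being dropped.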
