Hey, sorry it took me so long to respond.
Here is the output from netstat:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 1500 0 0
eth0
205.216.92.1 0.0.0.0 255.255.255.255 UH 1500 0 0
ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 1500 0 0
eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 7168 0 0 lo
0.0.0.0 205.216.92.1 0.0.0.0 UG 1500 0 0
ppp0
Here is the output from ifconfig:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Bcast:127.255.255.255 Mask:255.0.0.0
UP BROADCAST LOOPBACK RUNNING MTU:7168 Metric:1
RX packets:22806 errors:0 dropped:0 overruns:0 frame:0
TX packets:22806 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
eth0 Link encap:Ethernet HWaddr 00:00:F8:23:41:BB
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:497537 errors:8 dropped:0 overruns:0 frame:8
TX packets:524991 errors:0 dropped:0 overruns:0 carrier:0
collisions:92258
Interrupt:15 Base address:0x8800
ppp0 Link encap:Point-to-Point Protocol
inet addr:208.134.96.35 P-t-P:205.216.92.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING MTU:1500 Metric:1
RX packets:42 errors:5 dropped:5 overruns:0 frame:0
TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
collisions:0
Memory:fffffc00036ec048-fffffc00036ecc14
Here is the output from /var/log/messages:
Mar 15 11:55:32 alpha pppd[11621]: Connect: ppp0 <--> /dev/modem
Mar 15 11:55:39 alpha pppd[11621]: Remote message: Login Succeeded
Mar 15 11:55:39 alpha pppd[11621]: local IP address 208.134.96.35
Mar 15 11:55:39 alpha pppd[11621]: remote IP address 205.216.92.1
Mar 15 11:59:43 alpha modprobe: can't locate module net-pf-4
Mar 15 11:59:43 alpha modprobe: can't locate module net-pf-5
Mar 15 11:59:47 alpha dhcpd: DHCPREQUEST for 192.168.1.101 from
00:60:97:ce:b5:80 via eth0
Mar 15 11:59:47 alpha dhcpd: DHCPACK on 192.168.1.101 to 00:60:97:ce:b5:80
via eth0
Mar 15 12:01:01 alpha PAM_pwdb[11668]: (su) session opened for user news by
(uid=9)
Mar 15 12:01:02 alpha PAM_pwdb[11668]: (su) session closed for user news
I do not have syslogd running and I am running ppp-2.3.5-1.
Thanks!!
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of David A. Ranch
Sent: Tuesday, March 09, 1999 2:09 PM
To: David Dionne; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Masq] Quicken, Quickbooks updates or https
Well, your timeouts are fine:
>#added by David Dionne#
>ipfwadm -F -p deny
>ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
>ipfwadm -M -s 7200 10 60
>for x in /lib/modules/`uname -r`/ipv4/ip_masq_*; do
>/sbin/modprobe `basename $x`
>done
>route add -host 255.255.255.255 eth0
>#end addition by David Dionne#
So, looking through your TCPDUMP, something looks a-miss. Though I don't
understand all of the sections, the following sticks out to me:
--
18:04:13.732422 206.154.102.241.http > 192.168.1.101.1134: .
33722:35182(1460)
ack 471 win 61320 (DF)
18:04:13.904297 208.134.96.33.64917 > 206.154.102.241.http: . ack 35182 win
8760 (DF)
18:04:15.092773 206.154.102.241.http > 208.134.96.33.64917: .
35182:36642(1460)
ack 470 win 61320 (DF)
18:04:16.469727 206.154.102.241.http > 208.134.96.33.64917: .
36642:38102(1460)
ack 470 win 61320 (DF)
18:04:16.936523 206.154.102.241.http > 208.134.96.33.64917: .
38102:39562(1460)
ack 470 win 61320 (DF)
18:04:17.488281 206.154.102.241.http > 208.134.96.33.64917: .
39562:41022(1460)
ack 470 win 61320 (DF)
--
Notice that the data was running fine with ACK # 471. Then, for some
reason,
it went to #470 and re-tried that four times without success. But, later,
it
looks like ack #471 finally came back again.. and then #470 worked again.
--
18:04:21.903320 206.154.102.241.http > 192.168.1.101.1134: .
35182:36642(1460)
ack 471 win 61320 (DF)
18:04:22.107422 208.134.96.33.64917 > 206.154.102.241.http: . ack 36642 win
8760 (DF)
18:04:23.664063 206.154.102.241.http > 208.134.96.33.64917: .
36642:38102(1460)
ack 470 win 61320 (DF)
18:05:04.783203 206.154.102.241.http > 192.168.1.101.1134: .
36642:38102(1460)
ack 471 win 61320 (DF)
18:05:04.983398 208.134.96.33.64917 > 206.154.102.241.http: . ack 38102 win
8760 (DF)
18:05:05.913086 206.154.102.241.http > 192.168.1.101.1134: .
38102:39562(1460)
ack 471 win 61320 (DF)
18:05:06.077148 208.134.96.33.64917 > 206.154.102.241.http: . ack 39562 win
8760 (DF)
18:05:07.125977 206.154.102.241.http > 208.134.96.33.64917: .
39562:41022(1460)
ack 470 win 61320 (DF)
18:05:07.677734 206.154.102.241.http > 208.134.96.33.64917: .
41022:42482(1460)
ack 470 win 61320 (DF)
--
Again.. it happens here too.
I'm just curious, send me a copy of the following just after Quicken fails.
Also.. after quicken fails, is there anything interesting at the end of
your /var/log/syslog and /var/log/messages files?
/bin/netstat -rn
/sbin/ifconfig
One last thing.. what version of PPPd are you running?
--David
>
>
>
>
>Thanks again!
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]] On Behalf Of Gary S. Mackay
>Sent: Monday, March 08, 1999 9:10 PM
>To: David A. Ranch
>Cc: David Dionne; [EMAIL PROTECTED]
>Subject: Re: [Masq] Quicken, Quickbooks updates or https
>
>
>Just a guess, but I think the pm1-17 entry is the Lucent PortMaster he
>dialed into. I show the same type of entries in my logs and I know my
>ISP uses them.
>
>"David A. Ranch" wrote:
>>
>> >The download then fails after about 90 sec.
>>
>> Are you setting any timeouts in your rc.firewall ruleset? If not,
>> try doing that first. Its described in TrinityOS - Section 10.
>>
>> >Why in the second dump does the far end send packets to my windows
>machine
>> >(192.168.1.101), shouldn't that be behind the ipmasq?
>>
>> First, in your tcpdump,
>>
>> 1. onlpatch.quicken.com.http - This must be Intuit's update server
>> 2. supermega.little.net.3516 - What is this server?
>> Is this your 192.168.1.101 server?
>> 3. pm1-17.ro.com.64583 - This must be your Linux box
>>
>> What is #2??? The reason being:
>>
>> --
>> 23:27:48.751953 onlpatch.quicken.com.http > supermega.little.net.3516: .
>> 141:1601(1460) ack 471 win 61320 (DF)
>> 23:27:48.914063 pm1-17.ro.com.64583 > onlpatch.quicken.com.http: . ack
>1601 win
>> 8760 (DF)
>> --
>>
>> Thats an odd traffic flow.
>>
>> --David
>>
>.--------------------------------------------------------------------------
-
>-.
>> | David A. Ranch - Linux/Networking/PC hardware
>[EMAIL PROTECTED] |
>>
> ----!
>> `----- For more detailed info, see
>http://www.ecst.csuchico.edu/~dranch -----'
>>
>> _______________________________________________
>> Masq maillist - [EMAIL PROTECTED]
>> http://tiffany.indyramp.com/mailman/listinfo/masq
>> Admin requests can be handled by web (above) or
>[EMAIL PROTECTED]
>
>--
>Edison Information Technologies
>P.O. Box 554
>Milan, OH 44846-0554
>419.499.7040
>[EMAIL PROTECTED]
>--
>
>
>_______________________________________________
>Masq maillist - [EMAIL PROTECTED]
>http://tiffany.indyramp.com/mailman/listinfo/masq
>Admin requests can be handled by web (above) or
>[EMAIL PROTECTED]
>
>Attachment Converted: "c:\program files\eudora3-ecst\attach\quicken2.tcp"
>
.---------------------------------------------------------------------------
-.
| David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
|
!---- ---
-!
`----- For more detailed info, see
http://www.ecst.csuchico.edu/~dranch -----'
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or
[EMAIL PROTECTED]
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
