ipf/ipnat problem

2005-11-04 Thread Efren Bravo
Hi,

Problem with ipf/ipnat.

(PC1: 192.168.80.15)
   \\
 (fbsd vr0 out if: 192.168.80.4) 
 ||   
 (fbsd sis0 in if: 7.96.10.13)
   // 
(Internal LAN: 7.96.10.x)
 //
(PC2: 7.96.10.200 - Telnet running)
(PC3: 7.96.10.201 - Web Srv running)

IPF Rules:
--
The same of handbook 25.5.13 Inclusive Rule Set
Example but adjusted to PC2, PC3 Services.

#Allow in SSH from public LAN to fBSD Box
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state

#Allow in Telnet from public LAN to PC2
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state

#Allow in HTTP from public LAN to PC3
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state

IPNAT Rules (vr0 = out if):
--
map vr0 7.96.10.0/24 -> 192.168.80.4/32
rdr vr0 192.168.80.4/32 port 23 -> 7.96.10.200 port 23
rdr vr0 192.168.80.4/32 port 80 -> 7.96.10.201 port 80


From the internal LAN I've access to any services on the public LAN.
From the public LAN I've access to fBSD's ssh but have no access to the internal telnet or web server.

Nevertheless I get these statistics:
ipfstat -t:
---
Source IP          Destination IP    ST   PR   #pkts  #bytes  ttl
192.168.80.15,3513 192.168.80.4,22   4/4  tcp  107    12141   119:59:59
192.168.80.15,3512 7.96.10.200,23    2/0  tcp  6      288     2:12
192.168.80.15,3510 7.96.10.201,80    2/0  tcp  6      288     2:00

ipnat -l:
-
List of active sessions:
RDR 7.96.10.200 23 <- -> 192.168.80.4 23   [192.168.80.15 3512]
RDR 7.96.10.201 80 <- -> 192.168.80.4 80   [192.168.80.15 3510]

What could be happening?

Thanks...


Efren Bravo.





___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
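The numbers in the ST column of `ipfstat -t` are the TCP state the filter has tracked for each side of the connection, and reading them together with `ipnat -l` is the check to do on a report like the one above. The following script is an added example, not code from the poster or from IPFilter: it parses the two outputs (the sample text is constructed here from the table in the post, with the wrapped lines rejoined), decodes the state pair, and reports redirected sessions where a SYN went in but the filter never saw a SYN-ACK come back. The state-number table is my reading of IPFilter's TCP state numbering and is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP state numbers as shown in the ST column (source side / destination side).
# Assumption: IPFilter follows the BSD TCP state numbering below.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT", 11: "HALF_ESTAB",
}

# Constructed sample input, mirrored from the post (lines rejoined).
IPFSTAT_SAMPLE = """\
Source IP          Destination IP    ST   PR   #pkts  #bytes  ttl
192.168.80.15,3513 192.168.80.4,22   4/4  tcp  107    12141   119:59:59
192.168.80.15,3512 7.96.10.200,23    2/0  tcp  6      288     2:12
192.168.80.15,3510 7.96.10.201,80    2/0  tcp  6      288     2:00
"""

IPNAT_SAMPLE = """\
List of active sessions:
RDR 7.96.10.200 23 <- -> 192.168.80.4 23   [192.168.80.15 3512]
RDR 7.96.10.201 80 <- -> 192.168.80.4 80   [192.168.80.15 3510]
"""


@dataclass
class StateEntry:
    src: str
    sport: int
    dst: str
    dport: int
    src_state: int
    dst_state: int
    proto: str
    pkts: int
    nbytes: int
    ttl: str


STATE_ROW = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"(?P<s1>\d+)/(?P<s2>\d+)\s+(?P<proto>[a-z]+)\s+(?P<pkts>\d+)\s+"
    r"(?P<bytes>\d+)\s+(?P<ttl>[\d:]+)$"
)

RDR_ROW = re.compile(
    r"^RDR\s+(?P<real>[\d.]+)\s+(?P<rport>\d+)\s+<- ->\s+(?P<pub>[\d.]+)\s+"
    r"(?P<pport>\d+)\s+\[(?P<client>[\d.]+)\s+(?P<cport>\d+)\]$"
)


def parse_ipfstat(text: str) -> List[StateEntry]:
    """Parse the rows of `ipfstat -t`; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = STATE_ROW.match(line.strip())
        if not m:
            continue
        entries.append(StateEntry(
            m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            int(m["s1"]), int(m["s2"]), m["proto"], int(m["pkts"]),
            int(m["bytes"]), m["ttl"]))
    return entries


def parse_ipnat_rdr(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (client ip, client port) -> (inside ip, inside port) for RDR sessions."""
    sessions = {}
    for line in text.splitlines():
        m = RDR_ROW.match(line.strip())
        if m:
            sessions[(m["client"], int(m["cport"]))] = (m["real"], int(m["rport"]))
    return sessions


def is_half_open(e: StateEntry) -> bool:
    # 2/0: the client sent a SYN, the other side is still CLOSED from the
    # filter's point of view, i.e. no SYN-ACK has passed through it.
    return e.proto == "tcp" and e.src_state == 2 and e.dst_state == 0


def diagnose(ipfstat_text: str, ipnat_text: str) -> List[str]:
    """One finding per state entry, correlated with the RDR session table."""
    rdr = parse_ipnat_rdr(ipnat_text)
    findings = []
    for e in parse_ipfstat(ipfstat_text):
        label = (f"{e.src}:{e.sport} -> {e.dst}:{e.dport} "
                 f"({TCP_STATES[e.src_state]}/{TCP_STATES[e.dst_state]})")
        if not is_half_open(e):
            findings.append(f"OK      {label}")
            continue
        real = rdr.get((e.src, e.sport))
        if real:
            findings.append(f"STALLED {label}: RDR session to {real[0]}:{real[1]} "
                            f"exists, but no SYN-ACK came back through the filter")
        else:
            findings.append(f"STALLED {label}: no RDR session for this client")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IPFSTAT_SAMPLE, IPNAT_SAMPLE):
        print(finding)
```

On the post's data this reports the ssh session as established and both redirected sessions as stalled with a live RDR entry, which narrows the problem to the return path from PC2 and PC3 rather than to the rdr rules themselves: the translation was created and the SYN was forwarded, but nothing came back for the filter to match.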


Re: FreeBSD 4.6 and funky IPF/IPNat problem.

2003-03-02 Thread Kirill Ponazdyr
After doing some research, I found out that it is the rfc1323 option which
causes this problem.

If we disable net.inet.tcp.rfc1323 the problems disappear. Does anyone have
an idea why IPSec causes the rfc1323 extended connections to stall?

Best Regards

Kirill



> Hi,
>
> We have a quite weird problem which I would like to find an answer for,
> here is a schema of the network:
>
>
> < Internet > !1 Firewall A  !2 <- Intranet segment 1 ->
> | !3  |
> |  |  |
>   Host A   |Host B
>  |
> Leased Line/IPSec Tunnel
>  |
>  |
>  |
> !1
>   Firewall B !2 <- Intranet Segment 2 ->
>  |
>  |
>Host C
>
> Firewalls A/B and Host B are running FreeBSD 4.6
> Host C is a dual boot machine with FreeBSD 4.6 and W2K
>
> Firewall A performs IPNat for all "inside" packets leaving through the
> "outside" !1 interface. The ipnat statement is:
>
> map dc0 from 192.168.0.0/16 to any -> 0/32
>
> What works:
>
> Host B (Any OS) -> Host A
> Host C (NT) -> Host A
>
> What does not work:
>
> Host C (FreeBSD) -> Host A
>
> After a period of testing I have found out that by some unknown reason
> IPNat on Firewall A will flatly refuse to NAT packets which come from
> IPSec Tunnel and go to Internet and if the communicating host is
> FreeBSD. Not only that, but IPFilter will also fail to keep state
> of those connections which went through it. This is even more confusing
> because we use DHCP on Segment 2 and it delivers the same IP to the Host
> C regardless of its OS, when it is NT, everything works like a charm but
> when it is FreeBSD connections fail. This is a really funky problem I
> have no explanation for, has anyone ever seen something like that before?
>
> To add more to confusion: We also have an IRIX host on the Segment 2 and
> its packets get natted without any problems.
>
> Best Regards
>
> Kirill
>
>
>




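The rfc1323 extensions named in the reply are two TCP options negotiated in the SYN: window scaling and timestamps. Before toggling net.inet.tcp.rfc1323 on a production host, a practitioner would confirm from a capture which options the FreeBSD host actually sends and whether they survive the tunnel. The script below is an added example and not code from the thread: it decodes a TCP header and its option list and reports the rfc1323 options present. The SYN segments it parses are constructed in the script itself (the option layout and values are my choice, not a capture from the poster's network).

```python
import struct
from typing import Any, Dict, List

# TCP option kinds (RFC 793, RFC 2018, RFC 1323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8


def parse_tcp_options(raw: bytes) -> Dict[str, Any]:
    """Walk the kind/length/value list; EOL ends it, NOP is a 1-byte pad."""
    opts: Dict[str, Any] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"truncated option at offset {i}")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad option length {length} at offset {i}")
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["wscale"] = body[0]            # shift count (RFC 1323)
        elif kind == OPT_SACK_PERM and length == 2:
            opts["sack_permitted"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            opts["timestamp"] = struct.unpack("!II", body)  # TSval, TSecr (RFC 1323)
        else:
            opts.setdefault("unknown", []).append((kind, body))
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> Dict[str, Any]:
    """Decode the fixed 20-byte header plus options up to the data offset."""
    if len(segment) < 20:
        raise ValueError("TCP header too short")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    flags = off_flags & 0x1FF
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {"fin": bool(flags & 0x01), "syn": bool(flags & 0x02),
                  "rst": bool(flags & 0x04), "ack": bool(flags & 0x10)},
        "window": window,
        "options": parse_tcp_options(segment[20:data_offset]),
    }


def rfc1323_options(hdr: Dict[str, Any]) -> List[str]:
    """Names of the RFC 1323 options carried by this segment."""
    return sorted(k for k in ("wscale", "timestamp") if k in hdr["options"])


def build_syn(sport: int, dport: int, seq: int, window: int, options: bytes) -> bytes:
    """Constructed SYN for the example; checksum left zero, no IP header."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 4-byte boundary
    off_flags = (((20 + len(options)) // 4) << 12) | 0x02   # data offset, SYN
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, window, 0, 0) + options


# Constructed option lists: one with the RFC 1323 options, one without.
OPTS_RFC1323 = (bytes([OPT_MSS, 4, 0x05, 0xB4, OPT_NOP, OPT_WSCALE, 3, 0,
                       OPT_SACK_PERM, 2, OPT_TIMESTAMP, 10]) + struct.pack("!II", 123456, 0))
OPTS_PLAIN = bytes([OPT_MSS, 4, 0x05, 0xB4, OPT_SACK_PERM, 2])

if __name__ == "__main__":
    for name, opts in (("rfc1323 on", OPTS_RFC1323), ("rfc1323 off", OPTS_PLAIN)):
        hdr = parse_tcp_header(build_syn(3512, 23, 1000, 65535, opts))
        print(name, hdr["options"], "-> rfc1323 options:", rfc1323_options(hdr))
```

If a SYN leaves the host with wscale and timestamp but the copy seen on the far side of the tunnel lacks them, something on the path is rewriting options; if both copies carry them and the connection still stalls, the problem is in how the stateful filter or NAT handles those options. Turning rfc1323 off does make the symptom go away, but it also removes window scaling and PAWS for every connection on the host, so it is a workaround to verify against a capture rather than a fix.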


FreeBSD 4.6 and funky IPF/IPNat problem.

2003-02-28 Thread Kirill Ponazdyr
Hi,

We have a quite weird problem which I would like to find an answer for,
here is a schema of the network:


< Internet > !1 Firewall A  !2 <- Intranet segment 1 ->
| !3  |
|  |  |
  Host A   |Host B
   |
  Leased Line/IPSec Tunnel
   |
   |
   |
  !1
Firewall B !2 <- Intranet Segment 2 ->
   |
   |
 Host C

Firewalls A/B and Host B are running FreeBSD 4.6
Host C is a dual boot machine with FreeBSD 4.6 and W2K

Firewall A performs IPNat for all "inside" packets leaving through the
"outside" !1 interface. The ipnat statement is:

map dc0 from 192.168.0.0/16 to any -> 0/32

What works:

Host B (Any OS) -> Host A
Host C (NT) -> Host A

What does not work:

Host C (FreeBSD) -> Host A

After a period of testing I have found out that by some unknown reason
IPNat on Firewall A will flatly refuse to NAT packets which come from
IPSec Tunnel and go to Internet and if the communicating host is FreeBSD.
Not only that, but IPFilter will also fail to keep state of those
connections which went through it. This is even more confusing because we
use DHCP on Segment 2 and it delivers the same IP to the Host C regardless
of its OS, when it is NT, everything works like a charm but when it is
FreeBSD connections fail. This is a really funky problem I have no
explanation for, has anyone ever seen something like that before?

To add more to confusion: We also have an IRIX host on the Segment 2 and
its packets get natted without any problems.

Best Regards

Kirill


