Re: perceived strange behavior
I got a tcpdump of this occurring if anyone is interested in looking. I have not really had a chance to look at it yet; it's in binary format. There was a flurry of ICMP going from this machine at the time also, I forgot to ask him to turn off everything else.

http://www.qosbox.com/tests/aim.dump.tgz

nb

On Sep 10, 2004, at 6:57 AM, Jason Opperisano wrote:

> On Fri, 2004-09-10 at 03:11, Ryan McBride wrote:
> > On Thu, Sep 09, 2004 at 08:40:23PM -0400, Jason Opperisano wrote:
> > > all use TCP Port 5190. all three connections appear to stay open once
> > > connected. the simple solution appears to be to set a NAT rule that
> > > only uses 1 translation IP for connections on TCP Port 5190.
> >
> > Or use the 'sticky-address' keyword.
>
> yes--precisely. the OP on "other firewall mailing list" was essentially
> asking for pf's sticky-address feature. forgot where i was posting there
> for a second...
>
> -j
> =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
> I hate it when my foot falls asleep during the day cause that means it's
> going to be up all night.
> -- Steven Wright
> =~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Re: perceived strange behavior
On Fri, 2004-09-10 at 03:11, Ryan McBride wrote:
> On Thu, Sep 09, 2004 at 08:40:23PM -0400, Jason Opperisano wrote:
> > all use TCP Port 5190. all three connections appear to stay open once
> > connected. the simple solution appears to be to set a NAT rule that
> > only uses 1 translation IP for connections on TCP Port 5190.
>
> Or use the 'sticky-address' keyword.

yes--precisely. the OP on "other firewall mailing list" was essentially asking for pf's sticky-address feature. forgot where i was posting there for a second...

-j
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
I hate it when my foot falls asleep during the day cause that means it's
going to be up all night.
-- Steven Wright
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
Re: perceived strange behavior
> On Thu, Sep 09, 2004 at 08:40:23PM -0400, Jason Opperisano wrote:
> > all use TCP Port 5190. all three connections appear to stay open once
> > connected. the simple solution appears to be to set a NAT rule that
> > only uses 1 translation IP for connections on TCP Port 5190.
>
> Or use the 'sticky-address' keyword.

I'm actually only using 1 NAT address, although there are 2 addresses that are binatted (other than the 1 nat address). I'll see if I can get them to put it back in place to get some tcpdumps.

It's very interesting; I have many, many more of these types of boxes doing similar jobs and this one is the only one having this issue. The only differences are that this one is 3.5 and the others are either 3.3-stable or 3.4-stable. This box is also substantially newer hardware.
Re: perceived strange behavior
On Thu, Sep 09, 2004 at 08:40:23PM -0400, Jason Opperisano wrote:
> all use TCP Port 5190. all three connections appear to stay open once
> connected. the simple solution appears to be to set a NAT rule that
> only uses 1 translation IP for connections on TCP Port 5190.

Or use the 'sticky-address' keyword.
Re: perceived strange behavior
On Thu, 2004-09-09 at 19:49, Nick Buraglio wrote:
> I built an openbsd firewall for a group of people that I do some
> consulting for from time to time to go in an apartment building that
> serves about 150 - 175 college students. Overall the machine is doing a
> stellar job doing NAT as well as some basic priq QoS. The box is
> running vanilla 3.5, no custom kernel yet, no over the top hardware.
> Specs are p4 2.4ghz (I believe) intel mobo, rl chipset ethernet card and
> onboard fxp chipset card.
>
> I'm seeing some strange behavior in one service though and I cannot
> seem to figure out why. Everything is working, as I said, except some
> users are unable to use AIM. Unfortunately I was unable to get any
> tcpdump information before they took the box offline, but from
> descriptions of the helpdesk people it only affects some people and I
> can find no pattern as to who. Has anyone seen similar behavior or am
> I looking in the wrong place? I saw no one else having similar issues
> when checking through the archives, and I know that probably the only
> way to tell is to get some traces from a user having issues, but I
> figured I'd ask.
>
> I can provide as much information as needed if anyone wants it. If
> not, thanks for reading.

there was just a discussion about this on another mailing list. by chance are you using multiple IP's for outbound NAT? it seems that AOL has changed its login process such that the client makes multiple connections, and if the IP the client is coming from changes during this process--the "connection" fails.

i just tcpdumped a login and i saw three connections:

1) AIM sign-on server (64.12.161.185)
2) AIM Generic Service server (64.12.24.65)
3) AOL Instant Messenger server (205.188.176.90)

all use TCP Port 5190. all three connections appear to stay open once connected. the simple solution appears to be to set a NAT rule that only uses 1 translation IP for connections on TCP Port 5190.

-j
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
There are two problems with a major hangover. You feel like you are going
to die and you're afraid that you won't.
=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
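The two remedies proposed in this thread, Jason's single translation address for TCP port 5190 and Ryan's 'sticky-address' keyword, shown side by side in a pf.conf fragment. This is an added illustration, not a configuration anyone posted in the thread; the interface names (fxp0 external, rl0 internal, following the hardware Nick describes), the 203.0.113.x translation addresses and the client network are assumed placeholders.

```pf
# Added example, not from the thread. Interface names and the
# 203.0.113.x pool are placeholders for this illustration.
ext_if = "fxp0"
int_if = "rl0"
nat_pool = "{ 203.0.113.10, 203.0.113.11 }"

# Problem case: round-robin over several translation addresses. The
# three AIM connections a client opens during login can each leave with
# a different source address, which is what breaks the sign-on.
#
# nat on $ext_if from $int_if:network to any -> $nat_pool round-robin

# Remedy 1 (Jason): pin TCP 5190 to one translation address. pf applies
# the FIRST matching nat rule, so this must come before the general rule.
nat on $ext_if proto tcp from $int_if:network to any port 5190 \
    -> 203.0.113.10

# Remedy 2 (Ryan): keep the pool, but make pf map every connection from
# a given internal host to the same pool address for as long as that
# host has states in the table.
nat on $ext_if from $int_if:network to any -> $nat_pool round-robin sticky-address

# Minimal filter so the translated traffic is actually allowed out.
pass out on $ext_if proto tcp from any to any port 5190 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Afterwards, `pfctl -ss | grep 5190` lists each client's port-5190 states with the translated address in the middle column, so a client whose three connections show two different translation addresses is exactly the failure the thread describes. Note that a sticky mapping is only remembered while the source host still has states; once they all expire, the next connection may be placed on a different pool address, which is harmless for AIM as long as the three login connections are established together.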
perceived strange behavior
I built an openbsd firewall for a group of people that I do some consulting for from time to time to go in an apartment building that serves about 150 - 175 college students. Overall the machine is doing a stellar job doing NAT as well as some basic priq QoS. The box is running vanilla 3.5, no custom kernel yet, no over the top hardware. Specs are p4 2.4ghz (I believe) intel mobo, rl chipset ethernet card and onboard fxp chipset card.

I'm seeing some strange behavior in one service though and I cannot seem to figure out why. Everything is working, as I said, except some users are unable to use AIM. Unfortunately I was unable to get any tcpdump information before they took the box offline, but from descriptions of the helpdesk people it only affects some people and I can find no pattern as to who. Has anyone seen similar behavior or am I looking in the wrong place? I saw no one else having similar issues when checking through the archives, and I know that probably the only way to tell is to get some traces from a user having issues, but I figured I'd ask.

I can provide as much information as needed if anyone wants it. If not, thanks for reading.

nb