Hi Nigel,
The SSL certificate itself does not have any part in this problem as it
never gets that far in the process. As I wrote previously, the TCP
handshake never completes -- e.g. netstat co. never see a connection
in any kind of state. I did try the suggested openssl command as well
as
On 11 Jul 2011 at 20:59, Paul Suh wrote:
On Jul 11, 2011, at 5:57 PM, Jacob L. Leifman wrote:
Environment:
- OpenBSD 4.9, stock (base) apache with self-signed certificate
- behind a SOHO NAT router (with relevant in-bound redirects)
Problem: non-local SSL connections never complete
On Jul 12, 2011, at 9:35 PM, Jacob L. Leifman wrote:
FWIW, I'm guessing that the problem is at the router. The packet trace is
showing a TCP SYN coming from the client, followed correctly by a SYN-ACK
going back from the server. The client should send an ACK packet back, but
instead it waits
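Paul's reading of the trace (SYN in, SYN-ACK out, no ACK back) can be checked mechanically rather than by eye. What follows is an added example, not code from anyone in the thread: a small Python parser over `tcpdump -n` style lines that tracks how far each client flow's three-way handshake got. The sample trace is constructed (documentation addresses, made-up timestamps; 203.0.113.5 stands in for an outside client, 192.168.1.20 for a LAN host, 192.168.1.10 for the httpd behind the router). A flow parked at SYN-ACK with retransmitted SYNs means the SYN-ACK or the client's ACK is dying on the path, i.e. before the certificate can matter; a flow that reaches ESTABLISHED and then carries client bytes got as far as the TLS ClientHello, which is where a hostname/certificate problem would show up instead.

```python
import re

# Constructed tcpdump -n style trace (added example, not from the thread).
# 203.0.113.5 = outside client, 192.168.1.20 = LAN host, 192.168.1.10 = httpd.
SAMPLE_TRACE = """\
21:40:01.100 IP 203.0.113.5.51234 > 192.168.1.10.443: Flags [S], seq 1000, win 65535, length 0
21:40:01.101 IP 192.168.1.10.443 > 203.0.113.5.51234: Flags [S.], seq 5000, ack 1001, win 16384, length 0
21:40:04.100 IP 203.0.113.5.51234 > 192.168.1.10.443: Flags [S], seq 1000, win 65535, length 0
21:40:04.101 IP 192.168.1.10.443 > 203.0.113.5.51234: Flags [S.], seq 5000, ack 1001, win 16384, length 0
21:41:10.200 IP 192.168.1.20.40000 > 192.168.1.10.443: Flags [S], seq 2000, win 65535, length 0
21:41:10.201 IP 192.168.1.10.443 > 192.168.1.20.40000: Flags [S.], seq 6000, ack 2001, win 16384, length 0
21:41:10.202 IP 192.168.1.20.40000 > 192.168.1.10.443: Flags [.], ack 6001, win 65535, length 0
21:41:10.205 IP 192.168.1.20.40000 > 192.168.1.10.443: Flags [P.], seq 2001:2180, ack 6001, win 65535, length 179
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)

STUCK_NO_SYNACK = "stuck: SYN seen, server never answered"
STUCK_AFTER_SYNACK = "stuck: SYN-ACK sent, client ACK never arrived"
ESTABLISHED = "TCP established, no client payload yet"
ESTABLISHED_WITH_DATA = "TCP established, client payload sent (TLS can start)"


def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "length"):
        d[k] = int(d[k])
    return d


def track_handshakes(trace_text, server_port=443):
    """Walk the trace and record, per client (addr, port), how far the handshake got."""
    flows = {}
    for line in trace_text.splitlines():
        p = parse_line(line)
        if p is None:
            continue
        flags = p["flags"]
        if p["dport"] == server_port:            # client -> server direction
            key = (p["src"], p["sport"])
            f = flows.setdefault(key, {"state": "NEW", "syn": 0, "synack": 0, "client_bytes": 0})
            if "S" in flags and "." not in flags:        # bare SYN: initial or retransmit
                f["syn"] += 1
                if f["state"] == "NEW":
                    f["state"] = "SYN_SENT"
            elif f["state"] == "SYN_ACK_SEEN" and "." in flags:   # third packet of the handshake
                f["state"] = "ESTABLISHED"
            if f["state"] == "ESTABLISHED":              # anything after that is payload
                f["client_bytes"] += p["length"]
        elif p["sport"] == server_port:          # server -> client direction
            f = flows.get((p["dst"], p["dport"]))
            if f is not None and "S" in flags and "." in flags:   # SYN-ACK
                f["synack"] += 1
                if f["state"] == "SYN_SENT":
                    f["state"] = "SYN_ACK_SEEN"
    return flows


def verdict(flow):
    """Classify one flow's final handshake state."""
    if flow["state"] == "SYN_SENT":
        return STUCK_NO_SYNACK
    if flow["state"] == "SYN_ACK_SEEN":
        return STUCK_AFTER_SYNACK
    if flow["state"] == "ESTABLISHED" and flow["client_bytes"] == 0:
        return ESTABLISHED
    if flow["state"] == "ESTABLISHED":
        return ESTABLISHED_WITH_DATA
    return "unknown"


def report(trace_text, server_port=443):
    """Map 'client:port' -> (verdict, SYNs seen, SYN-ACKs seen, client bytes).
    Repeated SYNs against repeated SYN-ACKs is the signature of a path that
    drops one direction, as opposed to a single lost packet."""
    out = {}
    for (addr, port), f in track_handshakes(trace_text, server_port).items():
        out["%s:%d" % (addr, port)] = (verdict(f), f["syn"], f["synack"], f["client_bytes"])
    return out


if __name__ == "__main__":
    for client, (text, syns, synacks, nbytes) in report(SAMPLE_TRACE).items():
        print("%-20s %s (SYN x%d, SYN-ACK x%d, %d client bytes)" % (client, text, syns, synacks, nbytes))
```

Run it against `tcpdump -n -i <if> port 443` output captured on the server; if every outside client ends up in the "SYN-ACK sent, client ACK never arrived" bucket while LAN clients reach ESTABLISHED with payload, the problem is between the server and the client (the router's redirect or its handling of the return path), and the certificate has not been consulted yet.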
Environment:
- OpenBSD 4.9, stock (base) apache with self-signed certificate
- behind a SOHO NAT router (with relevant in-bound redirects)
Problem: non-local SSL connections never complete the handshake
(verified while monitoring the interface with tcpdump, see below)
During troubleshooting I
Hi,
One guess would be the SSL certificate is for your internal hostname,
not your external hostname. Those connecting to the external hostname
reject the connection because the hostname doesn't match the
certificate. To use both internal and external names you have to create a
certificate
On Jul 11, 2011, at 5:57 PM, Jacob L. Leifman wrote:
Environment:
- OpenBSD 4.9, stock (base) apache with self-signed certificate
- behind a SOHO NAT router (with relevant in-bound redirects)
Problem: non-local SSL connections never complete the handshake
(verified while monitoring the
Just an update.
It seems source-hash, for whatever reason, simply doesn't work for me. I
did find an older post that exhibits a similar issue:
http://www.monkey.org/openbsd/archive/bugs/0403/msg00211.html
Round-robin works fine, but source-hash will always leave some systems
blind to the
OpenBSD 3.7
Some hosts will experience poor to seemingly no Internet access when
using NAT address pools - web sites time out, even pings to remote
addresses fail.
Using:
nat on $ext_if from !$ext_if -> $ext_if:0
works fine.
Using:
nat on $ext_if from !$ext_if -> $ext_if
or
nat on $ext_if from
Granted I'm running 3.6 but I have a setup very similar to yours.
The external NATs of the servers are not in the natpool30 (1.2.3.0/30)
network.
In my experience, any protocols where the server will generate a
separate connection back to the client (like ftp) will not work with NAT
pools.
#Port
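The three NAT forms the thread compares, written out side by side. This is an added example, not anyone's posted pf.conf: the interface names and the 192.0.2.0/30 pool (a documentation range standing in for a routed public block) are assumptions. It uses the pre-4.7 `nat` rule syntax the thread is using; from OpenBSD 4.7 on the same thing is written as `match out on $ext_if from $int_net nat-to ...`.

```conf
# Added example, not from the thread. Interface names and addresses assumed.
ext_if  = "fxp0"
int_if  = "sis0"
int_net = "192.168.1.0/24"
# Four public addresses that the upstream routes to this firewall. A pool
# address that is NOT routed (or ARPed) to you gets its replies delivered
# elsewhere, which looks exactly like "some hosts have no Internet".
natpool = "192.0.2.0/30"

# Form 1: everything leaves as the interface's first address (":0" means
# only the primary address, never an alias). Reported to work in the thread.
nat on $ext_if from $int_net to any -> $ext_if:0

# Form 2: source-hash pool. The same internal host always maps to the same
# pool address, which is what you want for servers that tie a session to a
# client IP. Needs a CIDR block, not a list; with more than one listed
# address only round-robin is permitted. This is the form the poster
# above could not get to work.
# nat on $ext_if from $int_net to any -> $natpool source-hash

# Form 3: round-robin pool, the form that did work. static-port keeps the
# internal source port instead of rewriting it; it does not make active
# FTP work through a NAT pool by itself (that still needs ftp-proxy),
# but it removes one more thing that varies between connections.
nat on $ext_if from $int_net to any -> $natpool round-robin static-port
```

Only one of the three `nat` lines should be active at a time; with a pool, check `pfctl -s state` for the translated source address of a "blind" host and confirm that address is one the upstream actually routes back to the firewall.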
Chris Smith wrote:
OpenBSD 3.7
Some hosts will experience poor to seemingly no Internet access when
using NAT address pools - web sites time out, even pings to remote
addresses fail.
Using:
nat on $ext_if from !$ext_if -> $ext_if:0
works fine.
Using:
nat on $ext_if from !$ext_if -> $ext_if
On Friday 16 September 2005 04:20 pm, Raymond Lillard wrote:
First off, it's a bad idea to broadcast your real IP numbers
in a public place.
I had always thought that but then I read this article:
http://homepages.tesco.net/~J.deBoynePollard/FGA/dont-obscure-your-dns-data.html
It seems to make
On Friday 16 September 2005 04:13 pm, Ryan Puckett wrote:
In my experience, any protocols where the server will generate a
separate connection back to the client (like ftp) will not work with
NAT pools.
Even passive ftp?
nat on $ext_if inet from internal-subnets to any port
$NATPoolPortsTCP
[...]
Ext = tun0 # device the Internet is connected to
Int = xl0 # device the internal network hangs off
IntNet = 192.168.0.0/16 # address range of the internal network
RouterIP = 192.168.0.1 # IP address of the router
Int2 = ath0
IntNet2 = 10.10.10.0/24
RouterIP2 =
[...]
Ext = tun0 # device the Internet is connected to
Int = xl0 # device the internal network hangs off
IntNet = 192.168.0.0/16 # address range of the internal network
RouterIP = 192.168.0.1 # IP address of the router
Int2 = ath0
IntNet2 = 10.10.10.0/24
RouterIP2 =
[EMAIL PROTECTED] wrote:
[...]
SNAP
Yes I tried that also.
$Int2:network was a hint from the #pf - IRC Channel at Freenode.
Kind regards,
Sebastian
Well since you said you tried with minimal pf.conf as well and it didn't
work, you may want to try this minimal conf which does
hmm, on Wed, May 04, 2005 at 11:51:37PM +0200, -f said that
hi there,
i have just upgraded our firewall to -current (2nd may).
it seems that nat stopped working..
i see packets arriving on $int_if from the inside network,
but they are not leaving on $ext_if and/or nothing is arriving
on
16 matches