Well, still having the same problem, I do see some info with tcpdump, but I'm at a loss as to what most of it means... I've clipped a couple of lines and attached them at the bottom of the message... I did make the following changes...

> This looks sane, but not the way I'd do it. I like to make things as
> specific as possible, so I'd write the rdr line as:
>
> rdr on ep0 from any to 67.105.157.190 port 80 -> 192.168.1.80 port 80

agreed, changed...

>> Just in case I've screwed up my packet filtering I'll include it here...
>> (/etc/pf.conf)
>>>snip<<
>> # allow others to use http and https
>> pass in quick on ep0 inet proto tcp from any to any port = 22 flags S/SA
>> pass in quick on ep0 inet proto tcp from any to any port = 80 flags S/SA
>> pass in quick on ep0 inet proto tcp from any to any port = 443 flags S/SA
>
> I didn't see any "block out" rules, but I'd still add a "keep state" to
> these rules. If I'm remembering correctly, you're ONLY allowing SYN
> packets in to your web server, and the rest of the connection is blocked.
> Even though you have a "pass out...keep state" rule later, I don't think
> that will match these connections, as PF will only create a state entry
> when it sees the whole three-way handshake. You might also want to lock
> these rules down to only the specific internal hosts that you intend to
> connect to remotely.

I agree again, and added keep state to the end of those three lines...

running tcpdump -i pflog0 and trying to open 67.105.157.190 produces NO logging... surprising I thought, so I decided to run a more general tcpdump, here's the tcpdump output from: (I'm doing this remotely from the address h00a0cc577ea7.ne.mediaone.net)

tcpdump -i ep0 port 80 (external address)

tcpdump: listening on ep0
17:39:28.067834 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068345 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068512 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 162852959 win 0 (DF)
17:39:28.068737 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 162852959 win 0 (DF)
17:39:28.566861 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.567253 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.567334 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
17:39:28.567554 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
17:39:29.065648 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:29.066082 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:29.066200 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
17:39:29.066419 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)

and tcpdump -i rl0 port 80 (internal address)

tcpdump: listening on rl0
17:39:28.067891 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068221 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068550 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 162852959 win 0 (DF)
17:39:28.068849 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 162852959 win 0 (DF)
17:39:28.566915 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.567129 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.567372 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
17:39:28.567666 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
17:39:29.065710 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:29.065961 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:29.066239 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
17:39:29.066533 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 1 win 0 (DF)
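Added example, not part of the original thread: a small Python parser for the old-style tcpdump lines shown in this post that records, for every bare SYN, whether the destination answered with SYN/ACK (accepted), RST (refused by the host) or nothing (dropped, which is what a pf block looks like). Run over the first round of the ep0 capture it reports RST for both the pre-translation (firewall.) and post-translation (192.168.1.80) flows, i.e. pf did translate and forward the SYN and the internal host refused it; the sample lines and hostnames are copied from the post, the function names are mine.

```python
import re
from collections import OrderedDict

# Matches the classic tcpdump TCP line shape used in the post:
#   HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(len) [ack N] ...
# Hostnames may end in a dot (tcpdump prints "firewall..www"), so the
# host group is greedy and backtracks to the last dot before the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.(?P<sport>[^.\s]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[^.\s]+):\s+(?P<flags>[SRPFU.]+)"
)

def parse_line(line):
    """Return (src, sport, dst, dport, flags, has_ack), or None for non-TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["src"], m["sport"], m["dst"], m["dport"], m["flags"], " ack " in line)

def handshake_outcomes(lines):
    """Map each (server, port) that received a bare SYN to how it answered:
    'SYN/ACK' (accepted), 'RST' (refused by the host) or 'no reply' (dropped,
    which is what a pf block would look like in a capture)."""
    outcomes = OrderedDict()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src, sport, dst, dport, flags, has_ack = p
        if "S" in flags and not has_ack:            # bare SYN: client -> server
            outcomes.setdefault((dst, dport), "no reply")
        elif (src, sport) in outcomes:               # reply from a server we saw a SYN to
            if "S" in flags and has_ack:
                outcomes[(src, sport)] = "SYN/ACK"
            elif "R" in flags and outcomes[(src, sport)] != "SYN/ACK":
                outcomes[(src, sport)] = "RST"
    return outcomes

# Constructed sample: the first SYN/RST round of the ep0 capture quoted above.
SAMPLE = """\
17:39:28.067834 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068345 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S 162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068512 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 162852959 win 0 (DF)
17:39:28.068737 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R 0:0(0) ack 162852959 win 0 (DF)
""".splitlines()

if __name__ == "__main__":
    for (host, port), outcome in handshake_outcomes(SAMPLE).items():
        print(f"{host}:{port} -> {outcome}")
```

Feed it the whole capture with `tcpdump -i ep0 port 80 | python3 thisfile.py`-style piping by swapping SAMPLE for sys.stdin; a "no reply" entry for 192.168.1.80 would point at the pf rules, an "RST" points at the web host itself.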