NAT question (hair pulling will begin in 3 minutes)
Phil Buckley
phil at 1918.com
Fri Feb 8 17:52:11 EST 2002
Well, still having the same problem, I do see some info with tcpdump, but
I'm at a loss as to what most of it means...
I've clipped a couple of lines and attached them at the bottom of the
message...
I did make the following changes...
> This looks sane, but not the way I'd do it. I like to make things as
>specific as possible, so I'd write the rdr line as:
>rdr on ep0 from any to 67.105.157.190 port 80 -> 192.168.1.80 port 80
agreed, changed...
>> Just in case I've screwed up my packet filtering I'll include it
here...
>> (/etc/pf.conf)
>>>snip<<
>> # allow others to use http and https
>> pass in quick on ep0 inet proto tcp from any to any port = 22 flags
S/SA
>> pass in quick on ep0 inet proto tcp from any to any port = 80 flags
S/SA
>> pass in quick on ep0 inet proto tcp from any to any port = 443 flags
S/SA
>
> I didn't see any "block out" rules, but I'd still add a "keep state"
to
>these rules. If I'm remembering correctly, you're ONLY allowing SYN
>packets in to your web server, and the rest of the connection is
blocked.
>Even though you have a "pass out...keep state" rule later, I don't think
>that will match these connections, as PF will only create a state entry
>when it sees the whole three-way handshake. You might also want to lock
>these rules down to only the specific internal hosts that you intend to
>connect to remotely.
I agree again, and added keep state to the end of those three lines...
running tcpdump -i pflog0 and trying to open 67.105.157.190 produces NO
logging... surprising I thought, so I decided to run a more general
tcpdump,
here's the tcpdump output from:
(I'm doing this remotely from the address h00a0cc577ea7.ne.mediaone.net)
tcpdump -i ep0 port 80 (external address)
tcpdump: listening on ep0
17:39:28.067834 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S
162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068345 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S
162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.068512 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 162852959 win 0 (DF)
17:39:28.068737 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 162852959 win 0 (DF)
17:39:28.566861 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S
162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.567253 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S
162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:28.567334 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
17:39:28.567554 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
17:39:29.065648 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S
162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:29.066082 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S
162852958:162852958(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
17:39:29.066200 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
17:39:29.066419 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
and tcpdump -i rl0 port 80 (internal address)
tcpdump: listening on rl0
17:39:28.067891 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S
162852958:162852958(0) win 16384 <mss 1460,nop,n
op,sackOK> (DF)
17:39:28.068221 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S
162852958:162852958(0) win 16384 <mss 1460,no
p,nop,sackOK> (DF)
17:39:28.068550 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 162852959 win 0 (DF)
17:39:28.068849 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 162852959 win 0 (DF)
17:39:28.566915 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S
162852958:162852958(0) win 16384 <mss 1460,nop,n
op,sackOK> (DF)
17:39:28.567129 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S
162852958:162852958(0) win 16384 <mss 1460,no
p,nop,sackOK> (DF)
17:39:28.567372 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
17:39:28.567666 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
17:39:29.065710 h00a0cc577ea7.ne.mediaone.net.62459 > firewall..www: S
162852958:162852958(0) win 16384 <mss 1460,nop,n
op,sackOK> (DF)
17:39:29.065961 h00a0cc577ea7.ne.mediaone.net.62459 > 192.168.1.80.www: S
162852958:162852958(0) win 16384 <mss 1460,no
p,nop,sackOK> (DF)
17:39:29.066239 192.168.1.80.www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
17:39:29.066533 firewall..www > h00a0cc577ea7.ne.mediaone.net.62459: R
0:0(0) ack 1 win 0 (DF)
More information about the Discuss
mailing list