List: ipfilter
Subject: map + rdr: bad ip checksum?
From: Bernhard Schneck <Bernhard_Schneck () GeNUA ! DE>
Date: 1997-03-26 13:18:07
Hello,

we're using ipfilter 3.1.10 both for filtering, address translation
and service redirection on a Solaris 2.5.1 box (running on an Ultra).
This machine separates the internal network from our firewall (Raptor
Eagle):
                 +-------+     +-------+     +----------+
    Internet ----+ Cisco +-----+ Eagle +-----+ ipfilter +--- Intranet
                 +-------+     +-------+     +----------+
Address translation is used to map ``bad'' internal addresses
(several more or less randomly allocated Class B nets in the 128-160
range) to ``good'' internal addresses (from RFC1918: 192.168.253.x).

Service redirection is used to hide the firewall's address from
internal systems: E.g. Compu$erve (L)users point their wincim to
port 4144 on the ipfilter box, which should forward these requests
to eagle:4144.
(An excerpt from the ipnat config file is appended below.)
As soon as we turn on the ``portmap'' feature to map many internal
boxes to a single address, we get

    Internal warning: IP checksum error 192.168.253.254->123.123.123.123

on the Eagle (123.123.123.123) which should be the real destination of
this packet (as far as the ipfilter system is concerned -- of course
the Eagle passes that stuff on to the real Compu-$erver using GSP).
Without portmapping everything is fine.

Are we trying to do A Bad Thing (TM)?
Thanks,
\Bernhard.
PS: Yes, we could do this at the application level using netcat or
plug-gw or whatever. But we already have ipfilter on this box
and we'd like to keep it as simple as possible.
# ipnat config excerpt: rules are tried in order
# TCP from the internal /8 is mapped to one address; source ports are
# rewritten into the 1025:65000 range so many hosts share 192.168.253.254
map le1 129.0.0.0/8 -> 192.168.253.254/32 portmap tcp 1025:65000
# everything else from the internal /8 (non-TCP) gets the same address, no port rewrite
map le1 129.0.0.0/8 -> 192.168.253.254/32
# redirect Compu$erve: connections to port 4144 on the ipfilter box go to the Eagle
rdr le0 129.0.1.104/32 port 4144 -> 123.123.123.123 port 4144
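The checksum warning quoted above is what the next hop reports when a packet arrives with a source address that no longer matches its IPv4 header checksum. The following is an added example, not ipfilter code and not from anyone in this thread: it builds a constructed TCP/IP packet using the addresses and ports from the config excerpt and the log line (129.0.1.104 -> 123.123.123.123, port 4144, a source port inside the 1025:65000 portmap range), translates it the way `map ... portmap` changes the source address and source port, and checks both checksums afterwards. Every other packet field (id, ttl, sequence number, payload) is a constructed value. It shows why a translator that rewrites the address and port but leaves the checksums alone produces exactly this error, and how the RFC 1624 incremental update keeps both the IPv4 header checksum and the TCP checksum (whose pseudo-header also covers the source address) valid.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum: 16-bit big-endian words, end-around carry, odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum value to store in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 + TCP SYN packet with both checksums valid (no IP options)."""
    s, d = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, tcp_len)  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def ip_header_ok(pkt: bytes) -> bool:
    """A valid IPv4 header sums to 0xFFFF when the checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return ones_complement_sum(pkt[:ihl]) == 0xFFFF


def tcp_ok(pkt: bytes) -> bool:
    """TCP checksum covers the pseudo-header (addresses, proto, length) plus the segment."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def translate_naive(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Broken translator: rewrites source address and port, leaves both checksums alone."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = pkt[:12] + ipaddress.IPv4Address(new_src).packed + pkt[16:ihl]
    tcp = struct.pack("!H", new_sport) + pkt[ihl + 2:]
    return ip + tcp


def incremental(old_csum: int, old_words, new_words) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), in one's-complement arithmetic."""
    acc = (~old_csum) & 0xFFFF
    for m, m_new in zip(old_words, new_words):
        acc += ((~m) & 0xFFFF) + m_new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def translate_correct(pkt: bytes, new_src: str, new_sport: int) -> bytes:
    """Translator that patches the IP checksum for the address change and the TCP
    checksum for both the address (via the pseudo-header) and the port change."""
    ihl = (pkt[0] & 0x0F) * 4
    old_addr = struct.unpack("!HH", pkt[12:16])
    new_packed = ipaddress.IPv4Address(new_src).packed
    new_addr = struct.unpack("!HH", new_packed)
    ip_csum = incremental(struct.unpack("!H", pkt[10:12])[0], old_addr, new_addr)
    ip = pkt[:10] + struct.pack("!H", ip_csum) + new_packed + pkt[16:ihl]
    old_sport = struct.unpack("!H", pkt[ihl:ihl + 2])[0]
    tcp_csum = incremental(struct.unpack("!H", pkt[ihl + 16:ihl + 18])[0],
                           old_addr + (old_sport,), new_addr + (new_sport,))
    tcp = (struct.pack("!H", new_sport) + pkt[ihl + 2:ihl + 16]
           + struct.pack("!H", tcp_csum) + pkt[ihl + 18:])
    return ip + tcp


if __name__ == "__main__":
    # Constructed packet: internal host -> Eagle, then portmapped onto the single address.
    p = build_packet("129.0.1.104", "123.123.123.123", 1500, 4144, b"constructed payload")
    bad = translate_naive(p, "192.168.253.254", 1025)
    good = translate_correct(p, "192.168.253.254", 1025)
    print("naive:   ip ok=%s tcp ok=%s" % (ip_header_ok(bad), tcp_ok(bad)))
    print("correct: ip ok=%s tcp ok=%s" % (ip_header_ok(good), tcp_ok(good)))
```

Run it and the naive translation fails both checks while the incremental one passes; comparing the incrementally updated checksums against a packet rebuilt from scratch with the translated address and port gives identical values, which is the property a NAT box has to preserve before the Eagle will accept the packet.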