List:       ipfilter
Subject:    map + rdr: bad ip checksum?
From:       Bernhard Schneck <Bernhard_Schneck () GeNUA ! DE>
Date:       1997-03-26 13:18:07

Hello,

we're using ipfilter 3.1.10 for filtering, address translation
and service redirection on a Solaris 2.5.1 box (running on an Ultra).
This machine separates the internal network from our firewall (Raptor
Eagle):

               +-------+     +-------+     +----------+
   Internet ---+ Cisco +-----+ Eagle +-----+ ipfilter +--- Intranet
               +-------+     +-------+     +----------+

Address translation is used to map ``bad'' internal addresses
(several more or less randomly allocated Class B nets in the 128-160
range) to ``good'' internal addresses (from RFC1918: 192.168.253.x).

Service redirection is used to hide the firewall's address from
internal systems:  E.g. Compu$erve (L)users point their wincim to
port 4144 on the ipfilter box, which should forward these requests
to eagle:4144.

(An excerpt from the ipnat config file is appended below)

As soon as we turn on the ``portmap'' feature to map many internal
boxes to a single address, we get

	Internal warning: IP checksum error 192.168.253.254->123.123.123.123

on the Eagle (123.123.123.123) which should be the real destination of
this packet (as far as the ipfilter system is concerned -- of course
the Eagle passes that stuff on to the real Compu-$erver using GSP).
Without portmapping everything is fine.

Are we trying to do A Bad Thing (TM)?

Thanks,

\Bernhard.

PS: Yes, we could do this at the application level using netcat or
    plug-gw or whatever.  But we already have ipfilter on this box
    and we'd like to keep it as simple as possible.

map le1 129.0.0.0/8 -> 192.168.253.254/32 portmap tcp 1025:65000
map le1 129.0.0.0/8 -> 192.168.253.254/32 
# redirect Compu$erve
rdr le0 129.0.1.104/32 port 4144 -> 123.123.123.123 port 4144
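The warning quoted in the post is what a receiver reports when a NAT rewrites an address but leaves the IP header checksum stale. The C below is an added example, not ipfilter's code: it computes the RFC 791 header checksum over a constructed header (addresses taken from the post, the rest made up), then rewrites the source address as a map rule would and keeps the checksum valid with the RFC 1624 incremental update, so the result matches a full recompute.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed sample (not from the post): 20-byte IPv4 header without options,
 * src 129.0.1.104, dst 123.123.123.123, protocol TCP, checksum field still zero. */
const uint8_t SAMPLE_HDR[20] = {
    0x45, 0x00, 0x00, 0x28,   /* version/IHL, TOS, total length 40 */
    0x12, 0x34, 0x40, 0x00,   /* identification, flags/fragment offset */
    0x40, 0x06, 0x00, 0x00,   /* TTL 64, protocol 6 (TCP), header checksum */
    129, 0, 1, 104,           /* source address */
    123, 123, 123, 123        /* destination address */
};
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint32_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return s; }

/* RFC 791 header checksum: ones'-complement sum of the 16-bit words, complemented.
 * len is the IHL in bytes, so it is always even. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) sum += get16(hdr + i);
    return (uint16_t)~fold(sum);
}
/* The receiver's test: summing a header that includes its own checksum gives 0. */
int ip_checksum_ok(const uint8_t *hdr, size_t len) { return ip_checksum(hdr, len) == 0; }

/* RFC 1624 incremental update for one changed word m -> m': HC' = ~(~HC + ~m + m').
 * A NAT must apply this (or recompute from scratch) whenever it rewrites an address. */
static void ip_checksum_update16(uint8_t *hdr, uint16_t m, uint16_t m_new) {
    uint32_t sum = (uint16_t)~get16(hdr + 10);
    sum += (uint16_t)~m;
    sum += m_new;
    put16(hdr + 10, (uint16_t)~fold(sum));
}

/* Rewrite the source address as an ipnat "map" rule does, keeping the checksum valid. */
void nat_rewrite_src(uint8_t *hdr, const uint8_t new_src[4]) {
    ip_checksum_update16(hdr, get16(hdr + 12), get16(new_src));
    ip_checksum_update16(hdr, get16(hdr + 14), get16(new_src + 2));
    memcpy(hdr + 12, new_src, 4);
}

/* Sender fills in the checksum, then the NAT maps 129.0.1.104 -> 192.168.253.254;
 * returns the updated checksum field (0x72FE, the same value a full recompute gives). */
uint16_t demo_translate(uint8_t out[20]) {
    static const uint8_t mapped[4] = {192, 168, 253, 254};
    memcpy(out, SAMPLE_HDR, 20);
    put16(out + 10, ip_checksum(out, 20));   /* sender's checksum, 0xAF3D */
    nat_rewrite_src(out, mapped);
    return get16(out + 10);
}
```

Leaving the checksum untouched after the address rewrite makes `ip_checksum_ok` fail on the translated packet, which is exactly the condition the Eagle is complaining about.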
