List: ipfilter
Subject: FreeBSD 2.2.2 / 3.2alpha9: strange(?) behaviour
From: Stefan Witzel <switzel () uni-goettingen ! de>
Date: 1997-07-03 12:47:12
Hello,
I've installed 3.2alpha9 under FreeBSD 2.2.2. In a small testbed I tried to
set up a gateway which performs NAT and only allows http connections.
There is only one NAT rule (de0 is the "external" interface):
map de0 172.16.1.0/24 -> 172.16.2.0/24
If I use the "filter" rules
pass in all
pass out all
I can connect to my www-server; using the following rules this is not
possible (de0 is the "external" interface, de1 the "internal"):
block in log from any to any
block out log from any to any
pass in log on de1 from 172.16.1.0/24 port > 1023 to any port = 80
pass out log on de0 from 172.16.1.0/24 port > 1023 to any port = 80
pass in log on de0 from any port = 80 to 172.16.1.0/24 port > 1023
pass out log on de1 from any port = 80 to 172.16.1.0/24 port > 1023
The log shows (I think) that NAT works and the browser reaches the server,
but the server packets are blocked.
de1 @1 p 172.16.1.70,1458 -> 10.0.0.234,80 PR tcp len 20 44 -S
de0 @1 p 172.16.2.5,1458 -> 10.0.0.234,80 PR tcp len 20 44 -S
de0 @0 b 10.0.0.234,80 -> 172.16.1.70,1458 PR tcp len 20 44 -AS (!!!)
de0 @0 b 10.0.0.234,80 -> 172.16.1.70,1458 PR tcp len 20 44 -AS
de1 @1 p 172.16.1.70,1458 -> 10.0.0.234,80 PR tcp len 20 44 -S
de0 @1 p 172.16.2.5,1458 -> 10.0.0.234,80 PR tcp len 20 44 -S
de0 @0 b 10.0.0.234,80 -> 172.16.1.70,1458 PR tcp len 20 40 -A
de0 @0 b 10.0.0.234,80 -> 172.16.1.70,1458 PR tcp len 20 44 -AS
Help !!!
Stefan Witzel switzel@uni-goettingen.de
Universitaet Goettingen / Stabsstelle DV -------------------------
Gosslerstrasse 5-7 fon: +49 551 394160
37073 Goettingen fax: +49 551 399612
Germany
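The following is an added example, not code from the post or from IP Filter itself. It is a simplified model of how the posted ruleset matches packets under IP Filter's default semantics (no `quick`, so the last matching rule decides), run against three of the logged lines. Only interface, direction, address and port tests are modelled; NAT and the order in which NAT and filtering are applied are deliberately left out. The direction of each logged packet is an assumption added here, since the ipmon lines do not print it. The point is to see which posted rule the logged 5-tuple actually matches: the SYN/ACK logged as blocked on de0 is exactly the packet rule 5 is written to pass, while the translated SYN logged as passed on de0 does not fall under rule 4 as logged.

```python
"""Evaluate the posted ruleset against the logged packets (added example).

Simplified model of IP Filter rule matching: without 'quick', the LAST
matching rule decides.  Only interface, direction, address and port
tests are modelled; NAT and NAT/filter ordering are not.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The filter rules exactly as posted.
RULES_TEXT = """
block in log from any to any
block out log from any to any
pass in log on de1 from 172.16.1.0/24 port > 1023 to any port = 80
pass out log on de0 from 172.16.1.0/24 port > 1023 to any port = 80
pass in log on de0 from any port = 80 to 172.16.1.0/24 port > 1023
pass out log on de1 from any port = 80 to 172.16.1.0/24 port > 1023
"""

# Three lines from the posted ipmon log.  The direction column is an
# assumption added here: the SYN enters on de1, leaves on de0, and the
# server's SYN/ACK enters on de0.
LOGGED = [
    ("in", "de1 @1 p 172.16.1.70,1458 -> 10.0.0.234,80 PR tcp len 20 44 -S"),
    ("out", "de0 @1 p 172.16.2.5,1458 -> 10.0.0.234,80 PR tcp len 20 44 -S"),
    ("in", "de0 @0 b 10.0.0.234,80 -> 172.16.1.70,1458 PR tcp len 20 44 -AS"),
]

# Subset of the ipf rule grammar sufficient for the rules above.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+log)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sop>[=<>])\s+(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dop>[=<>])\s+(?P<dport>\d+))?\s*$"
)
# Prefix of an ipmon line: interface, @rule, p/b, src,port -> dst,port PR proto
LOG_RE = re.compile(
    r"^(?P<iface>\S+) @(?P<rule>\d+) (?P<act>[pb]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)"
)

PortSpec = Optional[Tuple[str, int]]  # (operator, number) or None for "any port"


@dataclass
class Rule:
    action: str
    direction: str
    iface: Optional[str]               # None means "any interface"
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    sport: PortSpec
    dst: Optional[ipaddress.IPv4Network]
    dport: PortSpec
    text: str


@dataclass
class Packet:
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def _net(s: str) -> Optional[ipaddress.IPv4Network]:
    return None if s == "any" else ipaddress.ip_network(s, strict=False)


def _portspec(op: Optional[str], num: Optional[str]) -> PortSpec:
    return None if op is None else (op, int(num))


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + line)
    g = m.groupdict()
    return Rule(g["action"], g["dir"], g["iface"], _net(g["src"]),
                _portspec(g["sop"], g["sport"]), _net(g["dst"]),
                _portspec(g["dop"], g["dport"]), line.strip())


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def parse_log(line: str, direction: str) -> Tuple[Packet, str]:
    """Turn an ipmon line plus an assumed direction into (Packet, logged p/b)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    pkt = Packet(m["iface"], direction, m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))
    return pkt, m["act"]


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, n = spec
    return {"=": port == n, ">": port > n, "<": port < n}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    return _port_ok(rule.sport, pkt.sport) and _port_ok(rule.dport, pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Last matching rule wins (no 'quick').  Returns (action, 1-based rule
    number); ('none', 0) cannot occur here because rules 1-2 match everything."""
    result = ("none", 0)
    for n, r in enumerate(rules, 1):
        if rule_matches(r, pkt):
            result = (r.action, n)
    return result


def check_log(rules: List[Rule], entries) -> List[Tuple[str, str, int]]:
    """For each log line: (action ipmon logged, action the rules give, rule no.)."""
    out = []
    for direction, line in entries:
        pkt, logged = parse_log(line, direction)
        action, n = evaluate(rules, pkt)
        out.append((logged, action, n))
    return out


if __name__ == "__main__":
    rs = parse_rules(RULES_TEXT)
    for (_, line), (logged, action, n) in zip(LOGGED, check_log(rs, LOGGED)):
        print(f"{line}\n    logged={logged}  rules say: {action} (rule {n})")
```

Run as a script it prints, for each logged line, what ipmon recorded next to what the posted rules say about that 5-tuple. Feeding `evaluate` the untranslated source (172.16.1.70) for the outbound SYN on de0 gives a pass by rule 4, and feeding it the translated destination (172.16.2.5) for the inbound SYN/ACK gives a block by rule 1, so the result for the two de0 packets depends entirely on which address the filter is applied to; the model does not say which one IP Filter uses.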