List:       ipfilter
Subject:    Re: NetBSD ipnat problems
From:       Steve Pribyl <steve () netfuel ! com>
Date:       2005-11-07 16:06:46
Message-ID: 436F7B96.20009 () netfuel ! com


Guys,

I figured it out.

tlp0 should have been ex0 in the /etc/ipnat.conf

Sorry to have wasted your time.


Steve Pribyl
Steve AT NetFuel dot com
Computer Infrastructure Practitioner


Steve Pribyl wrote:
> For some reason the firewall I am building is no longer doing nat.
> I think the tcpdump for ex0 at the bottom should say from 168.192.136.13 
> not 10.16.1.100. Can't figure out why.
> 
> Any debugging help would be appreciated.
> 
> # ipf -V
> ipf: IP Filter: v4.1.3 (396)
> Kernel: IP Filter: v4.1.3
> Running: yes
> Log Flags: 0 = none set
> Default: block all, Logging: available
> Active list: 0
> Feature mask: 0xa
> # uname -a
> NetBSD newton 2.1 NetBSD 2.1 (FIREWALL) #1: Sun Nov  6 20:56:13 CST 2005 
>  root@newton:/usr/src/sys/arch/i386/compile/FIREWALL i386
> 
> ipnat.conf
> # -------------------------------------------------------------------------
> # Use ipfilter ftp proxy for ftp client transfers mode: active
> map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> 
> # Map all tcp and udp connections from 192.168.1.0/24 to external IP address
> # changing the source port number to something between 40,000 and 60,000 inclusive
> map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
> 
> # For all other IP packets, map to the external IP address
> map tlp0 10.16.1.0/24 -> 0/32
> 
> /etc/ipf.conf
> pass in all
> pass out all
> 
> /etc/sysctl.conf
> net.inet.ip.forwarding=1
> 
> # netstat -rn
> Routing tables
> 
> ex0 is external nic
> tlp0 is internal nic
> 
> 
> # ifconfig -a
> tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:04:5a:4a:a4:5f
>         media: Ethernet none (none)
>         inet 10.16.1.1 netmask 0xffffff00 broadcast 10.16.1.255
> ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
>         enabled=0
>         address: 00:50:da:2d:be:3a
>         media: Ethernet none (none)
>         inet 168.192.136.13 netmask 0xffffff00 broadcast 168.192.136.255
> lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33196
>         inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> 
> Internet:
> Destination   Gateway            Flags     Refs     Use    Mtu  Interface
> default       64.81.136.1        UGS         1      671      -  ex0
> 10.16.1/24    link#1             UC          2        0      -  tlp0
> 10.16.1.10    link#1             UHLc        0        1      -  tlp0
> 10.16.1.100   link#1             UHLc        1        2      -  tlp0
> 168.192.136/24  link#2             UC          2        0      -  ex0
> 168.192.136.1   00:90:1a:40:8f:c8  UHLc        1        0      -  ex0
> 127/8         127.0.0.1          UGRS        0        0  33196  lo0
> 127.0.0.1     127.0.0.1          UH          1        4  33196  lo0
> 
> 
> On an internal node (10.16.1.100)
> ping yahoo.com
> 
> On the netbsd box.
> tcpdump tlp0 host 10.16.1.100
> tcpdump: listening on tlp0
> 09:49:22.760785 10.16.1.1.40005 > 10.16.1.100.ssh: P 
> 1608206970:1608207018(48) ack 3894317329 win 65535 (DF) [tos 0x10]
> 09:49:22.763303 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:22.763442 10.16.1.100.ssh > 10.16.1.1.40005: P 1:49(48) ack 48 win 
> 8704 (DF) [tos 0x10]
> 09:49:22.960039 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 49 win 65535 
> (DF) [tos 0x10]
> 09:49:27.767555 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:32.777534 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:37.787634 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:42.797797 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:47.807714 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:52.817867 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:57.829560 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:50:02.839068 10.16.1.100.ssh > 10.16.1.1.40005: P 49:145(96) ack 48 
> win 8704 (DF) [tos 0x10]
> 09:50:02.839078 10.16.1.100.ssh > 10.16.1.1.40005: P 145:209(64) ack 48 
> win 8704 (DF) [tos 0x10]
> 09:50:02.839236 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 209 win 65535 
> (DF) [tos 0x10]
> 
> # tcpdump -i ex0 host 10.16.1.100
> tcpdump: listening on ex0
> 09:49:22.763379 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:27.767619 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:32.777595 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:37.787690 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:42.797853 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:47.807770 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:52.817983 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:57.829617 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain: 
> 38988+ A? yahoo.com. (27) (DF)
> 
> 

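The root cause in this thread is an ipnat `map` rule bound to the internal interface (tlp0) instead of the external one (ex0), so outbound packets on ex0 left untranslated, as the `tcpdump -i ex0` capture shows. The following is an added example, not code from the thread: a small lint that parses `map` rules out of an ipnat.conf and flags any rule whose interface carries an address inside the rule's own source network, which is exactly the tlp0 mistake. The interface table is constructed from the `ifconfig -a` output quoted above; the two config strings are constructed from the quoted ipnat.conf (the "fixed" one with tlp0 replaced by ex0).

```python
import ipaddress
import re

# Constructed from the ifconfig -a output in the thread: interface -> its address/prefix.
INTERFACES = {
    "tlp0": ipaddress.ip_interface("10.16.1.1/24"),      # internal NIC
    "ex0": ipaddress.ip_interface("168.192.136.13/24"),  # external NIC
}

# Constructed from the quoted /etc/ipnat.conf (the broken version).
BROKEN_CONF = """\
# Use ipfilter ftp proxy for ftp client transfers mode: active
map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tlp0 10.16.1.0/24 -> 0/32
"""

# Same rules with the interface corrected, as the follow-up post says.
FIXED_CONF = BROKEN_CONF.replace("map tlp0", "map ex0")

# Matches the leading "<keyword> <iface> <src> -> <dst>" part of an ipnat rule;
# trailing options (proxy, portmap, ...) are ignored by the lint.
RULE_RE = re.compile(r"^\s*(map-block|map|bimap|rdr)\s+(\S+)\s+(\S+)\s*->\s*(\S+)")


def parse_map_rules(conf_text):
    """Return a list of dicts describing each map/map-block/bimap/rdr rule."""
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        kind, iface, src, dst = m.groups()
        rules.append({"line": lineno, "kind": kind, "iface": iface, "src": src, "dst": dst})
    return rules


def lint_map_rules(conf_text, interfaces):
    """Flag map rules whose interface sits inside the source network they translate.

    A source-NAT rule must be attached to the interface the packets leave on
    (the external one). If the named interface has an address inside the
    mapped source network, it is the internal side and the rule never fires
    for traffic going out the external interface.
    Returns a list of (line_number, message) findings; empty means clean.
    """
    findings = []
    for rule in parse_map_rules(conf_text):
        if rule["kind"] not in ("map", "map-block"):
            continue  # rdr/bimap are not the outbound-SNAT case checked here
        iface = interfaces.get(rule["iface"])
        if iface is None:
            findings.append((rule["line"], f"unknown interface {rule['iface']}"))
            continue
        src_net = ipaddress.ip_network(rule["src"], strict=False)
        if iface.ip in src_net:
            findings.append((
                rule["line"],
                f"map bound to {rule['iface']} ({iface.ip}), which lies inside source "
                f"network {src_net}; outbound traffic on the external interface is not translated",
            ))
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {label} ipnat.conf ---")
        for line, msg in lint_map_rules(conf, INTERFACES) or [(0, "no problems found")]:
            print(f"line {line}: {msg}")
```

Run against the quoted configuration, the lint reports all three `map tlp0` rules; with ex0 substituted it reports nothing. The same check is worth running on any ipnat.conf before `ipnat -CF -f`, since ipnat itself accepts the misbound rule without complaint.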