List: ipfilter
Subject: Re: NetBSD ipnat problems
From: Steve Pribyl <steve () netfuel ! com>
Date: 2005-11-07 16:06:46
Message-ID: 436F7B96.20009 () netfuel ! com
Guys,
I figured it out.
tlp0 should have been ex0 in the /etc/ipnat.conf
Sorry to have wasted your time.
Steve Pribyl
Steve AT NetFuel dot com
Computer Infrastructure Practitioner
Steve Pribyl wrote:
> For some reason the firewall I am building is no longer doing nat.
> I think the tcpdump for ex0 at the bottom should say from 168.192.136.13
> not 10.16.1.100. Can't figure out why.
>
> Any debugging help would be appreciated.
>
> # ipf -V
> ipf: IP Filter: v4.1.3 (396)
> Kernel: IP Filter: v4.1.3
> Running: yes
> Log Flags: 0 = none set
> Default: block all, Logging: available
> Active list: 0
> Feature mask: 0xa
> # uname -a
> NetBSD newton 2.1 NetBSD 2.1 (FIREWALL) #1: Sun Nov 6 20:56:13 CST 2005
> root@newton:/usr/src/sys/arch/i386/compile/FIREWALL i386
>
> ipnat.conf
> # -------------------------------------------------------------------------
> # Use ipfilter ftp proxy for ftp client transfers mode: active
> map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp
>
> # Map all tcp and udp connections from 192.168.1.0/24 to external IP address
> # changing the source port number to something between 40,000 and 60,000 in ve
> map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
>
> # For all other IP packets, map to the external IP address
> map tlp0 10.16.1.0/24 -> 0/32
>
> /etc/ipf.conf
> pass in all
> pass out all
>
> /etc/sysctl.conf
> net.inet.ip.forwarding=1
>
> # netstat -rn
> Routing tables
>
> ex0 is external nic
> tlp0 is internal nic
>
>
> # ifconfig -a
> tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> address: 00:04:5a:4a:a4:5f
> media: Ethernet none (none)
> inet 10.16.1.1 netmask 0xffffff00 broadcast 10.16.1.255
> ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
> enabled=0
> address: 00:50:da:2d:be:3a
> media: Ethernet none (none)
> inet 168.192.136.13 netmask 0xffffff00 broadcast 168.192.136.255
> lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33196
> inet 127.0.0.1 netmask 0xff000000
> ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
> ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>
> Internet:
> Destination Gateway Flags Refs Use Mtu Interface
> default 64.81.136.1 UGS 1 671 - ex0
> 10.16.1/24 link#1 UC 2 0 - tlp0
> 10.16.1.10 link#1 UHLc 0 1 - tlp0
> 10.16.1.100 link#1 UHLc 1 2 - tlp0
> 168.192.136/24 link#2 UC 2 0 - ex0
> 168.192.136.1 00:90:1a:40:8f:c8 UHLc 1 0 - ex0
> 127/8 127.0.0.1 UGRS 0 0 33196 lo0
> 127.0.0.1 127.0.0.1 UH 1 4 33196 lo0
>
>
> On an internal node (10.16.1.100)
> ping yahoo.com
>
> On the netbsd box.
> tcpdump tlp0 host 10.16.1.100
> tcpdump: listening on tlp0
> 09:49:22.760785 10.16.1.1.40005 > 10.16.1.100.ssh: P
> 1608206970:1608207018(48) ack 3894317329 win 65535 (DF) [tos 0x10]
> 09:49:22.763303 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:22.763442 10.16.1.100.ssh > 10.16.1.1.40005: P 1:49(48) ack 48 win
> 8704 (DF) [tos 0x10]
> 09:49:22.960039 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 49 win 65535
> (DF) [tos 0x10]
> 09:49:27.767555 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:32.777534 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:37.787634 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:42.797797 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:47.807714 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:52.817867 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:57.829560 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:50:02.839068 10.16.1.100.ssh > 10.16.1.1.40005: P 49:145(96) ack 48
> win 8704 (DF) [tos 0x10]
> 09:50:02.839078 10.16.1.100.ssh > 10.16.1.1.40005: P 145:209(64) ack 48
> win 8704 (DF) [tos 0x10]
> 09:50:02.839236 10.16.1.1.40005 > 10.16.1.100.ssh: . ack 209 win 65535
> (DF) [tos 0x10]
>
> # tcpdump -i ex0 host 10.16.1.100
> tcpdump: listening on ex0
> 09:49:22.763379 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:27.767619 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:32.777595 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:37.787690 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain:
> 38987+ A? yahoo.com. (27) (DF)
> 09:49:42.797853 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:47.807770 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:52.817983 10.16.1.100.32773 > dns.chi1.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
> 09:49:57.829617 10.16.1.100.32774 > ns-legacy.speakeasy.net.domain:
> 38988+ A? yahoo.com. (27) (DF)
>
>
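The root cause in this thread is that every `map` rule in /etc/ipnat.conf named the inside interface (tlp0) while the packets that need translating leave through the outside interface (ex0); ipnat applies a `map` rule only to packets going out the interface the rule names, so the private 10.16.1.100 source appeared unchanged on ex0. The following is an added example, not code from the original post or from IPFilter, that automates the two checks a practitioner would run in this situation: confirm that each `map` rule is bound to the interface carrying the default route, and scan a tcpdump taken on the outside interface for source addresses that still belong to the inside network. The ipnat.conf, routing table and tcpdump lines below are constructed from the values in the thread, and the rule syntax handled is the plain `map`/`map-block`/`bimap` form only.

```python
import ipaddress
import re

# Constructed sample ipnat.conf, modelled on the thread: every map rule is
# bound to tlp0, the inside interface, which is the bug Steve found.
IPNAT_CONF = """\
# Use ipfilter ftp proxy for ftp client transfers mode: active
map tlp0 10.16.1.0/24 -> 0/32 proxy port ftp ftp/tcp
# Map all tcp and udp connections to the external address
map tlp0 10.16.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
# For all other IP packets, map to the external IP address
map tlp0 10.16.1.0/24 -> 0/32
"""

# Constructed `netstat -rn` output: the default route leaves via ex0.
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use    Mtu  Interface
default            64.81.136.1        UGS         1      671      -  ex0
10.16.1/24         link#1             UC          2        0      -  tlp0
168.192.136/24     link#2             UC          2        0      -  ex0
127/8              127.0.0.1          UGRS        0        0  33196  lo0
"""

# Constructed `tcpdump -i ex0` lines: the first two show the inside address
# leaving untranslated, the third shows a correctly translated packet.
TCPDUMP_EX0 = """\
09:49:22.763379 10.16.1.100.32772 > dns.chi1.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:27.767619 10.16.1.100.32773 > ns-legacy.speakeasy.net.domain: 38987+ A? yahoo.com. (27) (DF)
09:49:30.000000 168.192.136.13.40100 > ns-legacy.speakeasy.net.domain: 38989+ A? yahoo.com. (27) (DF)
"""

# Matches: <kind> <iface> <src> -> <dst> [options]   (map, map-block, bimap only)
MAP_RE = re.compile(r"^(map(?:-block)?|bimap)\s+(\S+)\s+(\S+)\s+->\s+(\S+)(.*)$")

# tcpdump 3.x style line: <time> <src-ip>.<port> > <dst>: ...
PKT_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+)\.\S+\s+>\s+(\S+?):")


def parse_nat_rules(text):
    """Return the map-style rules of an ipnat.conf as dicts; comments are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = MAP_RE.match(line)
        if m:
            rules.append({"kind": m.group(1), "iface": m.group(2),
                          "src": m.group(3), "dst": m.group(4),
                          "opts": m.group(5).strip()})
    return rules


def default_route_iface(netstat_text):
    """Interface column of the 'default' entry in `netstat -rn`, or None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default":
            return fields[-1]
    return None


def misbound_map_rules(ipnat_text, netstat_text):
    """map rules whose interface is not the one carrying the default route.

    ipnat applies `map` on the way *out* of the named interface, so a rule
    bound to the inside interface never sees the outbound traffic.
    """
    outside = default_route_iface(netstat_text)
    return [r for r in parse_nat_rules(ipnat_text)
            if r["kind"].startswith("map") and r["iface"] != outside]


def untranslated_sources(tcpdump_text, inside_net):
    """(src, dst) pairs on an outside-interface capture whose source is still
    an inside address, i.e. packets that left without being translated."""
    net = ipaddress.ip_network(inside_net)
    leaks = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if m and ipaddress.ip_address(m.group(1)) in net:
            leaks.append((m.group(1), m.group(2)))
    return leaks


if __name__ == "__main__":
    for r in misbound_map_rules(IPNAT_CONF, NETSTAT_RN):
        print(f"map rule bound to {r['iface']} but default route is via "
              f"{default_route_iface(NETSTAT_RN)}: {r['src']} -> {r['dst']} {r['opts']}")
    for src, dst in untranslated_sources(TCPDUMP_EX0, "10.16.1.0/24"):
        print(f"untranslated inside source {src} seen on outside interface (to {dst})")
```

Run against the real box the same way: feed it `cat /etc/ipnat.conf`, `netstat -rn` and a short `tcpdump -n -i <outside> not port 22` capture. An empty result from both checks is what a working configuration looks like; once the rules read `map ex0 ...` here, the first check is clean, and the capture on ex0 should show only the external address as source.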