[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    Re: bimap and outbound traffic from DMZ (long)
From:       Barrie Bremner <list-ipf () barriebremner ! com>
Date:       2005-12-31 17:35:31
Message-ID: 17334.49507.970764.24747 () flux ! barriebremner ! com

>>>>> "Darren" == Darren Reed <darrenr@reed.wattle.id.au> writes:

    Darren> if you run tcpdump on pppoe0 as well as your internal
    Darren> interface, do you see the packets in both places, as they
    Darren> should ?

It appears that way:

DMZ interface (hme2 on 192.168.2.0/24):

17:20:00.335926 IP theta.65070 > arc-dmz.domain:  32691+ AAAA? www.bbc.co.uk. (31)
17:20:00.447025 IP arc-dmz.domain > theta.65070:  32691 1/0/0 CNAME[|domain]
17:20:00.447511 IP theta.65069 > arc-dmz.domain:  32692+ A? www.bbc.co.uk. (31)
17:20:00.454239 IP arc-dmz.domain > theta.65069:  32692 2/13/0 CNAME[|domain]
17:20:00.455018 IP theta.65318 > www23.thdo.bbc.co.uk.www: S 3336718153:3336718153(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
17:20:00.476646 IP www23.thdo.bbc.co.uk.www > theta.65318: S 936242578:936242578(0) ack 3336718154 win 33304 <nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>
17:20:00.476806 IP theta.65318 > www23.thdo.bbc.co.uk.www: . ack 1 win 33580 <nop,nop,timestamp 0 1830748703>
17:20:00.477869 IP theta.65318 > www23.thdo.bbc.co.uk.www: P 1:186(185) ack 1 win 33580 <nop,nop,timestamp 0 1830748703>
17:20:00.504482 IP www23.thdo.bbc.co.uk.www > theta.65318: . ack 186 win 33211 <nop,nop,timestamp 1830748706 0>
17:20:37.621095 IP theta.65318 > www23.thdo.bbc.co.uk.www: F 186:186(0) ack 1 win 33580 <nop,nop,timestamp 75 1830748703>
17:20:37.640322 IP www23.thdo.bbc.co.uk.www > theta.65318: . ack 187 win 33211 <nop,nop,timestamp 1830752419 75>

External interface (pppoe0 on 1.2.3.204/30 - 1.2.3.205/32 and 1.2.3.206/32 usable):

17:20:00.455574 PPPoE  [ses 0x8b04] IP theta-ext.65318 > www23.thdo.bbc.co.uk.www: S 3336718153:3336718153(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
17:20:00.476450 PPPoE  [ses 0x8b04] IP www23.thdo.bbc.co.uk.www > theta-ext.65318: S 936242578:936242578(0) ack 3336718154 win 33304 <nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>
17:20:00.477009 PPPoE  [ses 0x8b04] IP theta-ext.65318 > www23.thdo.bbc.co.uk.www: . ack 1 win 33580 <nop,nop,timestamp 0 1830748703>
17:20:00.478179 PPPoE  [ses 0x8b04] IP theta-ext.65318 > www23.thdo.bbc.co.uk.www: P 1:186(185) ack 1 win 33580 <nop,nop,timestamp 0 1830748703>
17:20:00.504294 PPPoE  [ses 0x8b04] IP www23.thdo.bbc.co.uk.www > theta-ext.65318: . ack 186 win 33211 <nop,nop,timestamp 1830748706 0>
17:20:22.851791 PPPoE  [ses 0x8b04] LCP, Echo-Request (0x09), id 188, Magic-Num 0x73af709e, length 8
17:20:22.851839 PPPoE  [ses 0x8b04] LCP, Echo-Reply (0x0a), id 188, Magic-Num 0x102f63d5, length 8
17:20:37.621363 PPPoE  [ses 0x8b04] IP theta-ext.65318 > www23.thdo.bbc.co.uk.www: F 186:186(0) ack 1 win 33580 <nop,nop,timestamp 75 1830748703>
17:20:37.640133 PPPoE  [ses 0x8b04] IP www23.thdo.bbc.co.uk.www > theta-ext.65318: . ack 187 win 33211 <nop,nop,timestamp 1830752419 75>

    Darren> also, are you sure the NAT is working at all ?  I see an
    Darren> "mss 1460" in there, despite you having 1440 in an
    Darren> ipnat.conf file.

I added the following to my ipnat.conf file, without any obvious
effect:

  # MSS clamp the DMZ traffic
  map pppoe0 192.168.2.0/24 -> 1.2.3.206/32 mssclamp 1440

I must admit that I'd missed the differing MSS values. Note that I've
also got net.inet.tcp.mss_ifmtu=1 set in /etc/sysctl.conf. I also
fully admit that playing with MSS values is something I don't
completely understand.

The NAT must be working for certain values of "working", as I can
connect to the services (web and mail servers) running on a box in the
DMZ from a remote machine using the static IP address I'm bimap-ing in
ipnat.conf, for example:

DMZ interface (hme2):

17:28:46.233622 IP sphinx.mythic-beasts.com.43913 > theta.www: S 3941160825:3941160825(0) win 5840 <mss 1460,sackOK,timestamp 2429307406 0,nop,wscale 2>
17:28:46.233862 IP theta.www > sphinx.mythic-beasts.com.43913: S 3816473555:3816473555(0) ack 3941160826 win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 2429307406,sackOK,nop,nop>
17:28:46.256009 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.258310 IP sphinx.mythic-beasts.com.43913 > theta.www: P 1:403(402) ack 1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.259444 IP theta.www > sphinx.mythic-beasts.com.43913: P 1:322(321) ack 403 win 33580 <nop,nop,timestamp 0 0>
17:28:46.259551 IP theta.www > sphinx.mythic-beasts.com.43913: P 322:812(490) ack 403 win 33580 <nop,nop,timestamp 0 0>
17:28:46.293710 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 322 win 1728 <nop,nop,timestamp 2429307466 0>
17:28:46.311937 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 812 win 1996 <nop,nop,timestamp 2429307485 0>
17:29:01.265699 IP theta.www > sphinx.mythic-beasts.com.43913: F 812:812(0) ack 403 win 33580 <nop,nop,timestamp 30 0>
17:29:01.327050 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 813 win 1996 <nop,nop,timestamp 2429322499 30>
17:29:06.314216 IP sphinx.mythic-beasts.com.43913 > theta.www: F 403:403(0) ack 813 win 1996 <nop,nop,timestamp 2429327486 30>
17:29:06.314374 IP theta.www > sphinx.mythic-beasts.com.43913: . ack 404 win 33580 <nop,nop,timestamp 40 0>

External interface (pppoe0):

17:28:46.233162 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: S 3941160825:3941160825(0) win 5840 <mss 1460,sackOK,timestamp 2429307406 0,nop,wscale 2>
17:28:46.234082 PPPoE  [ses 0x8b04] IP theta-ext.www > sphinx.mythic-beasts.com.43913: S 3816473555:3816473555(0) ack 3941160826 win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 2429307406,sackOK,nop,nop>
17:28:46.255811 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: . ack 1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.258088 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: P 1:403(402) ack 1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.259732 PPPoE  [ses 0x8b04] IP theta-ext.www > sphinx.mythic-beasts.com.43913: P 1:322(321) ack 403 win 33580 <nop,nop,timestamp 0 0>
17:28:46.260042 PPPoE  [ses 0x8b04] IP theta-ext.www > sphinx.mythic-beasts.com.43913: P 322:812(490) ack 403 win 33580 <nop,nop,timestamp 0 0>
17:28:46.293504 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: . ack 322 win 1728 <nop,nop,timestamp 2429307466 0>
17:28:46.311740 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: . ack 812 win 1996 <nop,nop,timestamp 2429307485 0>
17:29:01.265967 PPPoE  [ses 0x8b04] IP theta-ext.www > sphinx.mythic-beasts.com.43913: F 812:812(0) ack 403 win 33580 <nop,nop,timestamp 30 0>
17:29:01.326845 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: . ack 813 win 1996 <nop,nop,timestamp 2429322499 30>
17:29:06.313994 PPPoE  [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 > theta-ext.www: F 403:403(0) ack 813 win 1996 <nop,nop,timestamp 2429327486 30>
17:29:06.314581 PPPoE  [ses 0x8b04] IP theta-ext.www > sphinx.mythic-beasts.com.43913: . ack 404 win 33580 <nop,nop,timestamp 40 0>

Cheers,

-- 
Barrie J. Bremner
list-ipf [at] barriebremner.com     http://barriebremner.com/
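Darren's two questions above (is the NAT working at all, and why does the outbound SYN still carry mss 1460 with mssclamp 1440 in ipnat.conf?) can be answered mechanically from the pair of captures: NAT rewrites addresses and ports and may rewrite the TCP MSS option, but it never changes the sequence number, so the ISN pairs each SYN seen on hme2 with its copy on pppoe0. The script below is an added example, not code from the post or from IPFilter. It parses the old-style tcpdump text shown in the thread; the first two segments of each sample capture are the BBC connection from the post, while the connection to mail.example.net is constructed to show what a clamp that did take effect looks like.

```python
"""Pair SYN segments captured on the inside (hme2) and outside (pppoe0)
interfaces and report what the IPFilter NAT rule did to each one.
Added example for this thread; not code from the post or from IPFilter.
NAT never rewrites the sequence number, so the ISN pairs the two copies.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Old-style tcpdump text as in the captures: optional "PPPoE  [ses ...]"
# prefix, "IP src.port > dst.port: FLAGS ...", TCP options inside <...>.
_PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:PPPoE\s+\[ses 0x[0-9a-f]+\]\s+)?"
    r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) (?P<rest>.*)$"
)
_SEQ_RE = re.compile(r"^(?P<seq>\d+):\d+\(\d+\)")
_MSS_RE = re.compile(r"<[^>]*\bmss (?P<mss>\d+)")


@dataclass
class Syn:
    src: str           # "host.port" as tcpdump prints it
    dst: str
    seq: int           # initial sequence number, untouched by NAT
    mss: Optional[int]
    syn_ack: bool      # True for the peer's reply, False for the opening SYN


def parse_syns(lines: List[str]) -> List[Syn]:
    """Keep segments carrying SYN; DNS, LCP and data segments are skipped."""
    syns = []
    for line in lines:
        m = _PKT_RE.match(line.strip())
        if not m or "S" not in m["flags"]:
            continue
        seq_m = _SEQ_RE.match(m["rest"])
        if not seq_m:
            continue
        mss_m = _MSS_RE.search(m["rest"])
        syns.append(Syn(m["src"], m["dst"], int(seq_m["seq"]),
                        int(mss_m["mss"]) if mss_m else None,
                        " ack " in m["rest"]))
    return syns


def _host(endpoint: str) -> str:
    """Drop the trailing .port from tcpdump's host.port notation."""
    return endpoint.rsplit(".", 1)[0]


def compare_nat(inside: List[str], outside: List[str], clamp: int) -> List[Dict]:
    """For each inside SYN, find the outside copy with the same ISN and report
    whether a host was rewritten and whether the outside MSS respects the clamp."""
    outside_by_isn = {s.seq: s for s in parse_syns(outside)}
    report = []
    for s in parse_syns(inside):
        o = outside_by_isn.get(s.seq)
        if o is None:
            report.append({"seq": s.seq, "seen_outside": False})
            continue
        report.append({
            "seq": s.seq, "seen_outside": True, "syn_ack": s.syn_ack,
            "inside": f"{s.src} > {s.dst}", "outside": f"{o.src} > {o.dst}",
            "translated": (_host(s.src), _host(s.dst)) != (_host(o.src), _host(o.dst)),
            "mss_inside": s.mss, "mss_outside": o.mss,
            "within_clamp": o.mss is not None and o.mss <= clamp,
        })
    return report


def summarize(report: List[Dict], clamp: int) -> List[str]:
    """One line per SYN, flagging untranslated or unclamped copies."""
    out = []
    for r in report:
        if not r["seen_outside"]:
            out.append(f"seq {r['seq']}: not seen on the outside interface")
            continue
        out.append("{} seq {}: {} => {} ({}; mss {} -> {}, {} clamp {})".format(
            "SYN-ACK" if r["syn_ack"] else "SYN", r["seq"], r["inside"], r["outside"],
            "translated" if r["translated"] else "NOT translated",
            r["mss_inside"], r["mss_outside"],
            "within" if r["within_clamp"] else "EXCEEDS", clamp))
    return out


# Sample captures: the BBC segments are from the post; the mail.example.net
# connection is constructed to show a clamp that took effect (1460 -> 1440).
INSIDE_CAPTURE = """\
17:20:00.455018 IP theta.65318 > www23.thdo.bbc.co.uk.www: S 3336718153:3336718153(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
17:20:00.476646 IP www23.thdo.bbc.co.uk.www > theta.65318: S 936242578:936242578(0) ack 3336718154 win 33304 <nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>
17:21:10.000001 IP theta.60001 > mail.example.net.smtp: S 1000:1000(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
""".splitlines()
OUTSIDE_CAPTURE = """\
17:20:00.455574 PPPoE  [ses 0x8b04] IP theta-ext.65318 > www23.thdo.bbc.co.uk.www: S 3336718153:3336718153(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
17:20:00.476450 PPPoE  [ses 0x8b04] IP www23.thdo.bbc.co.uk.www > theta-ext.65318: S 936242578:936242578(0) ack 3336718154 win 33304 <nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>
17:20:22.851791 PPPoE  [ses 0x8b04] LCP, Echo-Request (0x09), id 188, Magic-Num 0x73af709e, length 8
17:21:10.000500 PPPoE  [ses 0x8b04] IP theta-ext.60001 > mail.example.net.smtp: S 1000:1000(0) win 32768 <mss 1440,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
""".splitlines()
CLAMP = 1440  # value from the poster's "map ... mssclamp 1440" rule

if __name__ == "__main__":
    for line in summarize(compare_nat(INSIDE_CAPTURE, OUTSIDE_CAPTURE, CLAMP), CLAMP):
        print(line)
```

Run against the real captures (`tcpdump -nn -i hme2 'tcp[tcpflags] & tcp-syn != 0'` and the same on pppoe0, saved to two files) the report separates the two things Darren asked about: "translated" confirms the map/bimap rewrite of theta to theta-ext, and "EXCEEDS clamp" on an outbound SYN shows the mssclamp option not being applied, which is exactly what the mss 1460 on both sides of the BBC connection indicates.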

