List: ipfilter
Subject: More ipnat & dns confusion
From: "James Moore" <jim () bokler ! com>
Date: 2000-04-30 4:09:17
I'm still having a comprehension problem... I'd appreciate any enlightenment:
hosts on my private LAN don't get DNS when the following rule is included
(based on "ipfstat -hi"):
"block in log quick on xl1 from any to 192.168.0.0/16"
What I see at the console of the BSD box while DNS is being choked off is
something like the following:
"ipmon[2612] (blah, blah) xl1@0:13 b 209.119.96.3 -> 192.168.1.5, 1207 PR udp len 20"
My ipnat rule is as follows:
"map xl1 192.168.1.0/24 -> 208.xxx.xxx.x/32 portmap tcp/udp 10000:65000"
I'm confused on two points:
1) why is the port number 1207 rather than one in the range set by my
ipnat.rules (10,000 - 65,000)?
2) the rule that's blocking this packet refers to inbound packets on xl1 (ext
interface); i.e. from the Internet. Why would I be getting a packet with a
192.168.1.5 address from my ISP's DNS?
A response I received previously suggested that I was seeing the packet after
it had been translated back into the private address space... But that being
the case I still don't see why the 1207 port is being used, nor do I see why
the rule above would have blocked it.
I'm sure I'm overlooking something fundamental. I thought the DNS response
would have come back into xl1 with a destination address of the external nic,
not the private IP... where have I missed the boat?
Thanks,
James Moore
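As an added illustration, not part of the original post or of the ipfilter distribution, here is a small parser for ipmon lines of the shape quoted above that picks out blocked packets logged on the external interface whose destination is an RFC 1918 address, which is exactly the pattern the post describes. It assumes ports are printed after the address as `addr,port` (the leading timestamp and PID fields are ignored), and the sample log lines are constructed.

```python
import re
import ipaddress

# Shape of the ipmon line quoted in the post, e.g.
#   "xl1@0:13 b 209.119.96.3 -> 192.168.1.5, 1207 PR udp len 20"
# Fields: interface@group:rule, action (b=block, p=pass), src[,sport] -> dst[,dport], PR proto.
# Assumption: ports, when present, follow the address after a comma.
IPMON_RE = re.compile(
    r"(?P<iface>\w+)\s*@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+)(?:,\s*(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?:,\s*(?P<dport>\d+))?\s+PR\s+(?P<proto>\w+)"
)

def parse_ipmon(line):
    """Return interface, rule, action, addresses, ports and protocol of one ipmon line, or None."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["blocked"] = rec["action"] == "b"
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def private_dst_on_external(lines, ext_iface="xl1"):
    """Blocked packets logged on the external interface whose destination is a private
    (RFC 1918) address: the filter saw them carrying a LAN address, not the public one."""
    hits = []
    for line in lines:
        rec = parse_ipmon(line)
        if rec is None or rec["iface"] != ext_iface or not rec["blocked"]:
            continue
        if ipaddress.ip_address(rec["dst"]).is_private:
            hits.append(rec)
    return hits

# Constructed sample lines; 208.0.0.1 stands in for the box's public address.
SAMPLE_LOG = [
    "ipmon[2612] xl1@0:13 b 209.119.96.3,53 -> 192.168.1.5,1207 PR udp len 20 84",
    "ipmon[2612] xl1@0:2 p 198.51.100.7,443 -> 208.0.0.1,10234 PR tcp len 20 60",
    "ipmon[2612] xl0@0:5 b 192.168.1.9,1034 -> 192.168.1.5,22 PR tcp len 20 60",
]

if __name__ == "__main__":
    for rec in private_dst_on_external(SAMPLE_LOG):
        print(rec["iface"], "rule", rec["rule"], rec["src"], "->", rec["dst"], rec["dport"], rec["proto"])
```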