
List:       ipfilter
Subject:    More ipnat & dns confusion
From:       "James Moore" <jim () bokler ! com>
Date:       2000-04-30 4:09:17

I'm still having a comprehension problem... I'd appreciate any enlightenment:

Hosts on my private LAN don't get DNS when the following rule is included 
(based on "ipfstat -hi"): 

 "block in log quick on xl1 from any to 192.168.0.0/16" 

What I see at the console of the BSD box while DNS is being choked off is 
something like the following: 
  
"ipmon[2612] (blah, blah) xl1@0:13 b 209.119.96.3 -> 192.168.1.5,1207 PR udp len 20" 

My ipnat rule is as follows: 

"map xl1 192.168.1.0/24 -> 208.xxx.xxx.x/32 portmap tcp/udp 10000:65000" 

I'm confused on two points: 

1) why is the port number 1207 rather than one in the range set by my  
ipnat.rules (10,000 - 65,000)? 

2) the rule that's blocking this packet refers to inbound packets on xl1 (ext 
interface); i.e. from the Internet. Why would I be getting a packet with a 
192.168.1.5 address from my ISP's DNS?

A response I received previously suggested that I was seeing the packet after 
it had been translated back into the private address space... But that being 
the case I still don't see why the 1207 port is being used, nor do I see why 
the rule above would have blocked it. 

I'm sure I'm overlooking something fundamental. I thought the DNS response  
would have come back into xl1 with a destination address of the external nic,  
not the private IP... where have I missed the boat?  


Thanks, 
James Moore 
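The following is an added example, not part of James Moore's post or of the IPFilter distribution. It parses an ipmon log line and an ipnat map rule and reports which side of the translation the filter saw the packet on, relying on IPFilter's documented ordering: on input ipnat runs before the filter rules, on output the filter rules run before ipnat. The sample lines are constructed after the two quoted above; the external address (203.0.113.1) and the source port 53 are placeholders the post does not give, and the `IN`/`OUT` suffix that ipmon normally prints is supplied where the quoted line omits it.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the lines quoted in the post.
# 203.0.113.1 stands in for the elided 208.xxx.xxx.x; ",53" on the DNS
# server side is assumed (the quoted line shows no source port).
MAP_RULE = "map xl1 192.168.1.0/24 -> 203.0.113.1/32 portmap tcp/udp 10000:65000"
IN_LINE = "xl1@0:13 b 209.119.96.3,53 -> 192.168.1.5,1207 PR udp len 20 48 IN"
OUT_LINE = "xl1@0:2 p 192.168.1.5,1207 -> 209.119.96.3,53 PR udp len 20 48 OUT"

# ipmon packet line: iface@group:rule action src[,sport] -> dst[,dport] PR proto ... IN|OUT
IPMON_RE = re.compile(
    r"(?P<iface>\w+)\s*@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:,(?P<dport>\d+))?\s+PR\s+(?P<proto>\w+)"
    r"(?:.*\b(?P<dir>IN|OUT)\b)?"
)

# ipnat map rule: map iface inside/len -> outside/len [portmap protos lo:hi]
MAP_RE = re.compile(
    r"map\s+(?P<iface>\w+)\s+(?P<inside>[\d.]+/\d+)\s+->\s+(?P<outside>[\d.]+/\d+)"
    r"(?:\s+portmap\s+(?P<protos>[\w/]+)\s+(?P<lo>\d+):(?P<hi>\d+))?"
)


def parse_ipmon(line):
    """Extract the addressing fields from one ipmon packet log line."""
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError("not an ipmon packet line: %r" % line)
    d = m.groupdict()
    return {
        "iface": d["iface"],
        "rule": "%s:%s" % (d["group"], d["rule"]),
        "action": "block" if d["action"] == "b" else "pass",
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]) if d["dport"] else None,
        "proto": d["proto"].lower(),
        "dir": d["dir"].lower() if d["dir"] else None,  # None when the line lacks IN/OUT
    }


def parse_map(rule):
    """Extract interface, networks and portmap range from an ipnat map rule."""
    m = MAP_RE.match(rule.strip())
    if not m:
        raise ValueError("not a map rule: %r" % rule)
    d = m.groupdict()
    return {
        "iface": d["iface"],
        "inside": ipaddress.ip_network(d["inside"]),
        "outside": ipaddress.ip_network(d["outside"]),
        "portmap_protos": d["protos"].split("/") if d["protos"] else [],
        "lo": int(d["lo"]) if d["lo"] else None,
        "hi": int(d["hi"]) if d["hi"] else None,
    }


def explain(log_line, map_rule, assume_dir="in"):
    """Say on which side of the NAT translation the filter saw this packet.

    assume_dir is used only when the log line carries no IN/OUT marker, as
    the line quoted in the post does; there the logging rule was a "block in".
    """
    pkt = parse_ipmon(log_line)
    nat = parse_map(map_rule)
    direction = pkt["dir"] or assume_dir
    on_nat_iface = pkt["iface"] == nat["iface"]
    dport_in_portmap = (nat["lo"] is not None and pkt["dport"] is not None
                        and nat["lo"] <= pkt["dport"] <= nat["hi"])

    if on_nat_iface and direction == "in" and pkt["dst"] in nat["inside"]:
        # Inbound: ipnat already rewrote the destination back to the private
        # host, so the filter matches on the private address and the port is
        # the host's own source port, not one from the portmap range.
        view = "post-nat (inbound)"
    elif on_nat_iface and direction == "out" and pkt["src"] in nat["inside"]:
        # Outbound: the filter runs first, so the source is still private.
        view = "pre-nat (outbound)"
    else:
        view = "unmapped"
    return {"packet": pkt, "view": view, "post_nat_view": view.startswith("post"),
            "dport_in_portmap": dport_in_portmap}


if __name__ == "__main__":
    for line in (IN_LINE, OUT_LINE):
        r = explain(line, MAP_RULE)
        print(r["view"], r["packet"]["dst"], r["packet"]["dport"], r["dport_in_portmap"])
```

Run against the inbound sample, the verdict is "post-nat (inbound)" with port 1207 outside the 10000:65000 portmap range, which is the situation the two questions above describe: a "block in ... to 192.168.0.0/16" rule on the external interface is evaluated after ipnat has undone the translation, so it matches the reply to every NATed host.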
