
List:       ipfilter
Subject:    RE: getting ipfilter and squid to work together
From:       Pierre Girard <pierreg () crt ! umontreal ! ca>
Date:       2001-02-27 17:36:45

On Tue, 27 Feb 2001, Josh Hoblitt wrote:
> Is w.x.y.a/32 the ipnat machine itself or a machine behind the firewall?  Is
> Hme0 the inside or outside interface?

w.x.y.a/32 is the machine behind the firewall, let's call it «client»; w.x.y.b
would be the «firewall».  On both machines there is only one
interface and it is hme0.  So with this configuration, the «firewall» is
not a router.

Here's another detail that might be relevant to the situation.  The
machines are connected to a switch, the same one in this case, but
eventually the machine will be moved and it will be on a different
switch.  That switch eventually gets connected to a router that blocks
traffic for the entire domain except for the «firewall».  Since on my
«client» machine I specify the «firewall» as defaultrouter, I'd like
traffic to go through it with NAT because I expect the hardware router to
block the packets.

> -----Original Message-----
> From: Pierre Girard
> To: Josh Hoblitt
> Sent: 2/27/01 8:10 AM
> Subject: RE: getting ipfilter and squid to work together
>
> On Mon, 26 Feb 2001, Josh Hoblitt wrote:
> > I haven't had problems with the ftp proxy.  Do you have ipf rules that
> > could interfere?  Are packets showing up in your logs?  Ipnat does support
> > logging, try ipmon -a from the command line.
>
> Actually for those tests I disabled the ipf rules (ipf -Fa) so I don't
> think that's the problem.
>
> I tried changing my ipnat rules to specify only one ip address and it is
> still as slow as before; on the other hand, with that configuration I can
> connect to the machine with ssh, which helps a bit.
>
> When I look with ipmon, I see a few packets going through but not many and
> not often.  I do have a socks server on that same machine and if I go
> through it I can see some packets come through and my connection is fast.
> I enabled ipf for that test, since I wasn't sure if it would log or not
> and also to see if that would slow it down.  Doesn't seem to be the case.
>
> Here's the ipnat.conf file (with IPs removed):
> map hme0 w.x.y.a/32 -> w.x.y.b/32 proxy port ftp ftp/tcp
> map hme0 w.x.y.a/32 -> w.x.y.b/32 portmap tcp/udp 10000:60000
> map hme0 w.x.y.a/32 -> w.x.y.b/32
>
> Same as before with those 2 lines reversed.  What I want ultimately is to
> let ftp, telnet, imap and pop3 through; the rest I'll see as it goes.  For
> now I try to keep things as simple as possible since it's easier to debug.
>
> I also tried with another subnet but the machines on it are Windows and I
> didn't get as far.  I couldn't ping the external machine; I had a
> "network unreachable" message.  In that case I think it's a problem in my
> Windows setup; I'll try to look into it more.
>
> Thanks for your help.
> Bye.
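The three map rules quoted above are evaluated in file order, and in IP Filter's ipnat the first matching rule wins, so the order decides whether FTP control traffic reaches the proxy or is swallowed by the generic rule. The following Python is an added example written for this archive page, not code from the thread or from the IP Filter project: it parses the rule forms used in the quoted ipnat.conf (bare map, map with portmap, map with proxy port), reports which rule a given packet would hit, and flags rules that an earlier, broader rule hides. The first-match semantics, the TEST-NET addresses standing in for w.x.y.a and w.x.y.b, and the small service table standing in for /etc/services are all assumptions of this example.

```python
"""Parse ipnat 'map' rules and show which rule a packet would hit.

Added example, not from the thread. Assumptions: map rules are evaluated
in file order and the first match wins (IP Filter ipnat behaviour); only the
rule forms used in the thread are parsed; 192.0.2.10 / 192.0.2.1 stand in
for w.x.y.a / w.x.y.b; SERVICES stands in for /etc/services.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed service table standing in for /etc/services.
SERVICES = {"ftp": 21, "telnet": 23, "pop3": 110, "imap": 143}

# Constructed ipnat.conf mirroring the quoted one, with placeholder addresses.
CONF = """
map hme0 192.0.2.10/32 -> 192.0.2.1/32 proxy port ftp ftp/tcp
map hme0 192.0.2.10/32 -> 192.0.2.1/32 portmap tcp/udp 10000:60000
map hme0 192.0.2.10/32 -> 192.0.2.1/32
"""


@dataclass
class MapRule:
    iface: str
    src: object                 # ip_network the rule translates from
    dst: object                 # ip_network the rule translates to
    kind: str = "plain"         # plain | portmap | proxy
    protos: Tuple[str, ...] = ()  # protocols the rule applies to; () = any
    port: Optional[int] = None  # proxy rules: the destination port proxied
    text: str = ""


def parse_rule(line: str) -> Optional[MapRule]:
    """Parse one 'map IFACE SRC -> DST [portmap ... | proxy port ...]' line."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "map" or tok[3] != "->":
        return None
    rule = MapRule(tok[1], ip_network(tok[2]), ip_network(tok[4]), text=line.strip())
    rest = tok[5:]
    if rest[:1] == ["portmap"]:            # portmap tcp/udp 10000:60000
        rule.kind = "portmap"
        rule.protos = tuple(rest[1].split("/"))
    elif rest[:2] == ["proxy", "port"]:    # proxy port ftp ftp/tcp
        rule.kind = "proxy"
        svc, proto = rest[3].split("/")
        rule.protos = (proto,)
        rule.port = int(rest[2]) if rest[2].isdigit() else SERVICES[rest[2]]
    return rule


def load_rules(conf: str) -> List[MapRule]:
    return [r for r in (parse_rule(l) for l in conf.splitlines()) if r]


def matches(rule: MapRule, iface: str, src: str, proto: str, dport: Optional[int]) -> bool:
    if rule.iface != iface or ip_address(src) not in rule.src:
        return False
    if rule.protos and proto not in rule.protos:
        return False
    if rule.kind == "proxy" and dport != rule.port:
        return False
    return True


def first_match(rules: List[MapRule], iface: str, src: str, proto: str,
                dport: Optional[int] = None) -> Optional[int]:
    """Index of the first rule that would translate this packet, or None."""
    for i, rule in enumerate(rules):
        if matches(rule, iface, src, proto, dport):
            return i
    return None


def covers(a: MapRule, b: MapRule) -> bool:
    """True if every packet rule b could match is already taken by rule a."""
    if a.iface != b.iface or not b.src.subnet_of(a.src):
        return False
    if a.kind == "proxy":          # one destination port only; cannot hide a rule
        return False
    if a.protos and (not b.protos or not set(b.protos) <= set(a.protos)):
        return False
    return True


def shadowed(rules: List[MapRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


if __name__ == "__main__":
    rules = load_rules(CONF)
    for proto, dport in (("tcp", 21), ("tcp", 22), ("udp", 53), ("icmp", None)):
        hit = first_match(rules, "hme0", "192.0.2.10", proto, dport)
        print(f"{proto}/{dport}: rule {hit}: {rules[hit].text}")
    print("shadowed in file order:", shadowed(rules))
    print("shadowed if reversed:", shadowed(list(reversed(rules))))
```

Run against the quoted order, FTP control hits the proxy rule, other TCP and UDP hit the portmap rule, and ICMP falls through to the bare map; reversing the file makes the bare map swallow everything and the other two rules become dead, which is the kind of ordering mistake `shadowed()` is meant to surface when debugging a slow or half-working NAT.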
