Date: Sun, 30 Sep 2001 13:46:49 -0400 (EDT)
From: Rich Fox <rich@f2sys.net>
To: Barry Irwin <bvi@itouchlabs.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Natd Frustration!
Message-ID: <Pine.BSF.4.21.0109301334110.48292-100000@iwishihadaname.crosslink.net>
In-Reply-To: <20010930185704.Q73094@itouchlabs.com>
Hi,

Thank you for your advice. I checked the data of tcpdump and realized that
the packets were coming in on the external interface aliasing, going out on
the internal interface, and the responses looked ok too, in other words
everything looked correct, so why wasn't I getting a response?

For whatever reason (I should have done this before! double D'oh!), I ran a
traceroute from the webserver (a powerbook, the .17 machine) to the
216.x.x.x machine and it reached it directly. The Webserver is a Powerbook
running OS 9.2. I had changed the router address to reflect the target
gateway 192.168.1.12 (as opposed to what it was set for at the outset of all
of the business: 192.168.1.1=216.x.x.x machine). It turns out that although
MacOS TCP/IP settings *appear* to change when you change them and close the
control panel, they don't always do that. After the traceroute showed a
direct route to the 216.x.x.x machine (it should have exited the local
network via the 65.x.x.x machine and then hopped across the 'net to the 216.
machine), I realized that the default gateway/router settings did not take.
I restarted the machine and Voila!

I love Macs but they make me crazy sometimes!

Again, thank you for your advice, I just needed someone to make me think in
a different way (how ironic: Apple says: Think Different (yeah, a different
gateway!)).

Rich.

| rich fox / F2
| rich@f2sys.net
| www.f2sys.net
| 5927 Ridge View Drive
| Alexandria, VA 22310-2074
| t:703.528.9616
| f:703.528.0599

On Sun, 30 Sep 2001, Barry Irwin wrote:

> On Sun 2001-09-30 (12:49), Rich Fox wrote:
> > Here is my setup:
> >
> > ------------\                              /------------------------
> > 192.168.1.17 +--> 65.x.x.x/192.168.1.12  -> |  @home network
> >              |           DHCP              |
> >      hub     |                             |  Internet
> >              |         Static IP           |
> > 192.168.1.15 +--> 216.x.x.x/192.168.1.1  -> |  Crosslink/covad/verizon
> > ------------/                              \------------------------
> >
> > Yes, I have two internet connections. They can see each other without
> > problems.
> >
> > The .17 machine's gateway is 192.168.1.12/65.x.x.x
> > The .15 machine's gateway is 192.168.1.1/216.x.x.x
> >
> > natd.conf:
> > interface ed0
> > same_ports yes
> > dynamic yes
> > use_sockets yes
> > verbose
> > redirect_port tcp 192.168.1.17:80 80
> > redirect_port udp 192.168.1.17:80 80
> > (I don't need udp for this but for the sake of thoroughness...)
>
> Why open up a potential hole where you don't need to?
>
> > ipfw add divert 8668 ip from any to any via ed0
> >
> > ipfw add allow all from any to 192.168.1.17
> > ipfw add allow all from 192.168.1.17 to any
> > # deny everything else...
> > ipfw add 65435 deny log ip from any to any
>
> What is showing up in /var/log/security?
> If packets are getting denied they should be logged here.
> Also try ipfw zero; try a connect, then ipfw show, this will show you which
> rules are actually matching packets.
>
> > In [TCP] [TCP] 216.x.x.x:2961 -> 65.x.x.x:80 aliased to
> > [TCP] 216.x.x.x:2961 -> 192.168.1.17:80
>
> What do you get when doing a tcpdump -n -i ed0 -v -v tcp and port 80
> and a tcpdump of the same on de0? Do the packets actually go out over de0,
> does stuff come back? In which case it is most likely your ruleset.
>
> > (Interestingly I see lots of IP addresses trying to connect to my web
> > server. I really want to get this aliasing thing fixed so that I can put
> > up a page that tells these nosy punks to go blow.)
>
> None of them will read it, 99% of it is automated scripts. Rather just
> blackhole the packets. No need to open yourself up.
>
> > Any thoughts?
> >
> > Thanks,
> > Rich.
> >
> > | rich fox / F2
> > | rich@f2sys.net
> > | www.f2sys.net
> > | 5927 Ridge View Drive
> > | Alexandria, VA 22310-2074
> > | t:703.528.9616
> > | f:703.528.0599
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
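Barry's two points above (the natd "verbose" line showing what was aliased to what, and the surplus udp redirect_port rule) lend themselves to a small audit of natd's verbose output against the redirect_port rules actually intended. The following is an added example, not code from this thread or from FreeBSD's natd; it parses natd verbose records in the layout shown in the thread (assuming the "aliased to" half may wrap onto the next line) and classifies each inbound record as matching a configured redirect, passing through unrewritten, or being rewritten to a host/port that no redirect_port rule names. The addresses are constructed sample data; only 192.168.1.17:80 is taken from the thread.

```python
import re
from collections import Counter

# Added example (not from the thread): audit natd "verbose" output against the
# redirect_port rules in natd.conf. Addresses below are constructed sample data;
# only 192.168.1.17:80 (the web server) comes from the thread.

# One natd verbose record, once any wrap after "aliased to" has been joined.
NATD_RE = re.compile(
    r"^(?P<dir>In|Out)\s+\[(?P<proto>[A-Z]+)\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+aliased to\s+\[(?P=proto)\]\s+"
    r"(?P<asrc>[\d.]+):(?P<asport>\d+)\s+->\s+(?P<adst>[\d.]+):(?P<adport>\d+)\s*$"
)

# Intended redirects, tightened to TCP only as Barry suggests:
# (protocol, external port) -> (internal host, internal port)
REDIRECTS = {("TCP", 80): ("192.168.1.17", 80)}

# Constructed sample of natd verbose output. Assumption: the "aliased to" part
# may wrap onto the following line, as in the first record.
SAMPLE = """\
In  [TCP]  203.0.113.5:2961 -> 198.51.100.9:80 aliased to
           [TCP]  203.0.113.5:2961 -> 192.168.1.17:80
Out [TCP]  192.168.1.17:80 -> 203.0.113.5:2961 aliased to [TCP] 198.51.100.9:80 -> 203.0.113.5:2961
In  [TCP]  203.0.113.77:4020 -> 198.51.100.9:80 aliased to [TCP] 203.0.113.77:4020 -> 192.168.1.17:80
In  [UDP]  203.0.113.5:5000 -> 198.51.100.9:80 aliased to [UDP] 203.0.113.5:5000 -> 192.168.1.17:80
In  [TCP]  203.0.113.88:1025 -> 198.51.100.9:22 aliased to [TCP] 203.0.113.88:1025 -> 198.51.100.9:22
"""


def join_wrapped(lines):
    """Glue a record whose 'aliased to' half wrapped onto the following line."""
    joined = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if joined and joined[-1].endswith("aliased to"):
            joined[-1] += " " + line
        else:
            joined.append(line)
    return joined


def parse_natd(lines):
    """Return one dict per recognised natd record; unrecognised lines are skipped."""
    records = []
    for line in join_wrapped(lines):
        m = NATD_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "asport", "adport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def audit_inbound(records, redirects):
    """Classify each inbound record against the intended redirect_port rules.

    matched      - rewritten exactly as a configured redirect says
    passthrough  - not rewritten at all (left for the final ipfw deny rule)
    unconfigured - rewritten to a host/port no intended redirect names; this is
                   the surplus exposure the thread warns about
    """
    result = {"matched": [], "passthrough": [], "unconfigured": []}
    for rec in records:
        if rec["dir"] != "In":
            continue
        target = (rec["adst"], rec["adport"])
        if redirects.get((rec["proto"], rec["dport"])) == target:
            result["matched"].append(rec)
        elif target == (rec["dst"], rec["dport"]):
            result["passthrough"].append(rec)
        else:
            result["unconfigured"].append(rec)
    return result


def inbound_sources(records, proto="TCP", port=80):
    """Count sources hitting one external port (the 'lots of IP addresses
    trying to connect' observation in the thread)."""
    return Counter(r["src"] for r in records
                   if r["dir"] == "In" and r["proto"] == proto and r["dport"] == port)


def run_audit(text=SAMPLE, redirects=REDIRECTS):
    """Parse natd output and return a summary suitable for a quick check."""
    records = parse_natd(text.splitlines())
    audit = audit_inbound(records, redirects)
    return {
        "records": len(records),
        "matched": len(audit["matched"]),
        "passthrough": len(audit["passthrough"]),
        "unconfigured": [(r["proto"], r["dport"], r["adst"], r["adport"])
                         for r in audit["unconfigured"]],
        "sources": dict(inbound_sources(records)),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Run against the sample with the TCP-only REDIRECTS, the UDP record that natd rewrote to 192.168.1.17:80 is reported as unconfigured, which is exactly the traffic the extra `redirect_port udp` rule lets through; pass the original two-rule configuration instead and it is reported as matched, so the audit shows the difference between the two natd.conf variants on real output rather than on the rules alone.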