From: "adp" <dap99@i-55.com>
To: freebsd-questions@freebsd.org
Date: Thu, 6 May 2004 23:37:09 -0500
Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere
Message-ID: <087601c433ed$08ba7680$6501a8c0@yourqqh4336axf>
List-Id: User questions <freebsd-questions.freebsd.org>

This shouldn't be that hard, but I can't get it working. I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have bridging enabled between the Internet and DMZ interfaces. I now have an internal computer (LAN) that needs to be accessible via pcAnywhere.
I can telnet to the pcAnywhere ports on the internal computer fine from the firewall or the LAN. So that works. However, when I configured ipnat to forward my pcAnywhere ports, a telnet from the Internet just stalls.

My ipnat configuration:

    # cat /etc/ipnat.conf
    (xl0 = internet, xl1 = lan, xl2 = dmz)
    ####################
    # pcAnywhere
    # normal nat for office disabled - this is all i have in ipnat.conf
    rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
    rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632

And I am allowing access in via ipf:

    pass in quick proto tcp from any to public-ip port = 5631 group 200
    pass in quick proto udp from any to public-ip port = 5631 group 200
    pass in quick proto tcp from any to public-ip port = 5632 group 200
    pass in quick proto udp from any to public-ip port = 5632 group 200

(If I take these out I see the ipmon block messages, but with these they go away, so it's not ipf, I don't think.)

Am I missing something here? This should work!

A tcpdump. I am remote (remote-client):

    %telnet public-ip 5631
    Trying public-ip...
(just sits there)

On the FreeBSD box:

    # tcpdump -n -i xl0 port 5631
    tcpdump: listening on xl0
    23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
    ^C
    48 packets received by filter
    0 packets dropped by kernel

Oh, and again, I do have bridging enabled between Internet and DMZ. My bridge script:

    #!/bin/sh
    echo -n "Enabling bridging: "
    if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
        echo "activated."
    else
        echo "failed."
    fi
    echo -n "Enabling bridging between xl0 and xl2 interfaces: "
    if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
        echo "activated."
    else
        echo "failed."
    fi
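The capture above is the usual signature of a port forward that is not completing: the same client SYN retransmitted on the outside interface with no SYN/ACK ever coming back. The following script is an added example, not part of the original post or of FreeBSD; it parses tcpdump lines in the classic format shown in the message, groups them into client-to-server flows, and reports which flows were answered and which only show SYN retransmits. The sample input is constructed: the first three lines mirror the stalled pcAnywhere flow from the post, and the `other-client` handshake is a made-up healthy flow for contrast. Running the same parser over a capture taken on the inside interface (xl1 here) would then show whether the translated SYN is ever emitted toward 192.168.99.9, which is the next thing to check when the outside capture looks like this.

```python
import re
from collections import defaultdict

# Constructed sample in the classic (pre-4.0) tcpdump TCP line format.
# First flow: the stalled connection from the post. Second flow: a
# constructed, normally completed handshake for comparison.
SAMPLE = """\
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
23:27:10.000000 other-client.40001 > public-ip.5631: S 10:10(0) win 65535 (DF)
23:27:10.001000 public-ip.5631 > other-client.40001: S 500:500(0) ack 11 win 57344 (DF)
23:27:10.002000 other-client.40001 > public-ip.5631: . ack 501 win 65535 (DF)
"""

# timestamp  src.port > dst.port: FLAGS rest-of-line
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>\S+)\s*(?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """'host.port' -> ('host', port); hosts may themselves contain dots."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_line(line):
    """Return a small packet record, or None for lines that are not TCP packets."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": split_endpoint(m.group("src")),
        "dst": split_endpoint(m.group("dst")),
        "syn": "S" in m.group("flags"),
        # the classic format prints 'ack N' in the body, not as a flag letter
        "ack": " ack " in (" " + m.group("rest") + " "),
    }


def analyze(text):
    """Group packets by (client, server) flow and say whether the server ever answered."""
    flows = defaultdict(lambda: {"syn_sent": 0, "syn_ack": False})
    for raw in text.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue
        if pkt["syn"] and not pkt["ack"]:
            flows[(pkt["src"], pkt["dst"])]["syn_sent"] += 1
        elif pkt["syn"] and pkt["ack"]:
            # SYN/ACK travels server -> client, so the flow key is reversed
            flows[(pkt["dst"], pkt["src"])]["syn_ack"] = True

    report = {}
    for (client, server), state in flows.items():
        if state["syn_sent"] == 0:
            continue  # only saw the reply side; not a flow we can judge
        if state["syn_ack"]:
            verdict = "answered"
        elif state["syn_sent"] >= 2:
            verdict = "stalled: %d SYN retransmits, no SYN/ACK" % state["syn_sent"]
        else:
            verdict = "unanswered: single SYN"
        key = "%s:%d -> %s:%d" % (client[0], client[1], server[0], server[1])
        report[key] = verdict
    return report


if __name__ == "__main__":
    for flow, verdict in analyze(SAMPLE).items():
        print(flow, verdict)
```

Feed it a real capture with `tcpdump -n -i xl0 port 5631 > out.txt` and `analyze(open("out.txt").read())`; with `-n` the endpoints come out as dotted IPs, which `split_endpoint` handles because it only splits on the last dot.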