From owner-freebsd-questions Thu Oct 5 10:54:54 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from ivin.nl (ivin.nl [161.58.235.201]) by hub.freebsd.org (Postfix) with ESMTP id 8D59F37B502 for ; Thu, 5 Oct 2000 10:54:51 -0700 (PDT)
Received: from roberts4.roberts.nl ([213.73.149.39]) by ivin.nl (8.8.8) id TAA87643; Thu, 5 Oct 2000 19:54:47 +0200 (CEST)
Message-Id: <5.0.0.25.2.20001005195250.00a24300@pop.roberts.nl>
X-Sender: lar@pop.roberts.nl
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Thu, 05 Oct 2000 19:54:20 +0200
To: freebsd-questions@freebsd.org
From: Luke Roberts
Subject: Re: NATD reditect problems for traffic coming from TCP port 41
Cc: Ruslan Ermilov
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

From Ruslan Ermilov's keyboard:

>The
>redirect_port tcp 192.168.0.8:1024-10026 1024-10026 194.151.107.44:40-9042
>is just a short form of specifying 9003 rules like this:
>
>redirect_port tcp 192.168.0.8:1024 1024 194.151.107.44:40
>redirect_port tcp 192.168.0.8:1025 1025 194.151.107.44:41
>                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>redirect_port tcp 192.168.0.8:1026 1026 194.151.107.44:42
>...
>redirect_port tcp 192.168.0.8:10025 10025 194.151.107.44:9041
>redirect_port tcp 192.168.0.8:10026 10026 194.151.107.44:9042

True! (I suppose it is overkill)

>I.e., inside libalias(3), they will be stored as 9003 individual rules.
>This does mean that natd will do the following redirections, assuming
>that 213.73.148.57 is the main aliasing IP:

True too!

>IN  [TCP] [TCP] 194.151.107.44:41 -> 213.73.148.57:1025
>          [TCP] 194.151.107.44:41 -> 192.168.0.8:1025
>
>and vice versa:
>
>OUT [TCP] [TCP] 192.168.0.8:1025 -> 194.151.107.44:41
>          [TCP] 213.73.148.57:1025 -> 194.151.107.44:41

All completely the way I see it as well.

>As for the first redirection, it was probably caused by outgoing
>connection from 192.168.0.8:1995 to 194.151.107.44:42. I.e.,
>the outgoing connection attempt caused
>
>OUT [TCP] [TCP] 192.168.0.8:1995 -> 194.151.107.44:42
>          [TCP] 213.73.148.57:1995 -> 194.151.107.44:42
>
>And then the reply packet caused:
>
>IN  [TCP] [TCP] 194.151.107.44:42 -> 213.73.148.57:1995
>          [TCP] 194.151.107.44:42 -> 192.168.0.8:1995

Maybe indeed 194.151.107.44:41 is the first outside port to initiate a connection with my inside machine, but this still doesn't explain why the config did work with FreeBSD 3.2 (I am using the same firewall/natd config).

Also, with similar rules but different ports and IP numbers I can FTP to an 'inside IP number', people can download Napster stuff from 'inside machines' and ICQ to 'inside machines'. All this traffic is initiated from the outside. The problem really seems to be with port 41.

Also the following ruleset redirects all traffic inwards except for traffic originating from port 41:

redirect_proto tcp 192.168.0.8 194.151.107.44
redirect_proto tcp 192.168.0.8 194.151.107.76
redirect_proto tcp 192.168.0.8 193.72.44.45
redirect_proto tcp 192.168.0.8 193.72.44.78

Hope somebody goes "oh of course, it's......."

Cheers,
Luke

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
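The expansion Ruslan describes (one `redirect_port` line with three port ranges becoming 9003 individual rules) and the two translations he traces (the static hit for 194.151.107.44:41 -> 1025, and the dynamic link created by the earlier outbound connection from port 1995) can be checked offline with a small model. The following Python is an added example written for this thread, not code from the mailing list, from natd or from libalias. It assumes the rule syntax used in the thread (`redirect_port proto target:ports aliasports remote:ports`), models only TCP/UDP port redirects, and simplifies natd's dynamic-link behaviour to "keep the inside source port as the alias port", which is enough to reproduce the trace above; the `NatTable` class and every function name are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed input: the exact redirect_port line quoted in the thread.
RULE = "redirect_port tcp 192.168.0.8:1024-10026 1024-10026 194.151.107.44:40-9042"
ALIAS_IP = "213.73.148.57"   # the main aliasing IP named in the thread


@dataclass(frozen=True)
class Redirect:
    """One of the per-port rules libalias keeps after expanding a range."""
    proto: str
    target_ip: str
    target_port: int
    alias_port: int
    remote_ip: str      # "0.0.0.0" means any remote host (constructed convention)
    remote_port: int    # 0 means any remote port (constructed convention)


def _port_range(spec):
    """'1024-10026' -> (1024, 10026); a single port '41' -> (41, 41)."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def expand_redirect_port(rule):
    """Expand one redirect_port line into the list of individual rules it stands for.

    The three ranges must be the same length; natd rejects the rule otherwise,
    and this parser does the same rather than silently truncating.
    """
    m = re.fullmatch(
        r"redirect_port\s+(tcp|udp)\s+([\d.]+):(\S+)\s+(\S+)(?:\s+([\d.]+):(\S+))?",
        rule.strip())
    if not m:
        raise ValueError("not a redirect_port rule: " + rule)
    proto, target_ip, target_spec, alias_spec, remote_ip, remote_spec = m.groups()
    t_lo, t_hi = _port_range(target_spec)
    a_lo, a_hi = _port_range(alias_spec)
    n = a_hi - a_lo + 1
    if t_hi - t_lo + 1 != n:
        raise ValueError("target and alias port ranges differ in length")
    if remote_ip is None:
        remote_ip, remote_ports = "0.0.0.0", [0] * n
    else:
        r_lo, r_hi = _port_range(remote_spec)
        if r_hi - r_lo + 1 != n:
            raise ValueError("remote port range differs in length from alias range")
        remote_ports = range(r_lo, r_hi + 1)
    return [Redirect(proto, target_ip, t_lo + i, a_lo + i, remote_ip, rp)
            for i, rp in enumerate(remote_ports)]


def _remote_ok(r, remote_ip, remote_port):
    return r.remote_ip in ("0.0.0.0", remote_ip) and r.remote_port in (0, remote_port)


class NatTable:
    """Minimal model of natd's static redirects plus dynamic links (simplified)."""

    def __init__(self, alias_ip, static_rules):
        self.alias_ip = alias_ip
        self.static = static_rules
        # (alias_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.dynamic = {}

    def outbound(self, src_ip, src_port, remote_ip, remote_port):
        """Inside host sends to remote; returns the (ip, port) the packet leaves with."""
        for r in self.static:
            if (r.target_ip, r.target_port) == (src_ip, src_port) and _remote_ok(r, remote_ip, remote_port):
                return self.alias_ip, r.alias_port
        # No static rule: natd creates a dynamic link. Simplification (assumption):
        # the alias port equals the inside source port, as in the trace for port 1995.
        self.dynamic[(src_port, remote_ip, remote_port)] = (src_ip, src_port)
        return self.alias_ip, src_port

    def inbound(self, remote_ip, remote_port, dst_port):
        """Remote host sends to alias_ip:dst_port; returns where natd delivers it."""
        hit = self.dynamic.get((dst_port, remote_ip, remote_port))
        if hit:
            return hit
        for r in self.static:
            if r.alias_port == dst_port and _remote_ok(r, remote_ip, remote_port):
                return r.target_ip, r.target_port
        return self.alias_ip, dst_port   # nothing matched: stays addressed to the gateway


if __name__ == "__main__":
    nat = NatTable(ALIAS_IP, expand_redirect_port(RULE))
    print(len(nat.static), "rules")
    print("IN  194.151.107.44:41 -> :1025  =>", nat.inbound("194.151.107.44", 41, 1025))
    print("OUT 192.168.0.8:1995 -> :42    =>", nat.outbound("192.168.0.8", 1995, "194.151.107.44", 42))
    print("IN  194.151.107.44:42 -> :1995  =>", nat.inbound("194.151.107.44", 42, 1995))
```

Running it reproduces the thread's trace: the rule expands to 9003 entries, a packet from 194.151.107.44:41 to alias port 1025 lands on 192.168.0.8:1025 through the static rule, and the reply to the earlier outbound connection from port 1995 is delivered through the dynamic link even though no static rule maps remote port 42 to alias port 1995. A packet from 194.151.107.44:41 aimed at alias port 1995, with no prior outbound connection, matches neither table and is left addressed to the gateway, which is the kind of case worth testing against the real natd when a redirect appears to ignore one remote port.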