Date:      Thu, 06 Apr 2000 17:24:23 -0400 (EDT)
From:      Mike Heffner <mheffner@mailandnews.com>
To:        cjclark@home.com
Cc:        freebsd-ipfw@FreeBSD.ORG, Mike Heffner <spock@techfour.net>
Subject:   Re: Problems with natd
Message-ID:  <XFMail.20000406172423.mheffner@mailandnews.com>
In-Reply-To: <20000406165628.C4198@cc942873-a.ewndsr1.nj.home.com>


On 06-Apr-2000 Crist J. Clark wrote:
  | 
  |> ipfw rules:
  |> 
  |> 00010 176 14949 count log ip from any to any
  |> 00015  24  2634 allow ip from any to any via lo0
  |> 00100   0     0 allow ip from any to any via ep0
  |> 00200   6   248 divert 8668 ip from any to any via ed0
  |> 00300  57  6332 allow ip from any to any
  |> 65535   1    28 deny ip from any to any
  | 
  | Wide open for testing, good. One thing I'm curious about, and I really
  | don't know if this has anything to do with the problem, is why the
  | 'count' rule does not sum up to all of the rules below it.

Hrm, not quite sure. I had just added the count so that I could see what
packets were being passed through ipfw (it was the only rule I could think of
to just log the packet but pass it to the next rule...). I never usually
use count at all, so I've never noticed that problem...

  | 
  |> $ ifconfig -a
  |> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  |>         inet a.b.c.d netmask 0xffffff00 broadcast 255.255.255.255
  |                                                     ^^^^^^^^^^^^^^^
  | Is that the real value or did you mask that?
  | 

Well, I use DHCP (dhclient) to get the address for the cable modem line; it looks
like the DHCP server is returning that as the broadcast, or dhclient is
screwing up somehow. It's especially strange since the netmask doesn't go with
that broadcast address. I've tried manually changing the broadcast back to the
proper a.b.c.255, but it doesn't seem to change anything.

  | 
  |> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
  |>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
  |> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
  |>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
  |> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
  |>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
  |> Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
  |>            [TCP] a.b.c.d:1026 -> e.f.g.h:21
  |> 
  |> 
  |> [ a.b.c.d == my ip address
  |>   e.f.g.h == an internet server ip ]
  | 
  | Hmmm... NOT what one expects. It does not look like anything is ever
  | coming back. My first inclination would be to guess that there is a
  | firewall rule blocking setups on port 21 in front of natd's divert
  | rule, but if your output above is accurate, this is not the case.
  | 
  | If you were not getting ICMP packets back, I would guess that
  | something at or behind your coax modem was not routing properly. Does
  | a tcpdump show the same thing as the natd log for the TCP connection
  | attempt? Of course, there is always the question, maybe e.f.g.h is
  | dropping attempts at 21?

Yes, that's why I'm nearly 100% sure this is natd related. Tcpdump shows the
same output: packets are going out but never returning. And no, e.f.g.h isn't
dropping FTP traffic, because when I remove the natd divert rule, I can ftp,
telnet, etc. into e.f.g.h perfectly. This is also not restricted to just
e.f.g.h and FTP; it occurs with all hosts and all traffic except ICMP (FTP,
telnet, DNS, ...).

My only guess is that somehow natd, or something related, is shitting on the
packet causing it to be dropped by a router as an invalid packet. Although,
looking at tcpdump output everything seems to be fine on the surface, haven't
done a full packet dump yet though. I am going to see if I can get root (with
permission =) on someone's box and run tcpdump to see if the packets are even
getting to their machine AT ALL.

-Later

/****************************************
 * Mike Heffner <spock@techfour.net>    *
 * Fredericksburg, VA      ICQ# 882073  *
 * Sent at: 06-Apr-2000 -- 17:02:50 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/
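A small diagnostic for the two listings quoted in this exchange, as an added example that is not code from the thread, from natd or from FreeBSD. It parses `ipfw -a list` output and compares each `count` rule's packet counter with the sum of the terminating rules below it (the mismatch Crist asked about), and it pairs each natd `-v` "aliased to" line with the translated flow on the next line and flags pairs where the translation changed nothing, which is what the log above shows for traffic sourced from the gateway's own address. The two listings are embedded as constructed sample input copied from the thread, plus one invented 192.168.0.5 entry so the filter has a genuinely rewritten flow to ignore; the function names and the regexes are my own assumptions about the two formats, not anything the tools expose.

```python
import re

# Constructed sample input: the `ipfw -a list` output quoted in the thread.
# Columns are rule number, packet count, byte count, action, then the rule body.
IPFW_LISTING = """\
00010 176 14949 count log ip from any to any
00015  24  2634 allow ip from any to any via lo0
00100   0     0 allow ip from any to any via ep0
00200   6   248 divert 8668 ip from any to any via ed0
00300  57  6332 allow ip from any to any
65535   1    28 deny ip from any to any
"""

# Constructed sample input: the natd -v lines quoted in the thread, plus one
# invented entry (192.168.0.5 -> a.b.c.d) where natd really did rewrite the
# source, so that untranslated_flows() has something to leave out.
NATD_LOG = """\
Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
           [TCP] a.b.c.d:1026 -> e.f.g.h:21
Out [TCP]  [TCP] 192.168.0.5:2048 -> e.f.g.h:80 aliased to
           [TCP] a.b.c.d:2048 -> e.f.g.h:80
Out [TCP]  [TCP] a.b.c.d:1026 -> e.f.g.h:21 aliased to
           [TCP] a.b.c.d:1026 -> e.f.g.h:21
"""

# Assumed layouts of the two formats (they match the lines quoted above).
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
FLOW_RE = re.compile(r"\[(\w+)\]\s+([\w.]+):(\d+)\s+->\s+([\w.]+):(\d+)")


def parse_ipfw(listing):
    """Parse `ipfw -a list` lines into dicts: num, pkts, bytes, action, body."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, pkts, byts, action, body = m.groups()
            rules.append({"num": int(num), "pkts": int(pkts),
                          "bytes": int(byts), "action": action, "body": body})
    return rules


def count_rule_check(rules):
    """For every `count` rule return {rule_num: (its_pkts, sum_of_pkts_below)}.

    `count` is non-terminating, so each packet it counts goes on to match a
    terminating rule below it; other `count` rules below are excluded from the
    sum for the same reason. Packets natd re-injects re-enter ipfw after the
    divert rule and can be counted a second time, so the sum below may exceed
    the count; a sum that is smaller, as in the thread's listing, points to
    counters zeroed at different times or a ruleset edited while live.
    """
    result = {}
    for i, rule in enumerate(rules):
        if rule["action"] == "count":
            below = sum(r["pkts"] for r in rules[i + 1:] if r["action"] != "count")
            result[rule["num"]] = (rule["pkts"], below)
    return result


def parse_natd(log):
    """Pair each natd 'aliased to' line with the translated flow that follows it.

    Returns a list of (direction, before, after) where before/after are
    (proto, src, sport, dst, dport) string tuples as natd printed them.
    """
    lines = [ln for ln in log.splitlines() if ln.strip()]
    pairs = []
    for head, tail in zip(lines, lines[1:]):
        if "aliased to" not in head:
            continue
        before, after = FLOW_RE.search(head), FLOW_RE.search(tail)
        if before and after:
            pairs.append((head.split()[0], before.groups(), after.groups()))
    return pairs


def untranslated_flows(log):
    """Return the (direction, flow) pairs that natd logged but left unchanged."""
    return [(d, b) for d, b, a in parse_natd(log) if b == a]


if __name__ == "__main__":
    for num, (pkts, below) in count_rule_check(parse_ipfw(IPFW_LISTING)).items():
        status = "ok" if pkts == below else "MISMATCH"
        print(f"rule {num:05d}: count={pkts} sum-below={below} {status}")
    for direction, (proto, src, sport, dst, dport) in untranslated_flows(NATD_LOG):
        print(f"{direction} {proto} {src}:{sport} -> {dst}:{dport}: alias left packet unchanged")
```

On the thread's own numbers the count rule reports 176 packets while the rules below it sum to 88, and both FTP attempts come out of natd byte-for-byte identical to how they went in. The second finding is not by itself a fault: a packet whose source already is the alias address has nothing for natd to rewrite, so the script only narrows where to look (the outbound path after the divert, as the tcpdump on the far host is meant to do), it does not explain the drop.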


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.20000406172423.mheffner>