Date: Mon, 10 May 2004 10:34:46 -0500
From: "adp" <dap99@i-55.com>
To: <Barbish3@adelphia.net>, <questions@freebsd.org>
Subject: Re: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere
Message-ID: <016a01c436a4$88e741d0$6501a8c0@yourqqh4336axf>
References: <MIEPLLIBMLEEABPDBIEGOEJEFNAA.Barbish3@adelphia.net>
I am using telnet just to see if the port accepts connections. That test works fine internally. We are not running a telnet server. Also, we are telnetting to the pcAnywhere port, not the telnet port. :)

----- Original Message -----
From: "JJB" <Barbish3@adelphia.net>
To: "adp" <dap99@i-55.com>; <questions@freebsd.org>
Sent: Friday, May 07, 2004 7:47 AM
Subject: RE: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

> For your telnet test to pcanywhere ports on the target Lan pc to work
> you have to tell telnet on the target to listen on those ports.
>
> I believe pcanywhere is one of those applications that embed the ip
> address of the remote and host into the packet data, which is used by the
> application to establish bi-directional packet exchange. This means
> that pcanywhere will not work using a nated ip address. This is a
> common design flaw in many 3rd party software providers'
> applications, mostly seen in games and ms/windows netmeeting.
> Pcanywhere only works over the public internet between two ms/windows
> boxes that use public routable IP addresses. It will also work between
> two pcs on the Lan because Nating only occurs as packets leave the Lan
> headed for the public internet.
>
> If you have a range of static public IP addresses assigned to you by
> your ISP then you could assign one of those ip addresses to the LAN pc
> you want pcanywhere to work on and you should be good to go.
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of adp
> Sent: Friday, May 07, 2004 12:37 AM
> To: questions@freebsd.org
> Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere
>
> This shouldn't be that hard, but I can't get it working.
>
> I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
> bridging enabled between the Internet and DMZ interfaces.
>
> I now have an internal computer (LAN) that needs to be accessible via
> pcAnywhere.
>
> I can telnet to the pcAnywhere ports on the internal computer fine from the
> firewall or the LAN. So that works. However, when I configured ipnat to
> forward my pcAnywhere ports a telnet from the Internet just stalls.
>
> My ipnat configuration:
>
> # cat /etc/ipnat.conf
>
> (xl0 = internet, xl1 = lan, xl2 = dmz)
>
> ####################
> # pcAnywhere
> # normal nat for office disabled - this is all i have in ipnat.conf
> rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
> rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632
>
> And I am allowing in access via ipf:
>
> pass in quick proto tcp from any to public-ip port = 5631 group 200
> pass in quick proto udp from any to public-ip port = 5631 group 200
> pass in quick proto tcp from any to public-ip port = 5632 group 200
> pass in quick proto udp from any to public-ip port = 5632 group 200
>
> (If I take these out I see the ipmon block messages, but with these they go
> away, so it's not ipf I don't think.)
>
> Am I missing something here? This should work!
>
> A tcpdump. I am remote (remote-client):
>
> %telnet public-ip 5631
> Trying public-ip...
>
> (just sits there)
>
> On the FreeBSD box:
>
> # tcpdump -n -i xl0 port 5631
> tcpdump: listening on xl0
> 23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
> 23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
> 23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
> 23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> ^C
> 48 packets received by filter
> 0 packets dropped by kernel
>
> Oh, and again, I do have bridging enabled between Internet and DMZ:
>
> My bridge script:
>
> #!/bin/sh
>
> echo -n "Enabling bridging: "
> if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
>     echo "activated."
> else
>     echo "failed."
> fi
>
> echo -n "Enabling bridging between xl0 and xl2 interfaces: "
> if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
>     echo "activated."
> else
>     echo "failed."
> fi
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
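As a diagnostic added here (not part of the thread), the following shell function reads `tcpdump -n` output in the one-line format quoted above and reports client flows that keep retransmitting the same SYN without ever seeing a SYN/ACK, which is exactly the "just sits there" pattern of a redirect whose return path is broken. The sample lines are constructed; `other-client` is an assumed second host added so that an answered flow is shown not to be reported.

```shell
#!/bin/sh
# Added example: list client flows that retransmitted SYNs (tracking how many
# distinct ISNs were seen) and never received a SYN/ACK on the same interface.
stalled_flows() {
  awk '
    # TCP SYN line: time src > dst: S seq:seq(0) [ack N] win ...
    $3 == ">" && $5 == "S" {
      dst = $4; sub(/:$/, "", dst)
      if ($7 == "ack") {
        # A SYN/ACK travels server -> client; mark the client flow as answered.
        answered[dst " > " $2] = 1
      } else {
        flow = $2 " > " dst
        split($6, seq, ":")
        syns[flow]++
        if (!((flow, seq[1]) in seen)) { seen[flow, seq[1]] = 1; isns[flow]++ }
      }
    }
    END {
      for (f in syns)
        if (syns[f] > 1 && !(f in answered))
          printf "%s: %d SYNs, %d distinct ISN(s), no SYN/ACK\n", f, syns[f], isns[f]
    }'
}

# Constructed sample (not the capture from the mail): one stalled flow in the
# thread's format, plus one flow that is answered and must not be reported.
SAMPLE='23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:00.000100 other-client.4000 > public-ip.5632: S 1000:1000(0) win 57344 <mss 1460> (DF)
23:27:00.000900 public-ip.5632 > other-client.4000: S 2000:2000(0) ack 1001 win 57344 <mss 1460> (DF)'

# Number of stalled flows in the sample. Against a live box the same function
# would be fed with:  tcpdump -n -i xl0 port 5631 | stalled_flows
stalled_count() { printf '%s\n' "$SAMPLE" | stalled_flows | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE" | stalled_flows
```

A flow that shows several SYNs with one ISN and no reply points at the forwarding path (NAT, routing or bridging of the return packets), not at the client; a flow with a SYN/ACK rules that path out.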