From: "Crist J. Clark" <cjclark@alum.mit.edu>
To: freebsd-questions@FreeBSD.ORG
Date: Sat, 10 Nov 2001 21:41:47 -0800
Subject: Re: problems with clients behind ipf/ipnat firewall
Message-ID: <20011110214147.C69195@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011107132853.B7624@nubisci.net> <20011107231359.J301@blossom.cjclark.org> <20011109133729.A21217@nubisci.net> <20011110005436.G51003@blossom.cjclark.org> <20011110105933.A74294@nubisci.net>
In-Reply-To: <20011110105933.A74294@nubisci.net>; from guru@nubisci.net on Sat, Nov 10, 2001 at 10:59:33AM -0500
X-URL: http://people.freebsd.org/~cjc/

OK, there is some weirdness going on here.
Let's look at the traceroute UDP packets hitting the inner interface,

  $ fgrep udp tcpdump.fxp1
  08:33:20.856394 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33435: udp 12 [ttl 1]
  08:33:20.857533 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33436: udp 12 [ttl 1]
  08:33:20.858461 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33437: udp 12 [ttl 1]
  08:33:20.859840 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33438: udp 12
  08:33:20.863953 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439: udp 12
  08:33:25.870160 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33440: udp 12
  08:33:25.877853 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441: udp 12
  08:33:30.889018 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33442: udp 12
  08:33:30.896902 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33443: udp 12
  08:33:35.910771 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33444: udp 12
  08:33:35.914579 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33445: udp 12
  08:33:40.919260 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33446: udp 12
  08:33:40.923175 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33447: udp 12
  08:33:45.929393 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33448: udp 12
  08:33:45.932661 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33449: udp 12

Every five seconds, two packets come in; notice the incrementing destination ports.
Now look at what comes out the other side,

  $ fgrep udp tcpdump.fxp0
  08:33:20.859958 ganja.nubisci.net.1087 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]
  08:33:20.863965 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439: udp 12 [ttl 1]
  08:33:25.870367 ganja.nubisci.net.1088 > ftp.beastie.tdk.net.33440: udp 12 [ttl 1]
  08:33:25.877870 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441: udp 12
  08:33:30.889202 ganja.nubisci.net.1089 > ftp.beastie.tdk.net.33442: udp 12
  08:33:30.896920 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33443: udp 12
  08:33:35.910981 ganja.nubisci.net.1090 > ftp.beastie.tdk.net.33444: udp 12
  08:33:35.914597 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33445: udp 12
  08:33:40.919459 ganja.nubisci.net.1091 > ftp.beastie.tdk.net.33446: udp 12
  08:33:40.923196 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33447: udp 12
  08:33:45.929593 ganja.nubisci.net.1092 > ftp.beastie.tdk.net.33448: udp 12
  08:33:45.932678 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33449: udp 12

The first three packets that we saw on the inside are not seen, since they expired on your firewall. As for what we see after that... weird. Every other packet is being NATed and the other being passed unchanged. Note the incrementing destination port. The ones being NATed are coming from 'kaleidoscope' as the other ones obviously are. If we look for the returning ICMP, we see that all of the properly NATed packets get the ICMP 11:0 packets we expect, and the reason for the loss is that the ICMP responses for the unNATed packets will never find their way back to your gateway.

This "every-other-NAT" thing is definitely causing your troubles... Now why or even _how_ this could be happening... I've never seen this with ipf/ipnat.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
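The pairing Crist does by eye above can be scripted as a check: match each probe in the outer-interface capture to the same probe in the inner-interface capture by destination port (traceroute gives every probe a unique one) and flag any that left with the internal source address untouched. This is an added example, not code from the message or from ipf/ipnat; the sample lines are a constructed subset of the two captures quoted above and only the standard library is used.

```python
import re
from collections import namedtuple

# Constructed sample: four probes from each capture quoted in the message.
INNER = """\
08:33:20.859840 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33438: udp 12
08:33:20.863953 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439: udp 12
08:33:25.870160 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33440: udp 12
08:33:25.877853 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441: udp 12"""

OUTER = """\
08:33:20.859958 ganja.nubisci.net.1087 > ftp.beastie.tdk.net.33438: udp 12 [ttl 1]
08:33:20.863965 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33439: udp 12 [ttl 1]
08:33:25.870367 ganja.nubisci.net.1088 > ftp.beastie.tdk.net.33440: udp 12 [ttl 1]
08:33:25.877870 kaleidoscope.nubisci.net.39934 > ftp.beastie.tdk.net.33441: udp 12"""

Packet = namedtuple("Packet", "ts src_host src_port dst_host dst_port")
# tcpdump UDP summary line: "<ts> <host>.<port> > <host>.<port>: udp <len> ..."
LINE_RE = re.compile(r"^(\S+) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")


def parse_udp(text):
    """Parse tcpdump UDP summary lines; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(m.group(1), m.group(2), int(m.group(3)),
                               m.group(4), int(m.group(5))))
    return pkts


def classify_nat(inner_text, outer_text):
    """Map each probe's destination port to True if its source was rewritten
    between the inner and outer interface, False if it passed unchanged."""
    inner = {(p.dst_host, p.dst_port): p for p in parse_udp(inner_text)}
    result = {}
    for out in parse_udp(outer_text):
        orig = inner.get((out.dst_host, out.dst_port))
        if orig is None:
            continue  # never seen inside (e.g. expired or unrelated traffic)
        result[out.dst_port] = (out.src_host, out.src_port) != (orig.src_host, orig.src_port)
    return result


def leaked_probes(inner_text, outer_text):
    """Probes that left with the internal address intact: their ICMP replies
    are addressed to a host the outside world cannot route back to."""
    verdicts = classify_nat(inner_text, outer_text)
    return sorted(port for port, natted in verdicts.items() if not natted)
```

On the full captures from the message the leaked list is every odd-numbered probe, which is the "every-other-NAT" pattern described above.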