Re: ipnat rdr setup?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: ipnat rdr setup?
- From: "Jim Litton" <litton_(_at_)_qwest_(_dot_)_net>
- Date: Sun, 12 Aug 2001 21:18:46 -0600
I suppose it's working ... I ran the test from a third box off 192.168.1
and it worked.
-------- Original Message --------
Subject: ipnat rdr setup?
Date: Sun, 12 Aug 2001 19:23:57 -0600
From: Jim Litton <litton_(_at_)_qwest_(_dot_)_net>
To: misc_(_at_)_openbsd_(_dot_)_org
Good day,
... any ideas on what I might be doing wrong in this ipnat rdr setup?
The configuration is a three-NIC OpenBSD 2.9 box with an rdr to a FreeBSD 4.3 box running Tomcat. I've tried several scenarios; in this last one the hostname was removed from the FreeBSD box to see IP addresses in the tcpdump. No security is turned on on the FreeBSD box. I didn't want to mess with ipf on FreeBSD, so I'm not sure how to get an ipmon log there.
dsl            openbsd                   freebsd
10.0.0.1-------10.0.0.2(fxp0)
               172.16.10.1(ne1)--------172.16.10.2
I'm testing this setup by entering http://10.0.0.2 in Mozilla on the FreeBSD box, which eventually times out. I can hit http://172.16.10.2:8080. I don't see block rules being applied in the OpenBSD ipmon log.
Following are openbsd ipflog, tcpdump from client/webserver freebsd, openbsd dump, openbsd ipnat.rule and ipf.rule.
Aug 12 18:36:10 fat ipmon[10846]: 18:36:10.288736 ne1 @0:8 p 10.0.0.2,23 -> 172.16.10.2,1078 PR tcp len 20 57 -AP OUT
Aug 12 18:36:10 fat ipmon[10846]: 18:36:10.383000 ne1 @0:14 p 172.16.10.2,1078 -> 10.0.0.2,23 PR tcp len 20 52 -A IN
Aug 12 18:36:10 fat ipmon[10846]: 18:36:10.383268 ne1 @0:8 p 10.0.0.2,23 -> 172.16.10.2,1078 PR tcp len 20 61 -AP OUT
Aug 12 18:36:10 fat ipmon[10846]: 18:36:10.383901 ne1 @0:14 p 172.16.10.2,1078 -> 10.0.0.2,23 PR tcp len 20 61 -AP IN
Aug 12 18:36:10 fat ipmon[10846]: 18:36:10.384183 ne1 @0:8 p 10.0.0.2,23 -> 172.16.10.2,1078 PR tcp len 20 52 -A OUT
Aug 12 18:36:20 fat ipmon[10846]: 18:36:19.669972 ne1 @0:14 p 172.16.10.2,1081 -> 172.16.10.2,8080 PR tcp len 20 60 -S IN
Aug 12 18:36:20 fat ipmon[10846]: 18:36:19.670194 ne1 @0:8 p 172.16.10.2,1081 -> 172.16.10.2,8080 PR tcp len 20 60 -S OUT
Aug 12 18:36:23 fat ipmon[10846]: 18:36:22.662614 ne1 @0:14 p 172.16.10.2,1081 -> 172.16.10.2,8080 PR tcp len 20 60 -S IN
Aug 12 18:36:23 fat ipmon[10846]: 18:36:22.662824 ne1 @0:8 p 172.16.10.2,1081 -> 172.16.10.2,8080 PR tcp len 20 60 -S OUT
16:57:49.706120 172.16.10.2.1033 > 10.0.0.2.www: S 3993533380:3993533380(0) win 16384 (DF)
16:57:49.706652 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
16:57:49.706940 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
16:57:50.147092 172.16.10.2.1041 > ns2.dnvr.uswest.net.domain: 5163+ PTR? 2.0.0.10.in-addr.arpa. (39)
16:57:50.216437 ns2.dnvr.uswest.net.domain > 172.16.10.2.1041: 5163 NXDomain 0/1/0 (101)
16:57:50.217518 172.16.10.2.1042 > ns2.dnvr.uswest.net.domain: 5164+ PTR? 2.10.16.172.in-addr.arpa. (42)
16:57:50.280534 ns2.dnvr.uswest.net.domain > 172.16.10.2.1042: 5164 NXDomain 0/1/0 (104)
16:57:51.276034 172.16.10.2.1043 > ns2.dnvr.uswest.net.domain: 5165+ PTR? 1.128.196.206.in-addr.arpa. (44)
16:57:51.340321 ns2.dnvr.uswest.net.domain > 172.16.10.2.1043: 5165* 2/3/3[|domain]
16:57:52.705498 172.16.10.2.1033 > 10.0.0.2.www: S 3993533380:3993533380(0) win 16384 (DF)
16:57:52.705867 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
16:57:52.706127 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
16:57:55.705382 172.16.10.2.1033 > 10.0.0.2.www: S 3993533380:3993533380(0) win 16384 (DF)
16:57:55.705741 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
16:57:55.705999 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
16:57:58.705280 172.16.10.2.1033 > 10.0.0.2.www: S 3993533380:3993533380(0) win 16384 (DF)
16:57:58.705692 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
16:57:58.705965 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
17:37:53.692438 172.16.10.2.1033 > 10.0.0.2.http: S 3993533380:3993533380(0) win 16384 (DF)
17:37:53.693372 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
17:37:53.693670 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
17:37:54.133450 172.16.10.2.1041 > ns2.dnvr.uswest.net.domain: 5163+ PTR? 2.0.0.10.in-addr.arpa. (39)
17:37:54.203262 ns2.dnvr.uswest.net.domain > 172.16.10.2.1041: 5163 NXDomain 0/1/0 (101)
17:37:54.203902 172.16.10.2.1042 > ns2.dnvr.uswest.net.domain: 5164+ PTR? 2.10.16.172.in-addr.arpa. (42)
17:37:54.267365 ns2.dnvr.uswest.net.domain > 172.16.10.2.1042: 5164 NXDomain 0/1/0 (104)
17:37:55.262448 172.16.10.2.1043 > ns2.dnvr.uswest.net.domain: 5165+ PTR? 1.128.196.206.in-addr.arpa. (44)
17:37:55.327322 ns2.dnvr.uswest.net.domain > 172.16.10.2.1043: 5165* 2/3/3 (196)
17:37:56.692000 172.16.10.2.1033 > 10.0.0.2.http: S 3993533380:3993533380(0) win 16384 (DF)
17:37:56.692722 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
17:37:56.693007 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
17:37:59.692040 172.16.10.2.1033 > 10.0.0.2.http: S 3993533380:3993533380(0) win 16384 (DF)
17:37:59.692761 172.16.10.2.1033 > 172.16.10.2.8080: S 3993533380:3993533380(0) win 16384 (DF)
17:37:59.693035 10.0.0.2 > 172.16.10.2: icmp: redirect 172.16.10.2 to host 172.16.10.2
rdr fxp0 10.0.0.2/32 port 80 -> 172.16.10.2 port 8080
rdr xl0 10.0.0.2/32 port 80 -> 172.16.10.2 port 8080
rdr ne1 10.0.0.2/32 port 80 -> 172.16.10.2 port 8080
map fxp0 192.168.1.0/24 -> 10.0.0.2/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 10.0.0.2/32 portmap tcp/udp 10000:60000
map fxp0 192.168.1.0/24 -> 10.0.0.2/32
map fxp0 172.16.10.0/24 -> 10.0.0.2/32 proxy port ftp ftp/tcp
map fxp0 172.16.10.0/24 -> 10.0.0.2/32 portmap tcp/udp 10000:60000
map fxp0 172.16.10.0/24 -> 10.0.0.2/32
# loopback rules
pass out quick on lo0
pass in quick on lo0
# drop itsy bitsy frags
block in log quick proto tcp all with short
# drop source routed packets
block in log quick on fxp0 all with opt lsrr
block in log quick on fxp0 all with opt ssrr
# don't allow anyone to spoof non-routeable addresses
block in log quick on fxp0 from 127.0.0.0/8 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
#block in log quick on fxp0 from 172.16.0.0/12 to any
#block in log quick on fxp0 from 10.0.0.0/8 to any
block out log quick on fxp0 from any to 127.0.0.1/8
block out log quick on fxp0 from any to 192.168.0.0/16
#block out log quick on fxp0 from any to 172.16.0.0/12
#block out log quick on fxp0 from any to 10.0.0.0/8
# only allow our machines to connect via ssh
pass in quick on fxp0 from 1.1.1.0/24 to any port = 22
# finally lock the rest down with a default deny
block in log quick on fxp0 from any to any
# and let out-going traffic out and maintain state on established connections
# -- The flags S on the keep state is to ensure that state tracking starts
# only on the first outbound packet in a tcp session. This avoids
# unnecessary consumption of state table entries.
# -- The flags S only works on the tcp protocol, so three entries are required
# to cover all three protocols (tcp, udp, icmp).
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# allow others to use http and https
pass in log quick on fxp0 proto tcp from any to any port = 80 flags S/SA
pass in quick on fxp0 proto tcp from any to any port = 443 flags S/SA
pass in log quick on fxp0 proto udp from any to any port = 53 keep state
pass in log quick on fxp0 proto tcp from any to any port = 53 flags S keep state
--Jim
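Why the test from the FreeBSD box itself timed out while the one from a third box off 192.168.1 worked, as an added example that is not part of the original thread: a small Python model of the rdr reply path, built from the interfaces in the diagram and the three rdr lines in ipnat.rules. The xl0 address 192.168.1.1/24 and the client 192.168.1.50 are assumptions, not values from the post.

```python
import ipaddress

# OpenBSD gateway interfaces from the diagram in the post; the xl0 address is
# assumed (the post only says the third test box is "off 192.168.1").
GATEWAY = {
    "fxp0": ipaddress.ip_interface("10.0.0.2/24"),
    "ne1": ipaddress.ip_interface("172.16.10.1/24"),
    "xl0": ipaddress.ip_interface("192.168.1.1/24"),
}

# The three rdr lines from ipnat.rules: (iface, match, port, target, target_port)
RDR = [
    ("fxp0", "10.0.0.2/32", 80, "172.16.10.2", 8080),
    ("xl0", "10.0.0.2/32", 80, "172.16.10.2", 8080),
    ("ne1", "10.0.0.2/32", 80, "172.16.10.2", 8080),
]

def iface_for(addr):
    """Gateway interface whose subnet contains addr (None if not directly attached)."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, i in GATEWAY.items() if ip in i.network), None)

def apply_rdr(in_iface, dst, dport):
    """Rewrite (dst, dport) the way ipnat does for a packet arriving on in_iface."""
    for iface, match, port, target, tport in RDR:
        if (iface == in_iface and port == dport
                and ipaddress.ip_address(dst) in ipaddress.ip_network(match)):
            return target, tport
    return dst, dport

def trace_syn(client, dst, dport):
    """Follow one SYN and the server's SYN/ACK; report whether the reply comes
    back through the gateway, where ipnat can undo the rewrite."""
    in_iface = iface_for(client)
    new_dst, new_port = apply_rdr(in_iface, dst, dport)
    out_iface = iface_for(new_dst)
    # Forwarding back out the arrival interface is what the "icmp: redirect"
    # lines in the dump show. The server answers the untranslated client
    # address; a client on its own subnet gets that SYN/ACK directly, still
    # sourced from 172.16.10.2:8080, which the client's TCP stack ignores.
    hairpin = in_iface == out_iface
    return {"in_iface": in_iface, "translated_to": (new_dst, new_port),
            "out_iface": out_iface, "hairpin": hairpin, "works": not hairpin}

if __name__ == "__main__":
    for client in ("172.16.10.2", "192.168.1.50"):
        print(client, trace_syn(client, "10.0.0.2", 80))
```

The model only follows where the server's SYN/ACK goes and says nothing about the ipf rules. IPFilter's usual remedy for a client on the server's own subnet is a map rule on ne1 that rewrites the client's source to the gateway's ne1 address, so the reply is forced back through the NAT box.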