
Re: Weird Firewall Behavior with "Host unreachable" Messages (3.1)



I've seen cases where certain programs expect to send data back on 
specific port(s) which doesn't work when a system is behind a firewall 
or proxy server. I went to the realtick.com website and did a search on 
the word "firewall" and this is what I found:

http://www.realtick.com/v2_getpage.asp?subnav=true&page=supp_faqs_tech_0321

Is this applicable to you?

Regards,

Tony

On Thursday 26 September 2002 22:32 pm, Jason Haag wrote:
> Hi,
>
> I have a really weird problem with an application called "RealTick"
> (www.realtick.com). It includes an authentication step that always
> times out when behind an OpenBSD 3.1-stable (August 2002, GENERIC
> kernel) firewall. The client tries to connect to a set of
> authentication servers. The client is not able to connect to any of
> them.
>
> It does work when plugging the client directly on the public Internet
> or when using a NAT box based on some flavor of Linux that is old and
> stinky.
>
> I did some tcpdumps on both interfaces of the firewall (see below); I
> see the traffic flowing through, but on the internal interface I get
> "icmp: host a.b.c.d unreachable" messages right before the return
> packet from exactly that host comes through.
>
> For troubleshooting, I have disabled the ruleset and only left NAT. I
> get the same result as with the ruleset.
>
> If anyone has any insight on what parameters I could try to adjust, I
> am happy for any help you can offer.
>
> Thanks,
> -Jason
>
> pf.conf is empty
>
> Nat.conf:
> =====
> rdr on de0 from 192.168.0.4 to any port 21 -> 127.0.0.1 port 8081
> binat on ep0 from 192.168.0.4 to any -> PublicIP2
> binat on ep0 from 192.168.0.6 to any -> PublicIP3
> binat on ep0 from 192.168.0.102 to any -> PublicIP4
>
> # FTP proxy
> rdr on de0 from any to any port 21 -> 127.0.0.1 port 8081
>
> # standard NAT mappings
> nat on ep0 from 192.168.0.0/24 to any -> PublicIP1
> =====
>
> On the internal interface (192.168.0.1):
> =====
> tcpdump: listening on de0
> 00:41:20.332258 192.168.0.101.2341 > 63.75.60.179.1724: S
> 978684598:978684598(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:41:20.332570 192.168.0.1 > 192.168.0.101: icmp: host 63.75.60.179
> unreachable
> 00:41:21.262762 63.75.60.179.1724 > 192.168.0.101.2341: S
> 627216114:627216114(0) ack 978622199 win 8760 <mss 1460> (DF)
> 00:41:21.263046 192.168.0.101.2341 > 63.75.60.179.1724: R
> 978622199:978622199(0) win 0
> 00:41:21.263335 192.168.0.1 > 192.168.0.101: icmp: host 63.75.60.179
> unreachable
> 00:41:34.484143 63.75.60.179.1724 > 192.168.0.101.2341: S
> 627216114:627216114(0) ack 978622199 win 8760 <mss 1460> (DF)
> 00:41:34.484494 192.168.0.101.2341 > 63.75.60.179.1724: R
> 978622199:978622199(0) win 0
> 00:41:34.484804 192.168.0.1 > 192.168.0.101: icmp: host 63.75.60.179
> unreachable
> 00:42:02.396012 192.168.0.101.2342 > 63.75.61.78.1838: S
> 991481764:991481764(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:02.444905 63.75.61.78.1838 > 192.168.0.101.2342: S
> 26369892:26369892(0) ack 991481765 win 8760 <mss 1460> (DF)
> 00:42:02.445212 192.168.0.101.2342 > 63.75.61.78.1838: . ack 1 win
> 64240 (DF)
> 00:42:02.445501 192.168.0.101.2342 > 63.75.61.78.1838: P 1:23(22) ack
> 1 win 64240 (DF)
> 00:42:02.494121 63.75.61.78.1838 > 192.168.0.101.2342: P 1:6(5) ack
> 23 win 8738 (DF)
> 00:42:02.494462 192.168.0.101.2342 > 63.75.61.78.1838: F 23:23(0) ack
> 6 win 64235 (DF)
> 00:42:02.494974 63.75.61.78.1838 > 192.168.0.101.2342: F 6:6(0) ack
> 23 win 8738 (DF)
> 00:42:02.495203 192.168.0.101.2342 > 63.75.61.78.1838: . ack 7 win
> 64235 (DF)
> 00:42:02.498553 192.168.0.101.2343 > 63.75.61.78.1724: S
> 991562794:991562794(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:02.499792 192.168.0.101.2343 > 63.75.61.78.1724: S
> 991625827:991625827(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:02.541715 63.75.61.78.1838 > 192.168.0.101.2342: . ack 24 win
> 8738 (DF)
> 00:42:02.546656 63.75.61.78.1724 > 192.168.0.101.2343: . ack
> 991562795 win 8760 (DF)
> 00:42:02.546920 192.168.0.101.2343 > 63.75.61.78.1724: R
> 991562795:991562795(0) win 0
> 00:42:02.547275 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78
> unreachable
> 00:42:02.547541 63.75.61.78.1724 > 192.168.0.101.2343: S
> 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
> 00:42:02.547733 192.168.0.101.2343 > 63.75.61.78.1724: R
> 991562795:991562795(0) win 0
> 00:42:02.548015 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78
> unreachable
> 00:42:05.495947 192.168.0.101.2343 > 63.75.61.78.1724: S
> 991625827:991625827(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:05.496511 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78
> unreachable
> 00:42:05.521803 63.75.61.78.1724 > 192.168.0.101.2343: S
> 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
> 00:42:05.522043 192.168.0.101.2343 > 63.75.61.78.1724: R
> 991562795:991562795(0) win 0
> 00:42:05.522391 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78
> unreachable
> =====
>
> On the external interface:
> # tcpdump -ni ep0 net 63.75.0.0/16
> =====
> tcpdump: listening on ep0
> 00:42:02.396233 MyPublicIP.52811 > 63.75.61.78.1838: S
> 991481764:991481764(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:02.444633 63.75.61.78.1838 > MyPublicIP.52811: S
> 26369892:26369892(0) ack 991481765 win 8760 <mss 1460> (DF)
> 00:42:02.445386 MyPublicIP.52811 > 63.75.61.78.1838: . ack 1 win
> 64240 (DF)
> 00:42:02.445637 MyPublicIP.52811 > 63.75.61.78.1838: P
> 1:23(22) ack 1 win 64240 (DF)
> 00:42:02.493833 63.75.61.78.1838 > MyPublicIP.52811: P 1:6(5) ack 23
> win 8738 (DF)
> 00:42:02.494641 MyPublicIP.52811 > 63.75.61.78.1838: F 23:23(0) ack 6
> win 64235 (DF)
> 00:42:02.494732 63.75.61.78.1838 > MyPublicIP.52811: F 6:6(0) ack 23
> win 8738 (DF)
> 00:42:02.495372 MyPublicIP.52811 > 63.75.61.78.1838: . ack 7 win
> 64235 (DF)
> 00:42:02.498741 MyPublicIP.58656 > 63.75.61.78.1724: S
> 991562794:991562794(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:02.499960 MyPublicIP.58656 > 63.75.61.78.1724: S
> 991625827:991625827(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
> 00:42:02.541440 63.75.61.78.1838 > MyPublicIP.52811: . ack 24 win
> 8738 (DF)
> 00:42:02.546415 63.75.61.78.1724 > MyPublicIP.58656: . ack
> 991562795 win 8760 (DF)
> 00:42:02.547322 63.75.61.78.1724 > MyPublicIP.58656: S
> 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
> 00:42:05.521502 63.75.61.78.1724 > MyPublicIP.58656: S
> 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
> 00:42:11.528873 63.75.61.78.1724 > MyPublicIP.58656: S
> 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
> =====

-- 
Anthony Schlemmer
aschlemm_(_at_)_attbi_(_dot_)_com

Adult, n.:
	One old enough to know better.
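As an added example (not code from the thread, from OpenBSD or from RealTick), here is a small Python script that parses the internal-interface tcpdump output quoted above and correlates it per flow: it checks whether each SYN/ACK or bare ACK from the authentication server acknowledges the client's most recent initial sequence number, counts the client's resets, and records which client packet each of the gateway's ICMP host-unreachable messages follows. The trace it runs over is transcribed from Jason's capture (the port 2341 and 2343 flows only), with the mail quoting and line wrapping removed; the gateway address 192.168.0.1 is taken from the post, and the classic tcpdump line format it parses is the one the post shows.

```python
"""Correlate a tcpdump trace of a TCP handshake that keeps failing behind a NAT gateway.

Added example for this thread; not code from the post, from OpenBSD or from RealTick.
For each client/server flow it checks whether every SYN/ACK (or bare ACK) from the
server acknowledges the client's most recent ISN, and notes which client packet each
gateway ICMP "host unreachable" follows. TRACE is transcribed from the post's
internal-interface capture (port 2341 and 2343 flows), quoting and wraps removed.
"""
import re
from collections import defaultdict

# Classic tcpdump TCP line: "ts src.port > dst.port: FLAGS [seq:end(len)] [ack N] ..."
TCP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SRFP.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?"
)
# Gateway-generated ICMP: "ts gw > client: icmp: host X unreachable"
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) > (?P<dst>\S+): icmp: host (?P<host>\S+) unreachable"
)

GATEWAY = "192.168.0.1"  # internal address of the firewall, from the post

TRACE = """\
00:41:20.332258 192.168.0.101.2341 > 63.75.60.179.1724: S 978684598:978684598(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
00:41:20.332570 192.168.0.1 > 192.168.0.101: icmp: host 63.75.60.179 unreachable
00:41:21.262762 63.75.60.179.1724 > 192.168.0.101.2341: S 627216114:627216114(0) ack 978622199 win 8760 <mss 1460> (DF)
00:41:21.263046 192.168.0.101.2341 > 63.75.60.179.1724: R 978622199:978622199(0) win 0
00:41:21.263335 192.168.0.1 > 192.168.0.101: icmp: host 63.75.60.179 unreachable
00:41:34.484143 63.75.60.179.1724 > 192.168.0.101.2341: S 627216114:627216114(0) ack 978622199 win 8760 <mss 1460> (DF)
00:41:34.484494 192.168.0.101.2341 > 63.75.60.179.1724: R 978622199:978622199(0) win 0
00:41:34.484804 192.168.0.1 > 192.168.0.101: icmp: host 63.75.60.179 unreachable
00:42:02.498553 192.168.0.101.2343 > 63.75.61.78.1724: S 991562794:991562794(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
00:42:02.499792 192.168.0.101.2343 > 63.75.61.78.1724: S 991625827:991625827(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
00:42:02.546656 63.75.61.78.1724 > 192.168.0.101.2343: . ack 991562795 win 8760 (DF)
00:42:02.546920 192.168.0.101.2343 > 63.75.61.78.1724: R 991562795:991562795(0) win 0
00:42:02.547275 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78 unreachable
00:42:02.547541 63.75.61.78.1724 > 192.168.0.101.2343: S 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
00:42:02.547733 192.168.0.101.2343 > 63.75.61.78.1724: R 991562795:991562795(0) win 0
00:42:02.548015 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78 unreachable
00:42:05.495947 192.168.0.101.2343 > 63.75.61.78.1724: S 991625827:991625827(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
00:42:05.496511 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78 unreachable
00:42:05.521803 63.75.61.78.1724 > 192.168.0.101.2343: S 26369900:26369900(0) ack 991562795 win 8760 <mss 1460> (DF)
00:42:05.522043 192.168.0.101.2343 > 63.75.61.78.1724: R 991562795:991562795(0) win 0
00:42:05.522391 192.168.0.1 > 192.168.0.101: icmp: host 63.75.61.78 unreachable
"""


def analyse(trace, gateway):
    """Return {(client ip, client port, server ip, server port): summary dict}."""
    def new_flow():
        return {"syns": 0, "isns": [], "stale_acks": 0, "rsts": 0,
                "established": False, "unreach_after": []}

    flows = defaultdict(new_flow)
    last_isn = {}         # flow key -> ISN of the client's most recent SYN
    last_client_pkt = {}  # (client ip, server ip) -> (flow key, flags of last client packet)
    for line in trace.splitlines():
        m = TCP_RE.match(line)
        if m:
            sip, sport, dip, dport = m["sip"], int(m["sport"]), m["dip"], int(m["dport"])
            flags = m["flags"]
            ack = int(m["ack"]) if m["ack"] else None
            c2s, s2c = (sip, sport, dip, dport), (dip, dport, sip, sport)
            if "S" in flags and ack is None:
                # Client SYN: opens the flow or re-sends on it, possibly with a new ISN
                f = flows[c2s]
                f["syns"] += 1
                isn = int(m["seq"])
                if isn not in f["isns"]:
                    f["isns"].append(isn)
                last_isn[c2s] = isn
                last_client_pkt[(sip, dip)] = (c2s, flags)
            elif c2s in flows:
                # Other client packet: a RST, or the ACK that completes the handshake
                f = flows[c2s]
                if "R" in flags:
                    f["rsts"] += 1
                elif ack is not None:
                    f["established"] = True
                last_client_pkt[(sip, dip)] = (c2s, flags)
            elif s2c in flows:
                # Server packet: until the handshake completes its ack must equal ISN+1
                f = flows[s2c]
                if ack is not None and not f["established"]:
                    if ack != (last_isn[s2c] + 1) % 2**32:
                        f["stale_acks"] += 1
            continue
        m = ICMP_RE.match(line)
        if m and m["gw"] == gateway:
            # Attribute the unreachable to the client's last packet toward that host
            hit = last_client_pkt.get((m["dst"], m["host"]))
            if hit:
                flows[hit[0]]["unreach_after"].append(hit[1])
    return dict(flows)


def summarise():
    """Analyse the transcribed trace with the post's gateway address."""
    return analyse(TRACE, GATEWAY)


if __name__ == "__main__":
    for k, f in summarise().items():
        print(f"{k[0]}:{k[1]} -> {k[2]}:{k[3]}: {f['syns']} SYN(s), ISNs {f['isns']}, "
              f"{f['stale_acks']} server ack(s) != ISN+1, {f['rsts']} RST(s), "
              f"gateway unreachable after client flags {f['unreach_after']}")
```

On this trace the script reports that every SYN/ACK (and the one bare ACK) from the server acknowledges a sequence number the client had already replaced with a newer SYN (978622199 and 991562795, rather than ISN+1 for 978684598 and 991625827), which is why the client answers each of them with a RST, and that the gateway's ICMP unreachables follow packets the client itself sent (its SYNs and RSTs), never packets from the server. Because those unreachables carry the firewall's own internal address as their source, the next thing to check is the firewall's state table (pfctl -s state) for an entry on the same client port that the reused source port and changed ISN may no longer match; the script only establishes the sequence-number mismatch, not what the firewall did with it.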
