From owner-freebsd-ipfw Tue Jul 31 16:30:58 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from db.nexgen.com (db.nexgen.com [66.92.98.149]) by hub.freebsd.org (Postfix) with SMTP id 473D837B403 for ; Tue, 31 Jul 2001 16:30:56 -0700 (PDT) (envelope-from ml@db.nexgen.com)
Received: (qmail 91860 invoked from network); 31 Jul 2001 23:30:50 -0000
Received: from localhost.nexgen.com (HELO alexus) (root@127.0.0.1) by localhost.nexgen.com with SMTP; 31 Jul 2001 23:30:50 -0000
Message-ID: <000c01c11a18$d5fe13a0$0d00a8c0@alexus>
From: "alexus"
To:
Subject: pcAnywhere
Date: Tue, 31 Jul 2001 19:30:51 -0400
Organization: NexGen
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2499.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2499.0000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

i have a windows box behind nat (natd) w/ pcAnywhere 10

is it possible using ipfw somehow access this computer from outside?
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Tue Jul 31 20:27:22 2001
Date: Tue, 31 Jul 2001 22:27:07 -0500 (EST)
From: Andre LeClaire
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: pcAnywhere
In-Reply-To: <000c01c11a18$d5fe13a0$0d00a8c0@alexus>

Yes, you can do this using natd's -redirect_port option. The ports
you need to redirect are TCP 5631 and UDP 5632.

Andre

On Tue, 31 Jul 2001, alexus wrote:

> i have a windows box behind nat (natd) w/ pcAnywhere 10
>
> is it possible using ipfw somehow access this computer from outside?
From owner-freebsd-ipfw Tue Jul 31 20:50:09 2001
Message-Id: <200108010349.f713nax74729@grumpy.dyndns.org>
To: "alexus"
Cc: freebsd-ipfw@FreeBSD.ORG
From: David Kelly
Subject: Re: pcAnywhere
In-reply-to: Message from "alexus" of "Tue, 31 Jul 2001 19:30:51 EDT." <000c01c11a18$d5fe13a0$0d00a8c0@alexus>
Date: Tue, 31 Jul 2001 22:49:36 -0500

"alexus" writes:
> i have a windows box behind nat (natd) w/ pcAnywhere 10
>
> is it possible using ipfw somehow access this computer from outside?

Have been told PCanywhere runs on the ssh port, 22.

You can always tell ipfw to log your TCP rejects, hit the system with
PCanywhere, and see what is logged. Then write a rule to allow it.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
From owner-freebsd-ipfw Tue Jul 31 21:15:04 2001
Date: Tue, 31 Jul 2001 23:14:58 -0500 (EST)
From: Andre LeClaire
To: David Kelly
Cc: alexus, freebsd-ipfw@FreeBSD.ORG
Subject: Re: pcAnywhere
In-Reply-To: <200108010349.f713nax74729@grumpy.dyndns.org>

It depends on the version of pcAnywhere. Versions 2.0 - 7.51 use TCP
port 65301 and UDP port 22. Versions 7.52 - 10.0 use TCP port 5631 and
UDP port 5632. Versions 8.x and 9.0 are also supposed to be able to
detect the port scheme used by the previous versions and switch over
to it.

Andre

On Tue, 31 Jul 2001, David Kelly wrote:

> "alexus" writes:
> > i have a windows box behind nat (natd) w/ pcAnywhere 10
> >
> > is it possible using ipfw somehow access this computer from outside?
>
> Have been told PCanywhere runs on the ssh port, 22.
>
> You can always tell ipfw to log your TCP rejects, hit the system with
> PCanywhere, and see what is logged. Then write a rule to allow it.
> --
> David Kelly N4HHE, dkelly@hiwaay.net
> =====================================================================
> The human mind ordinarily operates at only ten percent of its
> capacity -- the rest is overhead for the operating system.

From owner-freebsd-ipfw Wed Aug 1 15:39:24 2001
Message-ID: <000801c11adb$29da7ff0$650110ac@nachpolierer>
From: "Dennis Berger"
To:
Subject: ipfw dynamic-rules
Date: Thu, 2 Aug 2001 00:41:54 +0200

Hi,
following devices are attached.

tun0: dynamic-IP
rl0: 10.0.0.148 <-- is connected to the adsl-modem
xl0: 172.16.1.1

Ok now here is my Problem. I have IPFW set up with the following ruleset
------------------------------------------------------------------
fwcmd="/sbin/ipfw"

$fwcmd -f flush
$fwcmd add 20 pass all from any to any via lo0
$fwcmd add 30 pass all from any to any via rl0
$fwcmd add 40 pass all from any to any via xl0

$fwcmd add 50 deny log all from 192.168.0.0/16 to any in via tun0
$fwcmd add 60 deny log all from 172.16.0.0/12 to any in via tun0
$fwcmd add 70 deny log all from 10.0.0.0/8 to any in via tun0
$fwcmd add 80 deny log all from 127.0.0.0/8 to any in via tun0
$fwcmd add 90 deny log all from 0.0.0.0/8 to any in via tun0
$fwcmd add 100 deny log all from 169.254.0.0/16 to any in via tun0
$fwcmd add 110 deny log all from 192.0.2.0/24 to any in via tun0
$fwcmd add 120 deny log all from 204.152.64.0/23 to any in via tun0
$fwcmd add 130 deny log all from 224.0.0.0/3 to any in via tun0

$fwcmd add 131 count tcp from any to any via tun0
$fwcmd add 132 count udp from any to any 27000-28000 out via tun0
$fwcmd add 133 count tcp from any 1024-65535 to any 21 in via tun0
$fwcmd add 134 count tcp from any 20 to any 1024-65535 out via tun0
$fwcmd add 135 count tcp from any 49153-65535 to any 1024-65535 out via tun0
$fwcmd add 136 count tcp from any to any 80 in via tun0
$fwcmd add 136 count tcp from any to any 80 out via tun0

$fwcmd add 140 pipe 1 tcp from any to any 22,1494 via tun0
$fwcmd add 141 pipe 2 udp from any to any 27000-28000 out via tun0
$fwcmd add 142 pipe 3 tcp from any to any in via tun0
$fwcmd add 143 pipe 4 tcp from any to any out via tun0
$fwcmd pipe 1 config bandwidth 0 queue 10Kbyte
$fwcmd pipe 2 config bandwidth 0 queue 20Kbyte
$fwcmd pipe 3 config bandwidth 728Kbit/s queue 50Kbyte
$fwcmd pipe 4 config bandwidth 96Kbit/s queue 10Kbyte

$fwcmd add 149 divert natd ip from any to any via tun0
$fwcmd add 160 check-state

$fwcmd add 200 pass icmp from any to any in via tun0 icmptypes 0,11
$fwcmd add 210 pass tcp from any to any 22 in via tun0 keep-state tcpflags syn
$fwcmd add 220 pass tcp from any to any 80 in via tun0 keep-state tcpflags syn
$fwcmd add 230 pass tcp from any to any 443 in via tun0 keep-state tcpflags syn
$fwcmd add 240 pass tcp from any to any 21 in via tun0 keep-state tcpflags syn
$fwcmd add 250 pass tcp from any 1024-65535 to any 49153-65535 in via tun0 keep-state tcpflags syn
$fwcmd add 260 deny udp from any to 192.246.40.56 out via tun0
$fwcmd add 270 deny log tcp from any to any 6666-6669 out via tun0
$fwcmd add 280 pass tcp from any to any out via tun0 setup keep-state
$fwcmd add 290 pass udp from any to any out via tun0 keep-state
$fwcmd add 300 pass icmp from any to any out via tun0 keep-state
$fwcmd add 65530 deny log all from any to any
-------------------------------------------------------------------
and the following natd.cf
--------------------------------------
redirect_port udp 127.0.0.1:27952 192.246.40.56:27952
use_sockets yes
unregistered_only no
interface tun0
dynamic yes
same_ports yes
punch_fw 500:100
--------------------------------------
Ok when a packet tries to go out it passes the divert rule and gets
rewritten; now it passes, rewritten with my external IP, the keep-state
rule. This rule adds a dynamic rule like this

00280 2 96 (T 6, # 49) ty 0 tcp, 213.23.32.173 4264 <-> 216.239.35.100 80

that's ok. now the packet from the external host comes back with source
ip 216.239.35.100 and destination IP 213.32.23.173 which is my EXTERNAL
ip. it passes the ruleset and gets rewritten by the divert rule to
source-IP 216.239.35.100 and Destination-IP 172.16.1.101 (this is my
client on LAN). But let us remember which was the dynamic rule created
by the keep-state one. So the packet rewritten by the divert rule CAN'T
pass the dynamic rule created by the keep-state rule.

Aug  2 00:31:38 Nipsi /kernel: ipfw: 65530 Deny TCP 216.136.35.100:80 172.16.1.101:4262 in via tun0

How could I fix this, or which is the clean implementation of
keep-state rules in combination with divert rules?
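The packet walk in the message above can be reproduced with a small model of ipfw's rule evaluation. This is an added illustration, not ipfw source and not the poster's configuration: it models only divert, check-state, keep-state, skipto, pass and deny for TCP, uses the addresses from the post, and contrasts the posted order with one commonly used ordering (an assumption here, to be checked against your ipfw version) that creates state on the untranslated outbound packet and translates inbound packets before check-state.

```python
# Toy model of ipfw evaluation with a natd divert rule, keep-state and
# check-state. Added illustration, not ipfw code: TCP only, one LAN host,
# no timeouts. Addresses are the ones from the post above.
EXT_IP = "213.23.32.173"   # tun0 address
LAN_IP = "172.16.1.101"    # LAN client behind natd
WEB = "216.239.35.100"     # external web server

class Natd:
    """Minimal natd: outbound source becomes EXT_IP (same_ports yes), and a
    reply to EXT_IP on a known port is mapped back to the LAN host."""
    def __init__(self):
        self.table = {}                      # external port -> (lan ip, port)

    def divert(self, pkt):
        p = dict(pkt)
        if p["dir"] == "out":
            self.table[p["sport"]] = (p["src"], p["sport"])
            p["src"] = EXT_IP
        elif p["dst"] == EXT_IP and p["dport"] in self.table:
            p["dst"], p["dport"] = self.table[p["dport"]]
        return p

def flow(pkt):
    """Direction-independent key, as a dynamic rule matches both ways."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def run(rules, pkt, natd, dyn):
    """Walk rules in order; return (verdict, packet as it leaves the firewall).
    rules: (number, action, match) where action is 'pass', 'deny', 'divert',
    'check-state' or 'skipto N', optionally suffixed '+keep-state'."""
    i = 0
    while i < len(rules):
        num, action, match = rules[i]
        i += 1
        if action == "check-state":
            action = dyn.get(flow(pkt))      # creating rule's action, or None
            if action is None:
                continue
        elif not match(pkt):
            continue
        if action == "divert":
            pkt = natd.divert(pkt)           # rewritten packet keeps going
            continue
        base = action.replace("+keep-state", "")
        if base != action:
            dyn[flow(pkt)] = base            # keyed on the addresses seen HERE
        if base in ("pass", "deny"):
            return base, pkt
        target = int(base.split()[1])        # skipto: first rule >= target
        i = next(k for k, r in enumerate(rules) if r[0] >= target)
    return "deny", pkt

# The posted order: divert runs before keep-state, so the dynamic rule is
# keyed on EXT_IP, but the reply is translated back to LAN_IP before
# check-state sees it and never matches.
ORIGINAL = [
    (149, "divert", lambda p: True),
    (160, "check-state", None),
    (280, "pass+keep-state", lambda p: p["dir"] == "out" and p["syn"]),
    (65530, "deny", lambda p: True),
]
# One fix (assumed ordering): translate inbound packets first, create state
# on the untranslated outbound packet with skipto, and divert/pass at the
# skipto target. A check-state hit re-runs that skipto in both directions.
CORRECTED = [
    (100, "divert", lambda p: p["dir"] == "in"),
    (160, "check-state", None),
    (280, "skipto 1000+keep-state", lambda p: p["dir"] == "out" and p["syn"]),
    (900, "deny", lambda p: True),
    (1000, "divert", lambda p: p["dir"] == "out"),
    (1010, "pass", lambda p: True),
]

def simulate(rules):
    """Send one SYN out from the LAN and the server's reply back in."""
    natd, dyn = Natd(), {}
    syn = {"src": LAN_IP, "sport": 4264, "dst": WEB, "dport": 80,
           "dir": "out", "syn": True}
    out_verdict, _ = run(rules, syn, natd, dyn)
    reply = {"src": WEB, "sport": 80, "dst": EXT_IP, "dport": 4264,
             "dir": "in", "syn": False}
    in_verdict, in_pkt = run(rules, reply, natd, dyn)
    return out_verdict, in_verdict, in_pkt["dst"]

if __name__ == "__main__":
    print("original :", simulate(ORIGINAL))   # ('pass', 'deny', '172.16.1.101')
    print("corrected:", simulate(CORRECTED))  # ('pass', 'pass', '172.16.1.101')
```

With the posted order the reply is denied after translation, exactly the 65530 log line quoted above; with the skipto ordering the dynamic rule is keyed on the LAN address and the translated reply matches it.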
From owner-freebsd-ipfw Wed Aug 1 16:28:35 2001
Message-ID: <009701c11ae1$ab2a6290$0d00a8c0@alexus>
From: "alexus"
To: "Andre LeClaire"
Cc:
Subject: Re: pcAnywhere
Date: Wed, 1 Aug 2001 19:28:28 -0400
Organization: NexGen

i understand that;)

which command should i use in order to get it to work?

----- Original Message -----
From: "Andre LeClaire"
To: "alexus"
Cc:
Sent: Tuesday, July 31, 2001 11:27 PM
Subject: Re: pcAnywhere

> Yes, you can do this using natd's -redirect_port option. The ports
> you need to redirect are TCP 5631 and UDP 5632.
>
> Andre
>
>
> On Tue, 31 Jul 2001, alexus wrote:
>
> > i have a windows box behind nat (natd) w/ pcAnywhere 10
> >
> > is it possible using ipfw somehow access this computer from outside?
From owner-freebsd-ipfw Wed Aug 1 18:38:23 2001
Message-Id: <200108020137.f721bnx84229@grumpy.dyndns.org>
To: "alexus"
Cc: freebsd-ipfw@FreeBSD.ORG
From: David Kelly
Subject: Re: pcAnywhere
In-reply-to: Message from "alexus" of "Wed, 01 Aug 2001 19:28:51 EDT." <009d01c11ae1$b95f2a30$0d00a8c0@alexus>
Date: Wed, 01 Aug 2001 20:37:49 -0500

"alexus" writes:
> how would i do that?

If your ipfw rules are derived from the standard FreeBSD /etc/rc.firewall
then the last rule applied is probably the one blocking pcAnywhere:

    ${fwcmd} add deny ip from any to any

so add the word "log" as shown below:

    ${fwcmd} add deny log ip from any to any

Then "ipfw -a list" from the shell will show your current rules and how
many hits on each rule.

OK, a bit easier from the top. Make sure ipfw is running and discover
what rules are being applied at this moment:

    ipfw -a list

Study the output of the above for whatever rule you suspect is blocking
pcAnywhere. In my case it's probably this one (have deleted the rest):

    02400 7319 938531 deny log ip from any to any

But as you can see I'm already logging it. If I wasn't then without
messing with /etc/rc.firewall (or wherever your rules come from) we
could manually insert a rule in front of the above on the fly without
hurting anything in progress (no reboot, also assuming ipfw logging is
enabled):

    ipfw add 2390 deny log ip from any to any

Then "ipfw -a list" might show (once again I've only cut/pasted the
lines which apply to our discussion):

    02390 0 0 deny log ip from any to any
    02400 7320 938859 deny log ip from any to any

Now, when pcAnywhere hits your system and tries to get thru you should
see something about it in /var/log/security. Here is the closest thing
I can find at the moment in my log:

    Aug 1 20:24:51 grumpy /kernel: ipfw: 2400 Deny UDP 24.214.56.96:50329 24.214.63.26:67 in via fxp0

The above says port 50329 at 24.214.56.96 tried UDP to my port 67.
You'll find something like that telling you what the pcAnywhere is
trying to get thru. You'll know it's pcAnywhere because you know the IP
address of the PC. Others have already said pcAnywhere uses a range of
ports, and the range depends on what version it is.

Once you have found where the blockage is you can manually add/delete
ipfw rules one at a time from the shell command line as we did above.
I'm going to clean up my mess:

    ipfw delete 2390

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
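The log-reading step described above (find the deny lines for the client's address, note protocol and port) can be scripted. The following is an added example, not code from this thread: a small Python parser for the kernel's ipfw log line format quoted above, run over a constructed sample log in which a client at the made-up address 10.1.2.3 stands in for the pcAnywhere PC.

```python
import re
from collections import Counter

# Matches the kernel ipfw log format seen in /var/log/security, e.g.
# "ipfw: 2400 Deny UDP 24.214.56.96:50329 24.214.63.26:67 in via fxp0".
# Ports are optional because ICMP lines carry "ICMP:type.code" and no ports.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+(?::[\d.]+)?) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def denied_inbound_from(lines, client_ip):
    """Count (proto, dport) of inbound packets that ipfw denied from client_ip.
    The port that turns up repeatedly is the one the firewall has to open."""
    hits = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if (rec and rec["action"] == "Deny" and rec["dir"] == "in"
                and rec["src"] == client_ip):
            hits[(rec["proto"], rec["dport"])] += 1
    return hits

# Constructed sample log. The first line is the one quoted in the mail
# above; the others are made up here for a client at 10.1.2.3 (not a real
# host) talking to a firewall at 24.214.63.26 on fxp0.
SAMPLE_LOG = """\
Aug  1 20:24:51 grumpy /kernel: ipfw: 2400 Deny UDP 24.214.56.96:50329 24.214.63.26:67 in via fxp0
Aug  1 20:30:02 grumpy /kernel: ipfw: 2400 Deny TCP 10.1.2.3:1043 24.214.63.26:5631 in via fxp0
Aug  1 20:30:02 grumpy /kernel: ipfw: 2400 Deny UDP 10.1.2.3:1044 24.214.63.26:5632 in via fxp0
Aug  1 20:30:05 grumpy /kernel: ipfw: 2400 Deny TCP 10.1.2.3:1045 24.214.63.26:5631 in via fxp0
Aug  1 20:30:07 grumpy /kernel: ipfw: 2400 Deny ICMP:8.0 10.1.2.3 24.214.63.26 in via fxp0
Aug  1 20:31:00 grumpy /kernel: ipfw: 2400 Deny TCP 24.214.63.26:1046 10.1.2.3:80 out via fxp0
"""

def report(log_text, client_ip):
    """Sorted (proto, port, count) rows, busiest first, for client_ip."""
    hits = denied_inbound_from(log_text.splitlines(), client_ip)
    return sorted(((p, d, n) for (p, d), n in hits.items()),
                  key=lambda row: -row[2])

if __name__ == "__main__":
    for proto, port, count in report(SAMPLE_LOG, "10.1.2.3"):
        print(f"{proto:<9} port {port!s:<5} denied {count}x")
```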
From owner-freebsd-ipfw Wed Aug 1 19:55:34 2001
Date: Wed, 1 Aug 2001 21:55:20 -0500 (EST)
From: Andre LeClaire
To: alexus
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: pcAnywhere
In-Reply-To: <009701c11ae1$ab2a6290$0d00a8c0@alexus>

The natd man page really explains it pretty well (even has a couple of
examples). Say, for example, your inside machine's IP address is
192.168.0.1, then you would add to /etc/natd.conf:

    redirect_port tcp 192.168.0.1:5631 5631
    redirect_port udp 192.168.0.1:5632 5632

then add "-f /etc/natd.conf" to the natd flags in /etc/rc.conf (if you
haven't already done so). Reboot, and you're ready to go!

Andre

On Wed, 1 Aug 2001, alexus wrote:

> i understand that;)
>
> which command should i use in order to get it to work?
>
> > Yes, you can do this using natd's -redirect_port option. The ports
> > you need to redirect are TCP 5631 and UDP 5632.
> >
> > Andre
> >
> >
> > On Tue, 31 Jul 2001, alexus wrote:
> >
> > > i have a windows box behind nat (natd) w/ pcAnywhere 10
> > >
> > > is it possible using ipfw somehow access this computer from outside?
From owner-freebsd-ipfw Thu Aug 2 15:51:57 2001
Message-ID: <000901c11ba5$b2f6ff50$0d00a8c0@alexus>
From: "alexus"
To: "Andre LeClaire"
Cc:
Subject: Re: pcAnywhere
Date: Thu, 2 Aug 2001 18:51:42 -0400
Organization: NexGen

i don't have /etc/natd.conf

if i only put those lines that you gave me will my NAT work?

----- Original Message -----
From: "Andre LeClaire"
To: "alexus"
Cc:
Sent: Wednesday, August 01, 2001 10:55 PM
Subject: Re: pcAnywhere

> The natd man page really explains it pretty well (even has a couple of
> examples). Say, for example, your inside machine's IP address is
> 192.168.0.1, then you would add to /etc/natd.conf:
>
> redirect_port tcp 192.168.0.1:5631 5631
> redirect_port udp 192.168.0.1:5632 5632
>
> then add "-f /etc/natd.conf" to the natd flags in /etc/rc.conf (if you
> haven't already done so). Reboot, and you're ready to go!
>
> Andre
>
>
> On Wed, 1 Aug 2001, alexus wrote:
>
> > i understand that;)
> >
> > which command should i use in order to get it to work?
> >
> > > Yes, you can do this using natd's -redirect_port option. The ports
> > > you need to redirect are TCP 5631 and UDP 5632.
> > >
> > > Andre
> > >
> > >
> > > On Tue, 31 Jul 2001, alexus wrote:
> > >
> > > > i have a windows box behind nat (natd) w/ pcAnywhere 10
> > > >
> > > > is it possible using ipfw somehow access this computer from outside?

From owner-freebsd-ipfw Fri Aug 3 00:20:41 2001
Message-ID: <3B6A5129.406F6F4B@i-clue.de>
Date: Fri, 03 Aug 2001 09:22:17 +0200
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: alexus
Cc: Andre LeClaire, freebsd-ipfw@FreeBSD.ORG
Subject: Re: pcAnywhere
References: <000901c11ba5$b2f6ff50$0d00a8c0@alexus>

alexus wrote:
>
> i don't have /etc/natd.conf
>
> if i only put those lines that you gave me will my NAT work?

/etc/natd.conf is not needed in most cases, because the default
settings will work out of the box for most users. Just create the
file, and put the redirect directives in.

HTH
-Christoph Sold

> ----- Original Message -----
> From: "Andre LeClaire"
> > The natd man page really explains it pretty well (even has a couple of
> > examples). Say, for example, your inside machine's IP address is
> > 192.168.0.1, then you would add to /etc/natd.conf:
> >
> > redirect_port tcp 192.168.0.1:5631 5631
> > redirect_port udp 192.168.0.1:5632 5632
> >
> > then add "-f /etc/natd.conf" to the natd flags in /etc/rc.conf (if you
> > haven't already done so). Reboot, and you're ready to go!
> >
> > On Wed, 1 Aug 2001, alexus wrote:
> >
> > > i understand that;)
> > >
> > > which command should i use in order to get it to work?
> > >
> > > > Yes, you can do this using natd's -redirect_port option. The ports
> > > > you need to redirect are TCP 5631 and UDP 5632.
> > > >
> > > > On Tue, 31 Jul 2001, alexus wrote:
> > > >
> > > > > i have a windows box behind nat (natd) w/ pcAnywhere 10
> > > > >
> > > > > is it possible using ipfw somehow access this computer from outside?