Date: Thu, 05 Oct 2000 19:54:20 +0200
From: Luke Roberts <luke@roberts.nl>
To: freebsd-questions@freebsd.org
Cc: Ruslan Ermilov <ru@sunbay.com>
Subject: Re: NATD redirect problems for traffic coming from TCP port 41
Message-ID: <5.0.0.25.2.20001005195250.00a24300@pop.roberts.nl>
From Ruslan Ermilov's keyboard:

<snip>

> The
> redirect_port tcp 192.168.0.8:1024-10026 1024-10026 194.151.107.44:40-9042
> is just a short form of specifying 9003 rules like this:
>
> redirect_port tcp 192.168.0.8:1024 1024 194.151.107.44:40
> redirect_port tcp 192.168.0.8:1025 1025 194.151.107.44:41
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> redirect_port tcp 192.168.0.8:1026 1026 194.151.107.44:42
> ...
> redirect_port tcp 192.168.0.8:10025 10025 194.151.107.44:9041
> redirect_port tcp 192.168.0.8:10026 10026 194.151.107.44:9042

True! (I suppose it is overkill)

> I.e., inside libalias(3), they will be stored as 9003 individual rules.
> This does mean that natd will do the following redirections, assuming
> that 213.73.148.57 is the main aliasing IP:

True too!

> IN  [TCP] [TCP] 194.151.107.44:41 -> 213.73.148.57:1025
>           [TCP] 194.151.107.44:41 -> 192.168.0.8:1025
>
> and vice versa:
>
> OUT [TCP] [TCP] 192.168.0.8:1025 -> 194.151.107.44:41
>           [TCP] 213.73.148.57:1025 -> 194.151.107.44:41

All completely the way I see it as well.

> As for the first redirection, it was probably caused by outgoing
> connection from 192.168.0.8:1995 to 194.151.107.44:42. I.e.,
> the outgoing connection attempt caused
>
> OUT [TCP] [TCP] 192.168.0.8:1995 -> 194.151.107.44:42
>           [TCP] 213.73.148.57:1995 -> 194.151.107.44:42
>
> And then the reply packet caused:
>
> IN  [TCP] [TCP] 194.151.107.44:42 -> 213.73.148.57:1995
>           [TCP] 194.151.107.44:42 -> 192.168.0.8:1995

Maybe indeed 194.151.107.44:41 is the first outside port to initiate a connection with my inside machine, but this still doesn't explain why the config did work with FreeBSD 3.2 (I am using the same firewall/natd config). Also, with similar rules but different ports and IP numbers I can FTP to an 'inside IP number', people can download Napster stuff from 'inside machines' and ICQ to 'inside machines'. All this traffic is initiated from the outside. The problem really seems to be with port 41.
Also the following ruleset redirects all traffic inwards except for traffic originating from port 41:

redirect_proto tcp 192.168.0.8 194.151.107.44
redirect_proto tcp 192.168.0.8 194.151.107.76
redirect_proto tcp 192.168.0.8 193.72.44.45
redirect_proto tcp 192.168.0.8 193.72.44.78

Hope somebody goes "oh of course, it's......."

Cheers,
Luke