Date:      Sat, 31 Jul 1999 08:54:41 -0400 (EDT)
From:      paz <paz@apriori.net>
To:        Andrew Johns <A_Johns@TurnAround.com.au>
Cc:        "Phil @ MediaOne Budne" <phil@ultimate.com>, freebsd-questions@FreeBSD.ORG
Subject:   RE: ipchains in FreeBSD
Message-ID:  <Pine.BSF.4.10.9907310827490.20256-100000@gw.apriori.net>
In-Reply-To: <001001beda4a$0e51ceb0$4001a8c0@tasajohns.turnaround.com.au>





On Fri, 30 Jul 1999, Andrew Johns wrote:

: No problem - fire up:
: 'tcpdump -s 1600 -x -w tcp.output'
: and then use something like ethereal to analyse the output, so that you
: can identify where it is failing and thence, why it is so.  Then you'll
: be able to add rules to allow those packets back and forth through your
: firewall...


I resurrected tcpdumps that I did in late May, where I started to lose
hope that I could accomplish what I was trying to do with the firewall
settings in FreeBSD. Note that I'm quite happy with FreeBSD and would
prefer not to muck up my network with another server, and I only run the
Windoze box for compatibility with the M$ world and of late, to play a
rowdy shoot-em-up game on the internet (Delta Force). I've created some
new maps for Delta Force and would like to leave my Windoze box running,
hosting a Delta Force game while I'm not using it, since I have a
full-time internet connection anyway and folks seem to like the new maps
I've generated.

Note that I'm able to run Delta Force on the Windoze box on the internet
by taking the FreeBSD gateway machine offline and using the ISDN terminal
adapter to connect solely to the Windoze box, but that defeats the
porpoise of having a home network - I host a pile of web pages, maintain a
few mail lists and receive email via my FreeBSD gateway and prefer to keep
it that way. It's the routing that seems to need some help, I think!


My config:
FreeBSD 2.2.7;
ISDN Terminal Adapter;
Static IP with my service provider;
domain name name service from ISP;
full-time connection;
local gateway host is the FreeBSD box;
local area net at home uses the gateway to get to the internet;
gateway uses natd to hide local net from internet;
local net uses non-routable addresses, 192.168.xxx.xxx;
my domain name is apriori.net;
my Windoze box is named cpriori.apriori.net;
the FreeBSD gateway box is named gw.apriori.net;
daemons running on gateway host include:
-- natd
-- named
-- ipfw
-- pppd
(There are others, but probably not important for this discussion.)
Also running tcp wrappers.


Here's a dialog I had in late May with my good friend and Unix guru and
mentor, Phil Budne (philb), in an attempt to allow me to keep the FreeBSD
box online while playing Delta Force and "simply" route packets
appropriately from my Windoze box to the internet and conversely...
=============================================================


Here's a tcpdump of the phenomenon, which seems to be pretty consistent:

(...)
18:55:11.397111 webhost.it.earthlink.net.http > cpriori.apriori.net.3874:
F 163:163(0) ack 132 win 64240
18:55:11.397322 cpriori.apriori.net.3874 > webhost.it.earthlink.net.http:
. ack 164 win 8598 (DF)
18:55:11.397831 cpriori.apriori.net.3874 > webhost.it.earthlink.net.http:
F 132:132(0) ack 164 win 8598 (DF)
18:55:11.517978 webhost.it.earthlink.net.http > cpriori.apriori.net.3874:
. ack 133 win 64240
18:55:13.945577 cpriori.apriori.net.3875 > 208.231.90.229.http: S
407936944:407936944(0) win 8192 <mss 1460> (DF)
18:55:14.069681 208.231.90.229.http > cpriori.apriori.net.3875: S
1246151019:1246151019(0) ack 407936945 win 8760 <mss 1460> (DF)
18:55:14.069868 cpriori.apriori.net.3875 > 208.231.90.229.http: . ack 1
win 8760 (DF)
18:55:14.070226 cpriori.apriori.net.3875 > 208.231.90.229.http: P 1:86(85)
ack 1 win 8760 (DF)
18:55:14.398626 208.231.90.229.http > cpriori.apriori.net.3875: P
1:513(512) ack 86 win 8675 (DF)
18:55:14.439885 208.231.90.229.http > cpriori.apriori.net.3875: P
513:888(375) ack 86 win 8675 (DF)
18:55:14.440172 cpriori.apriori.net.3875 > 208.231.90.229.http: . ack 888
win 7873 (DF)
18:55:14.444106 208.231.90.229.http > cpriori.apriori.net.3875: F
888:888(0) ack 86 win 8675 (DF)
18:55:14.444301 cpriori.apriori.net.3875 > 208.231.90.229.http: . ack 889
win 7873 (DF)
18:55:14.444881 cpriori.apriori.net.3875 > 208.231.90.229.http: F 86:86(0)
ack 889 win 7873 (DF)
18:55:14.572664 208.231.90.229.http > cpriori.apriori.net.3875: . ack 87
win 8675 (DF)
18:55:15.394852 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
18:55:17.066741 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
18:55:18.690095 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
18:55:20.310063 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
18:55:22.016666 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
18:55:23.642707 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
18:55:25.207092 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24



> : (philb wrote:)
> : It's interesting that you (cpriori) are sending packets that are not
> : being answered, and not the other way around.
>
> (paz wrote/asked:)
> 23:12:29.148877 cpriori.apriori.net.3889 > 38.187.59.46.3568: udp 24
>                                          ^
>                                          |
>                                      outbound?
>
> Well, that's how I'd interpret it. Yes, that's weird.

(philb replied:)
sourcehost.sourceport > desthost.destport

(paz asked:)
> What's the "24" at the end mean?

(philb replied:)
Length of the "payload" or "data"


At philb's suggestion, I ran tcpdump with different switches:
(philb wrote:)
: Running tcpdump with "-i ppp0" should
: show you the traffic coming in on the PPP link BEFORE anything is
: filtered out (but after NAT happens to outgoing packets).

(paz sent new results:)
Now we get a three-step pattern:
23:24:40.660996 paz.static.shore.net.3895 > 38.187.59.46.3568: udp 24
23:24:40.886637 38.187.59.46.1033 > paz.static.shore.net.3568: udp 264
23:24:40.886980 paz.static.shore.net > 38.187.59.46: icmp:
paz.static.shore.net udp port 3568 unreachable

(philb interpreted them:)
> Now we get a three-step pattern:
> 23:24:40.660996 paz.static.shore.net.3895 > 38.187.59.46.3568: udp 24

packet from cpriori gets sent after translation from source port 3895
to destination host port 3568

> 23:24:40.886637 38.187.59.46.1033 > paz.static.shore.net.3568: udp 264

destination host replies from a DIFFERENT port, to a port OTHER
than the original source port.  NAT has no way to know the packet
should be forwarded on to cpriori, so...

> 23:24:40.886980 paz.static.shore.net > 38.187.59.46: icmp:
> paz.static.shore.net udp port 3568 unreachable

it sends an ICMP error packet saying it doesn't know what to do with it.

=========================================================

Note that I was able to write some firewall rules to quiet the error
messages appearing at the console, but was never successful in permitting
the two machines (the Windoze box and the Novalogic server) to actually
converse with each other as they intended.

At this point, I became basically lost; don't know how to outsmart what
Delta Force seems to try to do. It seemed that (Linux) ipchains offered
some firewall filtering capabilities which could track the shifting of
(port numbers?) and still maintain the traffic between the intended hosts
in spite of natd, but I have yet to try this, as it involves building a
separate machine with Linux and ipchains and inserting it between my
FreeBSD box and the Terminal Adapter, something not done casually.

For background, in hosting a Delta Force game on the net, the home site of
Delta Force (Novalogic) has a mini-browser which lists games currently
running on their servers as well as games hosted by other computers on the
net (as "public games"). By using that browser, folks are able to locate
your hosted game and establish a connection with you (i.e., start playing
the game your computer is hosting). So there seems to be traffic generated
by the Novalogic servers as well as the other players and your own
machine.


cheers -
-- Philip.

philip zimmermann           paz@apriori.net
www.apriori.net             ayer, ma    usa
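As an added illustration (not code from the thread or from natd), the model below replays the three-packet exchange philb interprets above: a NAT alias table keyed on the full outbound tuple matches nothing when the game server answers from port 1033 to port 3568, so the reply is answered with the ICMP port-unreachable seen in the dump, whereas a static inbound mapping of the kind natd offers with -redirect_port lets it through. The hosts and ports are the ones in the tcpdump; that the game on cpriori listens on UDP 3568 is an assumption made for the redirect case.

```python
# Toy model of the natd behaviour described in the thread (added example).
# Alias table entries are keyed on the remote host, remote port and alias port,
# so a reply from a different remote port to a different alias port never hits.
from dataclasses import dataclass


@dataclass(frozen=True)
class UDP:
    src: str
    sport: int
    dst: str
    dport: int


class NatModel:
    def __init__(self, alias_ip):
        self.alias_ip = alias_ip
        self.table = {}       # (remote_ip, remote_port, alias_port) -> (inside_ip, inside_port)
        self.redirects = {}   # alias_port -> (inside_ip, inside_port); static, like -redirect_port

    def redirect_port(self, alias_port, inside_ip, inside_port):
        self.redirects[alias_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite the source to the alias address and remember the mapping."""
        alias_port = pkt.sport  # natd keeps the original port when it is free
        self.table[(pkt.dst, pkt.dport, alias_port)] = (pkt.src, pkt.sport)
        return UDP(self.alias_ip, alias_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Return the de-aliased packet, or the ICMP error the gateway emits."""
        hit = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if hit is None:
            hit = self.redirects.get(pkt.dport)
        if hit is None:
            return f"icmp: {self.alias_ip} udp port {pkt.dport} unreachable"
        inside_ip, inside_port = hit
        return UDP(pkt.src, pkt.sport, inside_ip, inside_port)


def replay(redirect=False):
    """Replay the dump's exchange; with redirect=True add a static mapping."""
    nat = NatModel("paz.static.shore.net")
    if redirect:
        # Assumption: the Delta Force client on cpriori listens on UDP 3568.
        nat.redirect_port(3568, "cpriori.apriori.net", 3568)
    nat.outbound(UDP("cpriori.apriori.net", 3895, "38.187.59.46", 3568))
    reply = UDP("38.187.59.46", 1033, "paz.static.shore.net", 3568)
    return nat.inbound(reply)
```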
