From owner-freebsd-questions@FreeBSD.ORG Mon May 10 08:36:31 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA4E716A4CE for ; Mon, 10 May 2004 08:36:31 -0700 (PDT)
Received: from watcher.puryear-it.com (ip-66-186-248-99.eatel.net [66.186.248.99]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C46443D54 for ; Mon, 10 May 2004 08:36:30 -0700 (PDT) (envelope-from dap99@i-55.com)
Received: from localhost (unknown [127.0.0.1]) by watcher.puryear-it.com (Postfix) with ESMTP id B27E334D1F; Mon, 10 May 2004 10:34:30 -0500 (CDT)
Received: from watcher.puryear-it.com ([127.0.0.1]) by localhost (watcher.puryear-it.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22369-02; Mon, 10 May 2004 10:34:29 -0500 (CDT)
Received: from yourqqh4336axf (localhost [127.0.0.1]) by watcher.puryear-it.com (Postfix) with SMTP id DE42434D1E; Mon, 10 May 2004 10:34:28 -0500 (CDT)
Message-ID: <016a01c436a4$88e741d0$6501a8c0@yourqqh4336axf>
From: "adp"
To: ,
References:
Date: Mon, 10 May 2004 10:34:46 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2739.300
X-Virus-Scanned: by amavisd-new
Subject: Re: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 10 May 2004 15:36:31 -0000

I am using telnet just to see if the port accepts connections. That test
works fine internally. We are not running a telnet server. Also, we are
telnetting to the pcAnywhere port, not the telnet port. :)

----- Original Message -----
From: "JJB"
To: "adp" ;
Sent: Friday, May 07, 2004 7:47 AM
Subject: RE: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

> For your telnet test to pcAnywhere ports on the target LAN PC to work,
> you have to tell telnet on the target to listen on those ports.
>
> I believe pcAnywhere is one of those applications that embed the IP
> address of the remote and host into the packet data, which is used by the
> application to establish bi-directional packet exchange. This means
> that pcAnywhere will not work using a NATed IP address. This is a
> common design flaw in many 3rd-party software providers'
> applications, mostly seen in games and MS/Windows NetMeeting.
> pcAnywhere only works over the public internet between two MS/Windows
> boxes that use public routable IP addresses. It will also work between
> two PCs on the LAN because NATing only occurs as a packet leaves the LAN
> headed for the public internet.
>
> If you have a range of static public IP addresses assigned to you by
> your ISP then you could assign one of those IP addresses to the LAN PC
> you want pcAnywhere to work on and you should be good to go.
>
>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of adp
> Sent: Friday, May 07, 2004 12:37 AM
> To: questions@freebsd.org
> Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere
>
> This shouldn't be that hard, but I can't get it working.
>
> I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
> bridging enabled between the Internet and DMZ interfaces.
>
> I now have an internal computer (LAN) that needs to be accessible via
> pcAnywhere.
>
> I can telnet to the pcAnywhere ports on the internal computer fine from the
> firewall or the LAN. So that works. However, when I configured ipnat to
> forward my pcAnywhere ports, a telnet from the Internet just stalls.
>
> My ipnat configuration:
>
> # cat /etc/ipnat.conf
>
> (xl0 = internet, xl1 = lan, xl2 = dmz)
>
> ####################
> # pcAnywhere
> # normal nat for office disabled - this is all i have in ipnat.conf
> rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
> rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632
>
> And I am allowing access in via ipf:
>
> pass in quick proto tcp from any to public-ip port = 5631 group 200
> pass in quick proto udp from any to public-ip port = 5631 group 200
> pass in quick proto tcp from any to public-ip port = 5632 group 200
> pass in quick proto udp from any to public-ip port = 5632 group 200
>
> (If I take these out I see the ipmon block messages, but with these they go
> away, so it's not ipf, I don't think.)
>
> Am I missing something here? This should work!
>
> A tcpdump. I am remote (remote-client):
>
> %telnet public-ip 5631
> Trying public-ip...
>
> (just sits there)
>
> On the FreeBSD box:
>
> # tcpdump -n -i xl0 port 5631
> tcpdump: listening on xl0
> 23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
> 23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
> 23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
> 23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
> 23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
> 23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
> 23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
> 23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
> ^C
> 48 packets received by filter
> 0 packets dropped by kernel
>
> Oh, and again, I do have bridging enabled between Internet and DMZ:
>
> My bridge script:
>
> #!/bin/sh
>
> echo -n "Enabling bridging: "
> if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
>     echo "activated."
> else
>     echo "failed."
> fi
>
> echo -n "Enabling bridging between xl0 and xl2 interfaces: "
> if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
>     echo "activated."
> else
>     echo "failed."
> fi
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
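The capture in the thread shows one SYN (same source port, same ISN) retransmitted eight times with nothing coming back on xl0, i.e. the SYN reaches the outside interface but no SYN-ACK ever leaves it. As an added example that is not from the thread, the script below parses lines in that tcpdump format and reports flows whose SYNs never drew a SYN-ACK, distinguishing retransmissions of one SYN from separate connection attempts; the sample lines are constructed, with a second client that does get answered added for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format quoted in the thread; a second client
# that does receive a SYN-ACK is added for contrast. Not a real capture.
SAMPLE = """\
tcpdump: listening on xl0
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 (DF) [tos 0x10]
23:27:03.100000 other-client.40000 > public-ip.5631: S 11111:11111(0) win 65535 (DF)
23:27:03.100500 public-ip.5631 > other-client.40000: S 22222:22222(0) ack 11112 win 57344 (DF)
48 packets received by filter
"""

# One packet line: timestamp, src > dst, TCP flags, seq:seq(len), then options/ack/win.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SPFR.]+) (?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$"
)

def parse_tcpdump(text):
    """Yield (src, dst, flags, isn, is_ack) for every packet line; skip the rest."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m["src"], m["dst"], m["flags"], int(m["seq"]), " ack " in m["rest"]

def unanswered_syns(text):
    """Map (client, server) -> (syn_count, distinct_isn_count) for flows whose
    SYNs never drew a SYN-ACK back through the capture point."""
    syns = defaultdict(lambda: [0, set()])
    answered = set()
    for src, dst, flags, isn, is_ack in parse_tcpdump(text):
        if "S" not in flags:
            continue
        if is_ack:                   # SYN-ACK flows server -> client: reverse the key
            answered.add((dst, src))
        else:
            syns[(src, dst)][0] += 1
            syns[(src, dst)][1].add(isn)
    return {flow: (n, len(isns)) for flow, (n, isns) in syns.items()
            if flow not in answered}

if __name__ == "__main__":
    for (client, server), (n, isns) in unanswered_syns(SAMPLE).items():
        kind = "retransmissions of one SYN" if isns == 1 else "separate SYNs"
        print(f"{client} -> {server}: {n} SYNs, no SYN-ACK ({kind})")
```

Run the same function over `tcpdump -n -i xl0 port 5631` output from the outside interface and then over the LAN interface: a flow that is unanswered on xl0 but answered on xl1 points at the return path rather than the rdr rule.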