Date:      Mon, 16 Apr 2001 15:10:42 +0200
From:      universe <universe@truemetal.org>
To:        Nick Rogness <nick@rogness.net>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd filters redirect port.
Message-ID:  <3ADAEF52.446E2BA2@truemetal.org>
References:  <Pine.BSF.4.21.0104152215580.61877-100000@cody.jharris.com>

Nick Rogness wrote:
> 
> On Sun, 15 Apr 2001, universe wrote:
> 
> > hi list,
> >
> > my freebsd box is acting as a gateway for my internal private network,
> > the connection is made with userland ppp (pppoe) and natd.
> >
> > natd also forwards packets on the external port 81 to an internal
> > machine on port 9192. since i changed from isdn to dsl the other day
> > the redirect_port doesn't seem to work anymore and natd (?) is
> > filtering the tcp port 81.
> 
> >
> > natd is started with: natd -n tun0 -dynamic -redirect_port tcp
> > 192.168.0.4:9192 81 which forwards every request on tun0 (external
> > ethernet card which connects to the dsl modem) on port 81 to the
> > internal machine 192.168.0.4 at port 9192.
> 
> >
> > however, when i do a portscan from an external machine it shows that
> > port 81 is being filtered as soon as i run natd with the
> > -redirect_port switch:
> >
> > (The 1517 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh
> > 80/tcp     open        http
> > 81/tcp     filtered    hosts2-ns
> > 137/tcp    filtered    netbios-ns
> > 138/tcp    filtered    netbios-dgm
> > 139/tcp    filtered    netbios-ssn
> >
> > port 81 should be "open", not "filtered". i configured natd to forward
> > requests on port 2345 etc. instead but the effect stays the same,
> > every port gets filtered.
> >
> > ipfw list on the gateway which runs natd shows the following:
> >
> > 00009 deny tcp from any to any 139 in recv tun0
> > 00009 deny tcp from any to any 138 in recv tun0
> > 00009 deny tcp from any to any 137 in recv tun0
> > 00010 divert 8668 ip from any to any via tun0
> > 00011 divert 1234 tcp from any to any out xmit tun0 setup
> > 00020 allow ip from any to any
> > 65535 deny ip from any to any
> 
>         What is rule 11?  Is that somehow tied to the PPPoE setup [sorry
>         not familiar with that setup]?

hi nick,

rule 11 is required for the "tcpmssd" daemon to work. tcpmssd is a divert
program that adjusts outgoing tcp data so that the requested segment size
is not greater than the amount allowed by the interface mtu (quoted from
the port description). without the daemon running i can only access a small
number of hosts/websites. this behavior is caused by pppoe (and the faulty
routers, of course).

however, i removed the rule and shut down tcpmssd to see if it would change
anything, but the ports were still filtered...

any idea?

thanks,
markus

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
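An added diagnostic, not part of the thread or of natd/ipfw: walk an `ipfw list` dump in rule order and report which rule an inbound TCP packet on a given port and interface hits first. The ruleset embedded below is the one posted above, included as a constructed sample so the script runs offline; the matcher is a simplified one that only understands the proto/port/direction grammar seen in that dump, not full ipfw syntax, and the function name `first_hit` is my own.

```shell
#!/bin/sh
# Added example: find the first ipfw rule an inbound TCP packet would hit.
# Sample constructed from the ruleset posted in the thread.
SAMPLE_RULES='00009 deny tcp from any to any 139 in recv tun0
00009 deny tcp from any to any 138 in recv tun0
00009 deny tcp from any to any 137 in recv tun0
00010 divert 8668 ip from any to any via tun0
00011 divert 1234 tcp from any to any out xmit tun0 setup
00020 allow ip from any to any
65535 deny ip from any to any'

# first_hit PORT IFACE [RULES]
# Prints "NUM ACTION [DIVERTPORT]" for the first rule that matches an
# inbound TCP packet to PORT arriving on IFACE. RULES defaults to the
# sample above; on a real gateway pass "$(ipfw list)" as the third argument.
first_hit() {
    port=$1; iface=$2; rules=${3:-$SAMPLE_RULES}
    printf '%s\n' "$rules" | awk -v port="$port" -v iface="$iface" '
    {
        num = $1; action = $2
        f = 3                          # index of the protocol field
        if (action == "divert") f = 4  # divert carries its socket port first
        proto = $f
        if (proto != "ip" && proto != "tcp") next   # rule cannot match TCP
        dport = ""; riface = ""; outbound = 0
        for (i = f; i <= NF; i++) {
            # destination port is the numeric token after "to any"
            if ($i == "to" && $(i + 2) ~ /^[0-9]+$/) dport = $(i + 2)
            # interface named after recv / via / xmit
            if ($i == "recv" || $i == "via" || $i == "xmit") riface = $(i + 1)
            if ($i == "out") outbound = 1
        }
        if (dport != "" && dport != port) next      # port does not match
        if (outbound) next                          # out-only rule, we are inbound
        if (riface != "" && riface != iface) next   # wrong interface
        printf "%s %s%s\n", num, action, (action == "divert" ? " " $3 : "")
        exit                                        # first hit wins
    }'
}

# When run as a script, report the first hit for the ports discussed above.
for p in 81 139; do
    printf 'inbound tcp/%s on tun0 -> %s\n' "$p" "$(first_hit "$p" tun0)"
done
```

With the posted ruleset, inbound tcp/81 on tun0 reaches the natd divert rule (10) before any allow or deny, while tcp/139 is stopped by rule 9, so the rule order alone does not explain the "filtered" result for port 81. The next things to check on the box are the packet and byte counters from `ipfw -a list` (to see whether rule 10 is actually counting the scanner's SYNs) and natd's own verbose output (`natd -v`), which shows whether the 81 to 192.168.0.4:9192 rewrite is being applied.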