Date:      Sun, 01 Aug 1999 14:40:13 -0500
From:      "Paul R. Petitt" <prpetitt@theshop.net>
To:        paz <paz@apriori.net>
Cc:        Andrew Johns <A_Johns@TurnAround.com.au>, "Phil @ MediaOne Budne" <phil@ultimate.com>, freebsd-questions@FreeBSD.ORG
Subject:   RE: ipchains in FreeBSD
Message-ID:  <4.2.0.58.19990801143611.00a33220@mail.theshop.net>
In-Reply-To: <Pine.BSF.4.10.9907310827490.20256-100000@gw.apriori.net>
References:  <001001beda4a$0e51ceb0$4001a8c0@tasajohns.turnaround.com.au>

I would suggest getting an ISDN router such as the Ascend Pipeline 50 or 75
if indeed that is how your full-time connection exists; then whichever boxes are
available (I am assuming that means up and running) will still be connected to the
internet even if the BSD box isn't (this further assumes that each box has its own
IP address, i.e. no natd or aliasing in use).


At 08:54 AM 7/31/99 -0400, paz wrote:

>On Fri, 30 Jul 1999, Andrew Johns wrote:
>
>: No problem - fire up:
>: 'tcpdump -s 1600 -x -w tcp.output'
>: and then use something like ethereal to analyse the output, so that you
>: can identify where it is failing and thence, why it is so.  Then you'll
>: be able to add rules to allow those packets back and forth through your
>: firewall...
>
>
>I resurrected tcpdumps that I did in late May, where I started to lose
>hope that I could accomplish what I was trying to do with the firewall
>settings in FreeBSD. Note that I'm quite happy with FreeBSD and would
>prefer not to muck up my network with another server, and I only run the
>Windoze box for compatibility with the M$ world and of late, to play a
>rowdy shoot-em-up game on the internet (Delta Force). I've created some
>new maps for Delta Force and would like to leave my Windoze box running,
>hosting a Delta Force game while I'm not using it, since I have a
>full-time internet connection anyway and folks seem to like the new maps
>I've generated.
>
>Note that I'm able to run Delta Force on the Windoze box on the internet
>by taking the FreeBSD gateway machine offline and using the ISDN terminal
>adapter to connect solely to the Windoze box, but that defeats the
>porpoise of having a home network - I host a pile of web pages, maintain a
>few mail lists and receive email via my FreeBSD gateway and prefer to keep
>it that way. It's the routing that seems to need some help, I think!
>
>
>My config:
>FreeBSD 2.2.7;
>ISDN Terminal Adapter;
>Static IP with my service provider;
>domain name name service from ISP;
>full-time connection;
>local gateway host is the FreeBSD box;
>local area net at home uses the gateway to get to the internet;
>gateway uses natd to hide local net from internet;
>local net uses non-routable addresses, 192.168.xxx.xxx;
>my domain name is apriori.net;
>my Windoze box is named cpriori.apriori.net;
>the FreeBSD gateway box is named gw.apriori.net;
>daemons running on gateway host include:
>-- natd
>-- named
>-- ipfw
>-- pppd
>(There are others, but probably not important for this discussion.)
>Also running tcp wrappers.
>
>
>Here's a dialog I had in late May with my good friend and Unix guru and
>mentor, Phil Budne (philb), in an attempt to allow me to keep the FreeBSD
>box online while playing Delta Force and "simply" route packets
>appropriately from my Windoze box to the internet and conversely...
>=============================================================
>
>
>Here's a tcpdump of the phenomenon, which seems to be pretty consistent:
>
>(...)
>18:55:11.397111 webhost.it.earthlink.net.http > cpriori.apriori.net.3874:
>F 163:163(0) ack 132 win 64240
>18:55:11.397322 cpriori.apriori.net.3874 > webhost.it.earthlink.net.http:
>. ack 164 win 8598 (DF)
>18:55:11.397831 cpriori.apriori.net.3874 > webhost.it.earthlink.net.http:
>F 132:132(0) ack 164 win 8598 (DF)
>18:55:11.517978 webhost.it.earthlink.net.http > cpriori.apriori.net.3874:
>. ack 133 win 64240
>18:55:13.945577 cpriori.apriori.net.3875 > 208.231.90.229.http: S
>407936944:407936944(0) win 8192 <mss 1460> (DF)
>18:55:14.069681 208.231.90.229.http > cpriori.apriori.net.3875: S
>1246151019:1246151019(0) ack 407936945 win 8760 <mss 1460> (DF)
>18:55:14.069868 cpriori.apriori.net.3875 > 208.231.90.229.http: . ack 1
>win 8760 (DF)
>18:55:14.070226 cpriori.apriori.net.3875 > 208.231.90.229.http: P 1:86(85)
>ack 1 win 8760 (DF)
>18:55:14.398626 208.231.90.229.http > cpriori.apriori.net.3875: P
>1:513(512) ack 86 win 8675 (DF)
>18:55:14.439885 208.231.90.229.http > cpriori.apriori.net.3875: P
>513:888(375) ack 86 win 8675 (DF)
>18:55:14.440172 cpriori.apriori.net.3875 > 208.231.90.229.http: . ack 888
>win 7873 (DF)
>18:55:14.444106 208.231.90.229.http > cpriori.apriori.net.3875: F
>888:888(0) ack 86 win 8675 (DF)
>18:55:14.444301 cpriori.apriori.net.3875 > 208.231.90.229.http: . ack 889
>win 7873 (DF)
>18:55:14.444881 cpriori.apriori.net.3875 > 208.231.90.229.http: F 86:86(0)
>ack 889 win 7873 (DF)
>18:55:14.572664 208.231.90.229.http > cpriori.apriori.net.3875: . ack 87
>win 8675 (DF)
>18:55:15.394852 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>18:55:17.066741 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>18:55:18.690095 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>18:55:20.310063 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>18:55:22.016666 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>18:55:23.642707 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>18:55:25.207092 cpriori.apriori.net.3876 > 38.187.59.46.3568: udp 24
>
>
>
> > : (philb wrote:)
> > : It's interesting that you (cpriori) are sending packets that are not
> > : being answered, and not the other way around.
> >
> > (paz wrote/asked:)
> > 23:12:29.148877 cpriori.apriori.net.3889 > 38.187.59.46.3568: udp 24
> >                                          ^
> >                                          |
> >                                      outbound?
> >
> > Well, that's how I'd interpret it. Yes, that's weird.
>
>(philb replied:)
>sourcehost.sourceport > desthost.destport
>
>(paz asked:)
> > What's the "24" at the end mean?
>
>(philb replied:)
>Length of the "payload" or "data"
>
>
>At philb's suggestion, I ran tcpdump with different switches:
>(philb wrote:)
>: Running tcpdump with "-i ppp0" should
>: show you the traffic coming in on the PPP link BEFORE anything is
>: filtered out (but after NAT happens to outgoing packets).
>
>(paz sent new results:)
>Now we get a three-step pattern:
>23:24:40.660996 paz.static.shore.net.3895 > 38.187.59.46.3568: udp 24
>23:24:40.886637 38.187.59.46.1033 > paz.static.shore.net.3568: udp 264
>23:24:40.886980 paz.static.shore.net > 38.187.59.46: icmp:
>paz.static.shore.net udp port 3568 unreachable
>
>(philb interpreted them:)
> > Now we get a three-step pattern:
> > 23:24:40.660996 paz.static.shore.net.3895 > 38.187.59.46.3568: udp 24
>
>packet from cpriori gets sent after translation from source port 3895
>to destination host port 3568
>
> > 23:24:40.886637 38.187.59.46.1033 > paz.static.shore.net.3568: udp 264
>
>destination host replies from a DIFFERENT port, to a port OTHER
>than the original source port.  NAT has no way to know the packet
>should be forwarded on to cpriori, so...
>
> > 23:24:40.886980 paz.static.shore.net > 38.187.59.46: icmp:
>paz.static.shore.net udp port 3568 unreachable
>
>it sends an ICMP error packet saying it doesn't know what to do with it.
>
>=========================================================
>
>Note that I was able to write some firewall rules to quiet the error
>messages appearing at the console, but was never successful in permitting
>the two machines (the Windoze box and the Novalogic server) to actually
>converse with each other as they intended.
>
>At this point, I became basically lost; don't know how to outsmart what
>Delta Force seems to try to do. It seemed that (Linux) ipchains offered
>some firewall filtering capabilities which could track the shifting of
>(port numbers?) and still maintain the traffic between the intended hosts
>in spite of natd, but I have yet to try this, as it involves building a
>separate machine with Linux and ipchains and inserting it between my
>FreeBSD box and the Terminal Adapter, something not done casually.
>
>For background, in hosting a Delta Force game on the net, the home site of
>Delta Force (Novalogic) has a mini-browser which lists games currently
>running on their servers as well as games hosted by other computers on the
>net (as "public games"). By using that browser, folks are able to locate
>your hosted game and establish a connection with you (i.e., start playing
>the game your computer is hosting). So there seems to be traffic generated
>by the Novalogic servers as well as the other players and your own
>machine.
>
>
>cheers -
>-- Philip.
>
>philip zimmermann           paz@apriori.net
>www.apriori.net             ayer, ma    usa
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
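The three-packet failure philb walks through in the quoted dump, as an added example that is not part of the thread: a simplified Python model of an address/port NAT (a constructed approximation, not natd's own code) that matches replies on the remote address, remote port and translated port, replayed with the hosts and ports from the tcpdump. The `redirect_game_port` branch assumes a static redirect of public UDP port 3568 to the inside host, the kind of mapping natd's -redirect_port option provides; which port Delta Force actually expects is not established in the thread.

```python
# Added example, not code from the thread: a simplified address/port NAT
# (constructed, not natd's own logic) replayed with the hosts and ports from
# the quoted tcpdump. The redirect branch is an assumption (natd -redirect_port).
from dataclasses import dataclass, field

GATEWAY = "paz.static.shore.net"  # public address of the gw.apriori.net box
INSIDE = "cpriori.apriori.net"    # the game host on the 192.168.x.x net
SERVER = "38.187.59.46"           # Novalogic server seen in the dump

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    length: int

@dataclass
class PortNat:
    """NAT that matches replies on remote addr, remote port and public port."""
    public: str
    next_port: int = 3895  # first translated source port in the dump
    table: dict = field(default_factory=dict)      # (rip, rport, pub) -> (ip, port)
    redirects: dict = field(default_factory=dict)  # static: pub port -> (ip, port)

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside->internet packet and remember the mapping."""
        for (rip, rport, pub), inner in self.table.items():
            if (rip, rport) == (p.dst, p.dport) and inner == (p.src, p.sport):
                return Packet(self.public, pub, p.dst, p.dport, p.length)
        pub, self.next_port = self.next_port, self.next_port + 1
        self.table[(p.dst, p.dport, pub)] = (p.src, p.sport)
        return Packet(self.public, pub, p.dst, p.dport, p.length)

    def inbound(self, p: Packet):
        """Forward a reply inward, or answer as the gateway in the dump did."""
        inner = self.table.get((p.src, p.sport, p.dport)) or self.redirects.get(p.dport)
        if inner is None:
            return f"icmp: {self.public} udp port {p.dport} unreachable"
        return Packet(p.src, p.sport, inner[0], inner[1], p.length)

def replay(redirect_game_port: bool):
    """Outbound probe, then the server's reply from a different port pair."""
    nat = PortNat(GATEWAY)
    if redirect_game_port:
        nat.redirects[3568] = (INSIDE, 3568)  # assumed inside port; unknown in thread
    out = nat.outbound(Packet(INSIDE, 3876, SERVER, 3568, 24))
    reply = Packet(SERVER, 1033, GATEWAY, 3568, 264)  # ports differ on both ends
    return out, nat.inbound(reply)
```

Without the redirect the lookup on (38.187.59.46, 1033, 3568) finds no entry and the model produces the same "udp port 3568 unreachable" answer the dump shows; with it, the reply is forwarded to the inside host.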


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.2.0.58.19990801143611.00a33220>