Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

JJB Barbish3 at adelphia.net
Fri May 7 05:47:25 PDT 2004


For your telnet test to the pcAnywhere ports on the target LAN PC to work,
you have to tell telnet on the target to listen on those ports.

I believe pcAnywhere is one of those applications that embed the IP
addresses of the remote and host into the packet data, which is used by the
application to establish a bi-directional packet exchange. This means
that pcAnywhere will not work using a NATed IP address. This is a
common design flaw in many third-party software providers'
applications, mostly seen in games and MS Windows NetMeeting.
pcAnywhere only works over the public Internet between two MS Windows
boxes that use public routable IP addresses. It will also work between
two PCs on the LAN because NATing only occurs as a packet leaves the LAN
headed for the public Internet.

If you have a range of static public IP addresses assigned to you by
your ISP then you could assign one of those IP addresses to the LAN PC
you want pcAnywhere to work on and you should be good to go.


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of adp
Sent: Friday, May 07, 2004 12:37 AM
To: questions at freebsd.org
Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for
pcAnywhere

This shouldn't be that hard, but I can't get it working.

I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
bridging enabled between the Internet and DMZ interfaces.

I now have an internal computer (LAN) that needs to be accessible via
pcAnywhere.

I can telnet to the pcAnywhere ports on the internal computer fine
from the firewall or the LAN. So that works. However, when I configured
ipnat to forward my pcAnywhere ports a telnet from the Internet just stalls.

My ipnat configuration:

# cat /etc/ipnat.conf

(xl0 = internet, xl1 = lan, xl2 = dmz)

####################
# pcAnywhere
# normal nat for office disabled - this is all i have in ipnat.conf
rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632

And I am allowing access in via ipf:

pass in quick proto tcp from any to public-ip port = 5631 group 200
pass in quick proto udp from any to public-ip port = 5631 group 200
pass in quick proto tcp from any to public-ip port = 5632 group 200
pass in quick proto udp from any to public-ip port = 5632 group 200

(If I take these out I see the ipmon block messages, but with these
they go away, so it's not ipf I don't think.)

Am I missing something here? This should work!

A tcpdump. I am remote (remote-client):

%telnet public-ip 5631
Trying public-ip...

(just sits there)

On the FreeBSD box:

# tcpdump -n -i xl0 port 5631
tcpdump: listening on xl0
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
^C
48 packets received by filter
0 packets dropped by kernel

Oh, and again, I do have bridging enabled between Internet and DMZ:

My bridge script:

#!/bin/sh

echo -n "Enabling bridging: "
if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
        echo "activated."
else
        echo "failed."
fi

echo -n "Enabling bridging between xl0 and xl2 interfaces: "
if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
        echo "activated."
else
        echo "failed."
fi


_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"
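A triage helper for the symptom in the tcpdump above (SYNs retransmitted to public-ip.5631, nothing ever coming back). This is an added example, not code from the thread, from FreeBSD or from IPFilter: a POSIX shell function that runs awk over tcpdump 3.x-style text and classifies every client-to-server flow that sent a SYN by what the same interface saw in return. The capture lines it runs over are constructed for the example (one silent flow to 5631 like the one in the post, plus an answered flow to 22 and a refused flow to 5632 for contrast); the host names and port numbers beyond those in the post are assumptions.

```shell
#!/bin/sh
# Triage a tcpdump capture taken on the outside interface (tcpdump 3.x text
# format, "<time> <src>.<port> > <dst>.<port>: <flags> ..."). For every
# client->server flow that sent a SYN, report whether the server side
# answered with a SYN-ACK, refused with an RST, or stayed silent while the
# client kept retransmitting. A silent flow is what the post shows: the SYN
# is seen on the wire but nothing is sent back out of this interface.
#
# SAMPLE_CAPTURE is constructed for this example (not a real capture).
SAMPLE_CAPTURE='23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF)
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF)
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF)
23:26:50.100000 remote-client.3760 > public-ip.22: S 10:10(0) win 57344 <mss 1460> (DF)
23:26:50.100500 public-ip.22 > remote-client.3760: S 20:20(0) ack 11 win 65535 <mss 1460> (DF)
23:26:50.101000 remote-client.3760 > public-ip.22: . ack 21 win 57344 (DF)
23:26:55.000000 remote-client.3761 > public-ip.5632: S 30:30(0) win 57344 <mss 1460> (DF)
23:26:55.000400 public-ip.5632 > remote-client.3761: R 0:0(0) ack 31 win 0'

# triage_syns: reads capture text on stdin and prints one line per flow that
# sent a SYN, as "client server state syns" where state is one of
# answered (SYN-ACK seen), refused (RST seen), other-reply, or no-reply.
triage_syns() {
    awk '
        # Only packet lines have ">" as the third field; skip tcpdump chatter
        # such as "48 packets received by filter".
        $3 == ">" {
            src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
            fwd = src " " dst      # direction of this packet
            rev = dst " " src      # the flow this packet would be a reply to
            if (flags ~ /S/ && $0 !~ / ack /)  syn[fwd]++      # plain SYN
            else if (flags ~ /S/)              synack[rev]++   # SYN-ACK for rev
            else if (flags ~ /R/)              rst[rev]++      # RST for rev
            reply[rev]++                                        # anything back
        }
        END {
            for (k in syn) {
                if (k in synack)      state = "answered"
                else if (k in rst)    state = "refused"
                else if (k in reply)  state = "other-reply"
                else                  state = "no-reply"
                print k, state, syn[k]
            }
        }'
}

# Stand-alone run over the constructed capture; sort makes the order stable.
printf '%s\n' "$SAMPLE_CAPTURE" | triage_syns | sort
```

A no-reply flow on xl0 only says that the SYN arrived and nothing left through that interface; it does not by itself distinguish a filter drop with logging disabled, a frame swallowed by the xl0/xl2 bridge, or a SYN that was redirected to 192.168.99.9 and never answered. The next capture to take is the same `port 5631` filter on xl1, to see whether the redirected SYN reaches the LAN side at all.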
