Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

adp dap99 at i-55.com
Mon May 10 08:36:31 PDT 2004


I am using telnet just to see if the port accepts connections. That test
works fine internally. We are not running a telnet server. Also, we are
telnetting to the pcAnywhere port, not the telnet port. :)

----- Original Message -----
From: "JJB" <Barbish3 at adelphia.net>
To: "adp" <dap99 at i-55.com>; <questions at freebsd.org>
Sent: Friday, May 07, 2004 7:47 AM
Subject: RE: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for
pcAnywhere


> For your telnet test to the pcAnywhere ports on the target LAN PC to work
> you have to tell telnet on the target to listen on those ports.
>
> I believe pcAnywhere is one of those applications that embed the IP
> address of the remote and host into the packet data, which is used by the
> application to establish bi-directional packet exchange. This means
> that pcAnywhere will not work using a NATed IP address. This is a
> common design flaw in many 3rd party software providers'
> applications, mostly seen in games and MS Windows NetMeeting.
> pcAnywhere only works over the public internet between two MS Windows
> boxes that use public routable IP addresses. It will also work between
> two PCs on the LAN because NATing only occurs as packets leave the LAN
> headed for the public internet.
>
> If you have a range of static public IP addresses assigned to you by
> your ISP then you could assign one of those IP addresses to the LAN PC
> you want pcAnywhere to work on and you should be good to go.
>
>
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of adp
> Sent: Friday, May 07, 2004 12:37 AM
> To: questions at freebsd.org
> Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for
> pcAnywhere
>
> This shouldn't be that hard, but I can't get it working.
>
> I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
> bridging enabled between the Internet and DMZ interfaces.
>
> I now have an internal computer (LAN) that needs to be accessible via
> pcAnywhere.
>
> I can telnet to the pcAnywhere ports on the internal computer fine from the
> firewall or the LAN. So that works. However, when I configured ipnat to
> forward my pcAnywhere ports a telnet from the Internet just stalls.
>
> My ipnat configuration:
>
> # cat /etc/ipnat.conf
>
> (xl0 = internet, xl1 = lan, xl2 = dmz)
>
> ####################
> # pcAnywhere
> # normal nat for office disabled - this is all i have in ipnat.conf
> rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
> rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632
>
> And I am allowing access in via ipf:
>
> pass in quick proto tcp from any to public-ip port = 5631 group 200
> pass in quick proto udp from any to public-ip port = 5631 group 200
> pass in quick proto tcp from any to public-ip port = 5632 group 200
> pass in quick proto udp from any to public-ip port = 5632 group 200
>
> (If I take these out I see the ipmon block messages, but with these they go
> away, so it's not ipf I don't think.)
>
> Am I missing something here? This should work!
>
> A tcpdump. I am remote (remote-client):
>
> %telnet public-ip 5631
> Trying public-ip...
>
> (just sits there)
>
> On the FreeBSD box:
>
> # tcpdump -n -i xl0 port 5631
> tcpdump: listening on xl0
> 23:26:41.772801 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp
> 99416198 0> (DF) [tos 0x10]
> 23:26:44.772018 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp
> 99416498 0> (DF) [tos 0x10]
> 23:26:48.013346 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp
> 99416818 0> (DF) [tos 0x10]
> 23:26:51.230241 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:26:54.429267 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:26:57.596288 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:27:03.809921 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:27:16.050057 remote-client.3755 > public-ip.5631: S
> 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> ^C
> 48 packets received by filter
> 0 packets dropped by kernel
>
> Oh, and again, I do have bridging enabled between Internet and DMZ:
>
> My bridge script:
>
> #!/bin/sh
>
> echo -n "Enabling bridging: "
> if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
>         echo "activated."
> else
>         echo "failed."
> fi
>
> echo -n "Enabling bridging between xl0 and xl2 interfaces: "
> if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1;
> then
>         echo "activated."
> else
>         echo "failed."
> fi
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
>
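The tcpdump in the quoted post is the diagnostic evidence that matters: eight SYNs from remote-client to public-ip port 5631, retransmitted over about 34 seconds, with no SYN-ACK and no RST ever seen on xl0. A refused connection answers with an RST (the packet reached a host with nothing listening); a stalled one means the SYN was either dropped or forwarded somewhere whose reply never made it back. On an IPFilter box that distinction decides where to look next: the active translations (ipnat -l), the filter counters and ipmon log (ipfstat -io, and note that IPFilter translates inbound packets before it filters them, so a redirected packet that ipf blocks is logged with the internal destination address), and a second tcpdump on xl1 to see whether the translated SYN leaves for 192.168.99.9 and whether that host answers. The script below is an added example and is not part of this thread; it parses tcpdump 3.x-style lines like the ones quoted above and classifies each TCP flow as established, refused or stalled. The sample capture is constructed: the port 5631 flow copies the SYNs from the post, while the port 22 and port 5632 flows are invented to show the two contrasting outcomes.

```python
"""Classify TCP flows in tcpdump 3.x-style output as established, refused or stalled.

Added example for the thread above, not code from the original posts.  The
sample capture is constructed: the port 5631 flow copies the SYNs from the
quoted tcpdump; the port 22 and port 5632 flows are invented for contrast.
"""
import re
from collections import OrderedDict

# Constructed sample in the old tcpdump "src.port > dst.port: FLAGS ..." format.
SAMPLE = """\
tcpdump: listening on xl0
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:28:10.100000 remote-client.3760 > public-ip.22: S 1000:1000(0) win 57344 <mss 1460> (DF)
23:28:10.130000 public-ip.22 > remote-client.3760: S 5000:5000(0) ack 1001 win 65535 <mss 1460> (DF)
23:28:10.160000 remote-client.3760 > public-ip.22: . ack 1 win 57344 (DF)
23:28:20.000000 remote-client.3761 > public-ip.5632: S 2000:2000(0) win 57344 <mss 1460> (DF)
23:28:20.030000 public-ip.5632 > remote-client.3761: R 0:0(0) ack 2001 win 0
^C
48 packets received by filter
0 packets dropped by kernel
"""

# timestamp, src.port, dst.port, TCP flag letters, then the rest of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)(?P<rest>.*)$"
)


def _split_endpoint(endpoint):
    """'host.port' -> (host, port); rsplit keeps dotted IPs intact."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def _to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for a TCP line, or None for anything else (UDP, ICMP, noise)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = _split_endpoint(m.group("src"))
    dst, dport = _split_endpoint(m.group("dst"))
    flags = m.group("flags")
    return {"t": _to_seconds(m.group("ts")), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": "S" in flags,
            "ack": " ack " in m.group("rest"), "rst": "R" in flags}


def summarize_flows(lines):
    """Group packets by the client-side 4-tuple and count SYN / SYN-ACK / RST."""
    flows = OrderedDict()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if fwd in flows:
            key, from_client = fwd, True
        elif rev in flows:
            key, from_client = rev, False
        elif p["syn"] and not p["ack"]:
            key, from_client = fwd, True          # a new connection attempt
            flows[key] = {"syn": 0, "synack": 0, "rst": 0, "first": p["t"], "last": p["t"]}
        else:
            continue                              # mid-stream packet, SYN never seen
        f = flows[key]
        f["last"] = p["t"]
        if p["syn"] and not p["ack"] and from_client:
            f["syn"] += 1
        elif p["syn"] and p["ack"] and not from_client:
            f["synack"] += 1
        elif p["rst"]:
            f["rst"] += 1
    return flows


def classify_flows(lines):
    """Return {client 4-tuple: (status, syn_count, seconds_spanned)}."""
    out = OrderedDict()
    for key, f in summarize_flows(lines).items():
        if f["synack"]:
            status = "established"   # the peer completed the handshake
        elif f["rst"]:
            status = "refused"       # something answered, but nothing was listening
        else:
            status = "stalled"       # SYNs unanswered: dropped, or reply never came back
        out[key] = (status, f["syn"], round(f["last"] - f["first"], 3))
    return out


def stalled_flows(lines, min_syns=3):
    """Flows whose SYN was retransmitted at least min_syns times with no reply at all."""
    return [(k, v[1], v[2]) for k, v in classify_flows(lines).items()
            if v[0] == "stalled" and v[1] >= min_syns]


if __name__ == "__main__":
    for (src, sport, dst, dport), (status, syns, span) in classify_flows(SAMPLE.splitlines()).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {status:11s} syn={syns} span={span}s")
```

Run it against a real capture with `tcpdump -n -i xl0 port 5631 | python3 script.py` replaced by reading stdin, or paste the lines into SAMPLE as here; a "stalled" verdict for the redirected port means the next capture belongs on the inside interface (xl1), because the only remaining question is whether the translated SYN ever left the firewall and whether 192.168.99.9 routed its reply back through it.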


