Re: ipf/ipnat behavior

[Paul Goyette <paul%whooppee.com@localhost>]

On Sun, 1 Jun 2008, Darren Reed wrote:

> So you've applied the patch I committed today and this isn't working for you.

Yes.  I have the following ip_state.c

/*      $NetBSD: ip_state.c,v 1.32 2008/06/01 22:26:11 darrenr Exp $    */

> What packets are being blocked (see. ipmon logs)?

Ah - i Haven't looked at ipmon yet.

> Can you see packets being retransmitted (tcpdump)?

I had a tcpdump running on both the NFS client (the box with ipnat) and 
the server.  When attempting to do a 'df' there were no packets logged 
by 'tcpdump -i nfe0 port nfs' on either machine.  Total silence.

> I have these rules:
> pass out quick on pcn2 proto tcp from 192.168.239.70/32 to any flags S/SA 
> keep state
> pass out quick on pcn2 proto udp from 192.168.239.70/32 to any keep state
> pass out quick on pcn2 proto icmp from 192.168.239.70/32 to any keep state
> block in log on pcn2 all
>
> Which kick in when I do:
> mount 192.168.239.2:/usr/home /mnt
>
> And they allow me to do a few quick things (ls, etc) via NFS ok.

I have a completely empty /etc/ipf.conf - zero rules.

I have a very simple /etc/ipnat.conf

        map re0 192.168.2.0/25 -> 0/32 proxy port ftp ftp/tcp
        map re0 192.168.2.0/25 -> 0/32 portmap tcp/udp 40000:60000
        map re0 192.168.2.0/25 -> 0/32

Nothing fancy.

I'll read up on ipmon and see if I can get something from it.


----------------------------------------------------------------------
|   Paul Goyette   | PGP DSS Key fingerprint: |  E-mail addresses:   |
| Customer Service | FA29 0E3B 35AF E8AE 6651 |  paul%whooppee.com@localhost   |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette%juniper.net@localhost |
----------------------------------------------------------------------