Subject: Re: ipnat oddity
To: Patrick Welche <prlw1@newn.cam.ac.uk>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-help
Date: 03/04/2005 10:49:42

On Fri, Mar 04, 2005 at 09:38:12AM +0000, Patrick Welche wrote:
> On Fri, Mar 04, 2005 at 10:21:56AM +0100, Quentin Garnier wrote:
> > On Fri, Mar 04, 2005 at 08:56:09AM +0000, Patrick Welche wrote:
> > > This is with -current 4.1.6 ipfilter.. It looks as though I have something
> > > back to front..

BTW, did the behaviour change with the 4.1.6 import, or is this an unrelated
issue?

> > > tcpdump:
> > >
> > > IP cowsadmin.204.168.192.in-addr.arpa.1164 > 192.168.205.130.http: S 4208745430:4208745430(0) win 65535 <mss 1460,nop,nop,sackOK>
> > > IP gw.168.192.in-addr.arpa > cowsadmin.admin.newn.cam.ac.uk.204.168.192.in-addr.arpa: icmp 36: redirect 192.168.205.130 to host 192.168.205.130
> > [...]
> > > Am I missing something?
> >
> > Can't comment much about the rest, but at least you're missing ending
> > dots in your reverse DNS entries :)
> >
> > On the issue, though, you should provide a -n trace.  It's hard to tell
> > what is gw, and how different are cowsadmin and
> > cowsadmin.admin.newn.cam.ac.uk, as they don't seem to have the same IP
> > address?
>
> Sorry, I just reduced the line length of one, but as I've been up for over
> 24 hours, I didn't do the same edit later..
>
> It's that last part "redirect 192.168.205.130 to host 192.168.205.130" ?!

What does ifconfig vlan3 say on gw?  Seems that gw thinks 192.168.204 and
192.168.205 are on the same LAN segment.

> Here is tcpdump -nti vlan3:
>
> IP 192.168.204.6.1188 > 192.168.205.130.80: S 615063286:615063286(0) win 65535 <mss 1460,nop,nop,sackOK>
> IP 192.168.204.62 > 192.168.204.6: icmp 36: redirect 192.168.205.130 to host 192.168.205.130
> IP 192.168.204.6.123 > 192.168.205.143.123: NTPv4 client, strat 6, poll 6, prec -18
> IP 192.168.204.62 > 192.168.204.6: icmp 36: redirect 192.168.205.143 to host 192.168.205.143
> IP 192.168.204.6.1188 > 192.168.205.130.80: S 615063286:615063286(0) win 65535 <mss 1460,nop,nop,sackOK>
> IP 192.168.204.62 > 192.168.204.6: icmp 36: redirect 192.168.205.130 to host 192.168.205.130
> IP 192.168.204.6.123 > 192.168.205.130.123: NTPv4 client, strat 6, poll 6, prec -18
> IP 192.168.204.62 > 192.168.204.6: icmp 36: redirect 192.168.205.130 to host 192.168.205.130
> IP 192.168.204.6.1188 > 192.168.205.130.80: S 615063286:615063286(0) win 65535 <mss 1460,nop,nop,sackOK>
> IP 192.168.204.62 > 192.168.204.6: icmp 36: host 192.168.205.130 unreachable

The last line is a bit weird I'd say.  I don't know how the stack keeps
track of repeated redirect announces.

> ipnat.conf:
> rdr vlan3 192.168.205.130/32 port 80 -> 192.168.0.130 port 80 tcp
> rdr vlan3 192.168.205.130/32 port 443 -> 192.168.0.130 port 443 tcp
> rdr vlan3 192.168.205.130/32 port 25 -> 192.168.0.130 port 25 tcp
> rdr vlan3 192.168.205.143/32 port 143 -> 192.168.0.143 port 143 tcp
> rdr vlan3 192.168.205.143/32 port 80 -> 192.168.0.143 port 80 tcp
> rdr vlan3 192.168.205.143/32 port 443 -> 192.168.0.143 port 443 tcp
> rdr vlan3 192.168.205.143/32 port 123 -> 192.168.0.143 port 123 tcp/udp
> rdr vlan3 192.168.205.130/32 port 123 -> 192.168.0.130 port 123 tcp/udp

That looks fine.  Any oddities in ipf.conf?

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"When I find the controls, I'll go where I like, I'll know where I want
to be, but maybe for now I'll stay right here on a silent sea."
KT Tunstall, Silent Sea, Eye to the Telescope, 2004.
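
Added example, not part of the original message and not code from either poster: a small Python check over lines taken from the quoted `tcpdump -nti vlan3` trace. It flags ICMP redirects whose advertised gateway is the destination itself (the router telling the host the target is directly reachable) and computes the shortest prefix that would put sender and destination on one segment. The function names are hypothetical, and reading "gateway equals destination" as "router considers the destination on-link" is an assumption consistent with the reply above.

```python
import ipaddress
import re

# Lines copied from the tcpdump -nti vlan3 trace quoted in the message.
TRACE = """\
IP 192.168.204.6.1188 > 192.168.205.130.80: S 615063286:615063286(0) win 65535 <mss 1460,nop,nop,sackOK>
IP 192.168.204.62 > 192.168.204.6: icmp 36: redirect 192.168.205.130 to host 192.168.205.130
IP 192.168.204.6.123 > 192.168.205.143.123: NTPv4 client, strat 6, poll 6, prec -18
IP 192.168.204.62 > 192.168.204.6: icmp 36: redirect 192.168.205.143 to host 192.168.205.143
IP 192.168.204.62 > 192.168.204.6: icmp 36: host 192.168.205.130 unreachable
"""

REDIRECT = re.compile(
    r"^IP (?P<router>[\d.]+) > (?P<host>[\d.]+): icmp \d+: "
    r"redirect (?P<dest>[\d.]+) to (?:host|net) (?P<gw>[\d.]+)$"
)


def common_prefix(a, b):
    """Return the longest IPv4 network that contains both addresses."""
    x, y = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
    plen = 32 - (x ^ y).bit_length()      # number of leading bits the two share
    base = (x >> (32 - plen)) << (32 - plen)  # clear the host bits
    return ipaddress.IPv4Network((base, plen))


def self_redirects(trace):
    """List redirects whose new gateway is the destination itself."""
    findings = []
    for line in trace.splitlines():
        m = REDIRECT.match(line.strip())
        if m and m["dest"] == m["gw"]:
            findings.append({
                "router": m["router"],
                "host": m["host"],
                "dest": m["dest"],
                # A netmask on the router's interface at least this wide would
                # make it treat host and dest as neighbours on one segment.
                "implied_segment": str(common_prefix(m["host"], m["dest"])),
            })
    return findings


if __name__ == "__main__":
    for f in self_redirects(TRACE):
        print("{router} told {host} that {dest} is on-link "
              "(true if the interface covers {implied_segment})".format(**f))
```

Comparing the reported prefix with the netmask shown by `ifconfig vlan3` on the gateway answers the question asked in the reply.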
