Subject: Re: 1.5 ftp proxy (pr #11133)
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Olaf Seibert <rhialto@polderland.nl>
List: tech-kern
Date: 02/13/2001 01:11:46
On Mon 12 Feb 2001 at 21:44:52 +0100, Manuel Bouyer wrote:
> On Mon, Feb 12, 2001 at 11:58:01AM +0100, Olaf Seibert wrote:
> > I guess I should try the same patch, although my problem with NAT is
> > different: it simply won't NAT anymore... I guess a reboot would clear
> > that (at least for a while) but I haven't done that yet.
> 
> And what happens when you try to flush it and config it again ?
> ipnat -F; ipnat -C; ipnat -f /etc/ipnat.conf

azenomei# ipnat -F 
0 entries flushed from NAT table
azenomei# ipnat -C
3 entries flushed from NAT list
azenomei# ipnat -f /etc/ipnat.conf

Now I try to make an SSH connection from my internal network...

azenomei# ipnat -slv
mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   3
table 0x1fffff328 list 0xfffffe00000e7300
List of active MAP/Redirect filters:
map de0 10.0.0.0/8  -> 212.187.68.243/32  proxy port ftp ftp/tcp
map de0 10.0.0.0/8  -> 212.187.68.243/32  portmap tcp/udp 40000:60000
map de0 10.0.0.0/8  -> 212.187.68.243/32 

List of active sessions:
azenomei# ipfstat -io
pass out on de0 from any to any head 400
pass out quick proto icmp from any to any icmp-type echo group 400
pass out log or-block proto icmp from any to any group 400
pass in log from any to any with ipopt
block in log quick proto tcp from any to any with short
block in log quick on de0 proto tcp/udp from any to any port = afpovertcp
pass in on de0 from any to any head 200
block in log from 127.0.0.0/8 to any group 200
block in log from any to 127.0.0.0/8 group 200
block in log from 212.187.68.243/32 to any group 200
block in quick proto tcp/udp from any to any port 136 >< 140 group 200
block in log from 10.0.0.0/8 to any group 200
azenomei# 


ipnat -slv now never shows any active sessions at all. I used the same
ipnat.conf and ipf.conf with 1.4.1 and it kept working all the time. Now
with 1.5 NAT stopped working after a few days, and as I recall, even
then there was never an excessive number of active sessions listed.

Flushing my ipf rules (the default is pass) makes no difference.

I see SYN packets coming in on the internal interface, but they never
make it out the external one.

> Manuel Bouyer <bouyer@antioche.eu.org>
-Olaf.
-- 
___ Olaf 'Rhialto' Seibert - rhialto@polder --Soep van de dag, wat zal dat zijn
\X/ land.nl     --wat kan dat wezen, beter maar het ergste vrezen -Boy Bensdorp
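The symptom in the message above is a NAT table that reports its rules loaded but never shows a session and never advances its mapped counters. The following is an added example, not code from the thread or from IP Filter: a small parser for the `ipnat -slv` statistics and listing format shown above, plus a health check that flags the "rules loaded, nothing translated" state. `NatState`, `parse_ipnat` and `diagnose` are names chosen here; `STUCK_SAMPLE` is the output quoted in the message, and `HEALTHY_SAMPLE` (including the session line) is constructed for contrast, since the real session-line layout is not shown on this page. Run it after generating a test connection through the box, as the message does, so that a healthy gateway has something to list.

```python
"""Parse `ipnat -slv` output and flag a NAT table that is not translating.

Added example; not part of the original mailing-list message.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Verbatim from the message: flushed, reloaded, one SSH attempt made, nothing mapped.
STUCK_SAMPLE = """mapped  in      0       out     0
added   0       expired 0
no memory       0       bad nat 0
inuse   0
rules   3
table 0x1fffff328 list 0xfffffe00000e7300
List of active MAP/Redirect filters:
map de0 10.0.0.0/8  -> 212.187.68.243/32  proxy port ftp ftp/tcp
map de0 10.0.0.0/8  -> 212.187.68.243/32  portmap tcp/udp 40000:60000
map de0 10.0.0.0/8  -> 212.187.68.243/32

List of active sessions:
"""

# Constructed for contrast (counters and the session line are made up; the
# real session-line layout is not shown on the page, so it is not parsed).
HEALTHY_SAMPLE = """mapped  in      12      out     14
added   3       expired 2
no memory       0       bad nat 0
inuse   1
rules   2
table 0x1fffff328 list 0xfffffe00000e7300
List of active MAP/Redirect filters:
map de0 10.0.0.0/8  -> 212.187.68.243/32  portmap tcp/udp 40000:60000
map de0 10.0.0.0/8  -> 212.187.68.243/32

List of active sessions:
MAP 10.0.0.2 1023 <- -> 212.187.68.243 40000 [203.0.113.7 22]
"""


@dataclass
class NatState:
    mapped_in: int = 0
    mapped_out: int = 0
    added: int = 0
    expired: int = 0
    no_memory: int = 0
    bad_nat: int = 0
    inuse: int = 0
    rules: int = 0
    rule_lines: List[str] = field(default_factory=list)
    session_lines: List[str] = field(default_factory=list)


# One regex per counter line, in the layout `ipnat -s` prints.
_COUNTERS = [
    (re.compile(r"^mapped\s+in\s+(\d+)\s+out\s+(\d+)$"), ("mapped_in", "mapped_out")),
    (re.compile(r"^added\s+(\d+)\s+expired\s+(\d+)$"), ("added", "expired")),
    (re.compile(r"^no memory\s+(\d+)\s+bad nat\s+(\d+)$"), ("no_memory", "bad_nat")),
    (re.compile(r"^inuse\s+(\d+)$"), ("inuse",)),
    (re.compile(r"^rules\s+(\d+)$"), ("rules",)),
]


def parse_ipnat(text: str) -> NatState:
    """Split `ipnat -slv` output into counters, rule lines and session lines."""
    state = NatState()
    section = None  # None = statistics block, then "rules", then "sessions"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("List of active MAP/Redirect filters"):
            section = "rules"
            continue
        if line.startswith("List of active sessions"):
            section = "sessions"
            continue
        if section == "rules":
            state.rule_lines.append(line)
            continue
        if section == "sessions":
            state.session_lines.append(line)
            continue
        for pattern, names in _COUNTERS:
            m = pattern.match(line)
            if m:
                for name, value in zip(names, m.groups()):
                    setattr(state, name, int(value))
                break
    return state


def diagnose(state: NatState) -> List[str]:
    """Return human-readable findings; an empty list means the table looks healthy."""
    findings = []
    if state.rules == 0:
        findings.append("no NAT rules loaded (ipnat -f was not run or the file was empty)")
    elif state.rules != len(state.rule_lines):
        findings.append(f"rule count {state.rules} disagrees with {len(state.rule_lines)} listed rules")
    if state.rules and not state.session_lines and state.mapped_in == 0 and state.mapped_out == 0:
        findings.append("NAT rules loaded but no sessions and no packets mapped: NAT is not translating")
    if state.no_memory:
        findings.append(f"{state.no_memory} NAT entries dropped for lack of memory")
    if state.bad_nat:
        findings.append(f"{state.bad_nat} packets counted as bad NAT")
    return findings


if __name__ == "__main__":
    for label, sample in (("stuck", STUCK_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        print(label, diagnose(parse_ipnat(sample)) or "ok")
```

On a live gateway, feed it `ipnat -slv` directly (for example `ipnat -slv | python3 check_ipnat.py` with a small stdin wrapper) right after pushing a connection through from the inside; a table that still reports zero mapped packets and an empty session list after that is the state the message describes, and flushing and reloading with `ipnat -F; ipnat -C; ipnat -f /etc/ipnat.conf` is the first thing the thread tries.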