Subject: ipnat/ipf weirdness
To: None <tech-net@netbsd.org>
From: John Pettitt <jpp@cloudview.com>
List: tech-net
Date: 06/13/1999 16:56:21
Help!

I'm stumped.  I have a very weird problem with my NetBSD box that does not 
make a lot of sense to me.

The basic issue is that some web hosts (search.nytimes.com is a good 
example) are not reachable from my internal (ipnat) hosts.   The setup looks 
like this:

Internal LAN is 192.168.1.* with DHCP-allocated addresses for some Windows 
boxes.
NetBSD machine is 192.168.1.254 on de0 and 216.103.77.155 on ne1

My ipnat.conf has the following

map ne1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ne1 192.168.1.0/24 -> 0/32 portmap tcp/udp 1025:60000
map ne1 192.168.1.0/2f -> 0/32

/etc/ipf.conf is empty

Mostly this works fine - I can access web hosts etc etc with no problem - 
however some web hosts can't be seen (search.nytimes.com, go.msn.com).

What I know so far:

1) It's not Internet Explorer (my first suspect - telnet and Netscape fail)
2) tcpdump reveals that the packets never get to the outside interface; I 
can see them on the inside (see below)

tcpdump: listening on de0
16:51:59.697805 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:51:59.698103 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 55570851 win 0
16:52:00.179583 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:52:00.179833 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 1 win 0
16:52:00.679523 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:52:00.679794 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 1 win 0
16:52:01.179496 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:52:01.179768 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 1 win 0

A tcpdump on ne1 at the same time does not see any packets.

3) If I set up Apache on the BSD machine to "listen 80", the local machine 
will answer instead of the intended host.
4) Connections directly from the BSD box to the above hosts work fine.
5) If I use Apache as an HTTP proxy, it works fine.

My next move is to start digging through the ipnat code - however, before I 
do that I'd like to know if anybody has any ideas.



 John Pettitt  jpp@beyond.com (work)
               jpp@cloudview.com (home)
   Any technology that is distinguishable from magic is insufficiently advanced.
   Any sufficiently advanced magic is indistinguishable from a rigged demonstration.
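The de0 trace in the post can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the original message or from the ipnat/ipf project: it parses tcpdump's classic one-line TCP output, pairs each SYN with the RST that answers it, checks that the RST really acknowledges that SYN (tcpdump prints the first acknowledgement as an absolute number and later ones relative, hence "ack 55570851" then "ack 1"), and measures the SYN-to-RST latency. The assumption it encodes is a 1 ms threshold: a reset arriving a few hundred microseconds after the SYN cannot have crossed the Internet to 199.181.172.237 and back, so it was generated on the local segment, which is consistent with the observation that an Apache bound to port 80 on the gateway answers the connection. The second trace (to 198.51.100.7) is a constructed control with a 41.5 ms reply and is not from the post.

```python
"""Pair SYNs with answering RSTs in classic tcpdump output and flag replies
that came back too fast to have come from a remote host."""
import re
from dataclasses import dataclass

# Sample input taken from the post's de0 trace, one packet per line.
SAMPLE_TRACE = """\
16:51:59.697805 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:51:59.698103 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 55570851 win 0
16:52:00.179583 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:52:00.179833 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 1 win 0
16:52:00.679523 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:52:00.679794 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 1 win 0
16:52:01.179496 192.168.1.1.2722 > 199.181.172.237.80: S 55570850:55570850(0) win 8192 <mss 1456,nop,nop,sackOK> (DF)
16:52:01.179768 199.181.172.237.80 > 192.168.1.1.2722: R 0:0(0) ack 1 win 0
"""

# Constructed control trace (not from the post): a refused connection whose RST
# took a realistic 41.5 ms to arrive from a documentation-range address.
CONTROL_TRACE = """\
16:53:10.100000 192.168.1.1.2730 > 198.51.100.7.80: S 1000:1000(0) win 8192 <mss 1456> (DF)
16:53:10.141500 198.51.100.7.80 > 192.168.1.1.2730: R 0:0(0) ack 1001 win 0
"""

PKT_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+)\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[A-Z.]+)\s+(?P<seq>\d+):(?P<end>\d+)\(\d+\)"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)


@dataclass
class Pair:
    client: str          # "ip.port" that sent the SYN
    server: str          # "ip.port" the SYN was aimed at
    syn_seq: int
    delta_ms: float      # time from the SYN to the RST that answered it
    ack_matches: bool    # RST acks syn_seq+1 (absolute) or tcpdump's relative "1"


def _to_seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)


def pair_syn_rst(trace):
    """Return one Pair per SYN that was answered by a RST on the reverse flow."""
    pending = {}   # (client, server) -> (t_syn, seq) of the last unanswered SYN
    pairs = []
    for line in trace.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        t = _to_seconds(m["h"], m["m"], m["s"])
        src = f'{m["sip"]}.{m["sport"]}'
        dst = f'{m["dip"]}.{m["dport"]}'
        if m["flags"] == "S" and m["ack"] is None:      # a bare SYN, not a SYN-ACK
            pending[(src, dst)] = (t, int(m["seq"]))
        elif m["flags"] == "R" and (dst, src) in pending:
            t_syn, seq = pending.pop((dst, src))
            ack = int(m["ack"]) if m["ack"] else None
            # tcpdump switches to relative sequence numbers after the first
            # exchange of a flow, so "ack 1" is also a valid answer to the SYN.
            ack_ok = ack in (seq + 1, 1)
            pairs.append(Pair(dst, src, seq, (t - t_syn) * 1000.0, ack_ok))
    return pairs


def locally_answered(pairs, max_ms=1.0):
    """Pairs whose matching RST arrived within max_ms of the SYN.

    Assumption: 1 ms is a generous bound for a reply from the same Ethernet
    segment and far below any round trip to a host across the Internet, so a
    RST inside that window was produced locally, not by the intended server.
    """
    return [p for p in pairs if p.ack_matches and p.delta_ms < max_ms]


if __name__ == "__main__":
    for name, trace in (("post", SAMPLE_TRACE), ("control", CONTROL_TRACE)):
        pairs = pair_syn_rst(trace)
        for p in pairs:
            verdict = "LOCAL" if p in locally_answered(pairs) else "remote"
            print(f"{name}: {p.client} -> {p.server} RST after {p.delta_ms:.3f} ms [{verdict}]")
```

Run it against a fresh `tcpdump -n -i de0 tcp port 80` capture rather than the excerpt: if every SYN to the unreachable hosts is answered within a millisecond while SYNs to working hosts are not, the reset is being generated before the packet reaches ne1, which narrows the search to the gateway's own routing, interface configuration and NAT rules rather than to anything upstream.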