Gentlemen,
I am having one issue with ipnat/ipf that I can't solve...
My home network is quite simple and is made of (basically) 4 machines:
- an old sparc5 running Solaris 8 acting as a router/firewall
- a PC running win98
- a brand new PC running win2k
- an ultra2 running Solaris 9
I discovered the problem recently because I bought a new PC and
installed win2k on it. The problem DOESN'T happen with win98 for an
unknown reason.
When going to the web from the PC running win2k, some sites seem to
respond, but the reply doesn't make it to the box. I tried the same
on my ultra2 box and the problem also occurs there. [I never
discovered the problem on the ultra2 because I use it to connect to a
VPN server, and do everything through the VPN]
The strange thing is that it works on some sites without any problem.
I hope that someone has an idea or suggestion.... The IP config on the
2 PCs and the ultra2 is extremely simple: gateway = 192.168.10.1, DNS =
192.168.10.1 (the sparc5 is also acting as DNS server/forwarder)
Thanks!!!
-Fred
Here is the config, some output and some snoop output:
machine   hostname   ip address      OS
Sparc5    kokio      192.168.10.1    Solaris 5.8
PC1       pokemon    192.168.10.11   win98
PC2       quake      192.168.10.14   win2k
ultra2    ultra2     192.168.10.10   Solaris 5.9
ipf.conf (on ss5: le0 is the DSL modem, hme0 is my LAN):
###############
### lo0 ###
###############
pass in quick on lo0
pass out quick on lo0
###############
### hme0 ###
###############
pass in quick on hme0
pass out quick on hme0
###############
### sppp0 ###
###############
# block what we shouldn't receive
block in quick on sppp0 from 192.168.0.0/16 to any
block in quick on sppp0 from 172.16.0.0/12 to any
block in quick on sppp0 from 10.0.0.0/8 to any
block in quick on sppp0 from 127.0.0.0/8 to any
block in quick on sppp0 from 0.0.0.0/8 to any
block in quick on sppp0 from 224.0.0.0/3 to any
# don't send stupid stuff to the internet (it shouldn't happen anyway)
block out quick on sppp0 from any to 192.168.0.0/16
block out quick on sppp0 from any to 172.16.0.0/12
block out quick on sppp0 from any to 10.0.0.0/8
block out quick on sppp0 from any to 127.0.0.0/8
block out quick on sppp0 from any to 0.0.0.0/8
block out quick on sppp0 from any to 224.0.0.0/3
#
# VPN
#
pass in quick from xxx.xxx.xxx.xxx/32 to any
# keep state
pass out quick on sppp0 proto tcp from any to any keep state keep frags
pass out quick on sppp0 proto udp from any to any keep state keep frags
pass out quick on sppp0 proto icmp from any to any keep state keep frags
# and block what's left
block return-rst in log quick on sppp0 proto tcp from any to any
block in log quick on sppp0 all
block out log quick on sppp0 all
ipnat.conf:
map sppp0 0/0 -> 0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0/32 portmap tcp/udp 10000:40000
map sppp0 192.168.10.0/24 -> 0/32
Some tests done here:
1) ipnat -l
2) connect to a website showing the issue from win98 (192.168.10.11)
3) ipnat -l + snoop output (sppp0 interface)
4) connect to the same website using win2k (192.168.10.14)
5) ipnat -l + snoop output (sppp0 interface)
[my current internet address is 213.193.172.9, assigned on sppp0]
List of active MAP/Redirect filters:
map sppp0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:40000
map sppp0 192.168.10.0/24 -> 0.0.0.0/32
List of active sessions:
CONNECT HERE win98
1 0.00000 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10285
2 0.02500 netbanking.dexia.be -> pokemon.vecoven.com HTTP R port=1335
3 0.00089 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10285
4 0.00487 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP GET / HTTP/1.1
5 0.05454 netbanking.dexia.be -> pokemon.vecoven.com HTTP HTTP/1.1 200 OK
6 0.00366 netbanking.dexia.be -> pokemon.vecoven.com HTTP ionSupported()) {
7 0.00105 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10285
8 0.02946 netbanking.dexia.be -> pokemon.vecoven.com HTTP
src="/PC/static/shared/images/WhitePix.gif" width="22" height=1></td></tr><tr><t
9 0.00372 netbanking.dexia.be -> pokemon.vecoven.com HTTP }
10 0.00109 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10285
11 0.00256 netbanking.dexia.be -> pokemon.vecoven.com HTTP Ver.indexOf("MACINTOSH") != -1 )
12 0.02644 netbanking.dexia.be -> pokemon.vecoven.com HTTP onFrench.gif" alt="Français"></A>');
13 0.00112 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10285
14 0.00231 netbanking.dexia.be -> pokemon.vecoven.com HTTP (body)
etc...
List of active MAP/Redirect filters:
map sppp0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:40000
map sppp0 192.168.10.0/24 -> 0.0.0.0/32
List of active sessions:
MAP 192.168.10.11 1336 <- -> 213.193.172.9 10286 [212.63.226.27 80]
MAP 192.168.10.11 1335 <- -> 213.193.172.9 10285 [212.63.226.27 80]
CONNECT NOW FROM win2k:
1 0.00000 213-193-172-9.adsl.easynet.be -> 213-193-172-1.adsl.easynet.be ICMP Echo request (ID: 9157 Sequence number: 0)
2 0.01315 213-193-172-1.adsl.easynet.be -> 213-193-172-9.adsl.easynet.be ICMP Echo reply (ID: 9157 Sequence number: 0)
3 28.29043 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10287
4 0.02830 netbanking.dexia.be -> quake.vecoven.com HTTP R port=1772
5 0.00152 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10287
6 0.00016 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP GET / HTTP/1.1
7 3.24789 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP GET / HTTP/1.1
8 0.04597 netbanking.dexia.be -> quake.vecoven.com HTTP R port=1772
nothing more here...
List of active MAP/Redirect filters:
map sppp0 0.0.0.0/0 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.10.0/24 -> 0.0.0.0/32 portmap tcp/udp 10000:40000
map sppp0 192.168.10.0/24 -> 0.0.0.0/32
List of active sessions:
MAP 192.168.10.14 1772 <- -> 213.193.172.9 10287 [212.63.226.27 80]
MAP 192.168.10.11 1336 <- -> 213.193.172.9 10286 [212.63.226.27 80]
MAP 192.168.10.11 1335 <- -> 213.193.172.9 10285 [212.63.226.27 80]
ipf/ipnat version:
ipf: IP Filter: v3.4.30 (432)
Kernel: IP Filter: v3.4.30
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
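As an added example (not part of the original post, and not Fred's or IP Filter's own code), a small Python script that correlates the `ipnat -l` session table with the snoop summaries above so the win98 and win2k traces can be compared mechanically: it checks every `C port=` / `R port=` line against the NAT table and then counts, per direction, how many lines carry HTTP payload. It assumes each trace covers a single test connection, and uses abbreviated copies of the post's own lines as constructed sample input.

```python
import re
from collections import Counter
# Constructed sample, abbreviated from the post's ipnat -l table and snoop output.
EXTERNAL = "213-193-172-9.adsl.easynet.be"   # the NAT'd address on sppp0
SESSIONS = """\
MAP 192.168.10.14 1772 <- -> 213.193.172.9 10287 [212.63.226.27 80]
MAP 192.168.10.11 1335 <- -> 213.193.172.9 10285 [212.63.226.27 80]
"""
SNOOP_WIN98 = """\
1 0.00000 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10285
2 0.02500 netbanking.dexia.be -> pokemon.vecoven.com HTTP R port=1335
4 0.00487 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP GET / HTTP/1.1
5 0.05454 netbanking.dexia.be -> pokemon.vecoven.com HTTP HTTP/1.1 200 OK
"""
SNOOP_WIN2K = """\
3 28.29043 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP C port=10287
4 0.02830 netbanking.dexia.be -> quake.vecoven.com HTTP R port=1772
6 0.00016 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP GET / HTTP/1.1
7 3.24789 213-193-172-9.adsl.easynet.be -> netbanking.dexia.be HTTP GET / HTTP/1.1
8 0.04597 netbanking.dexia.be -> quake.vecoven.com HTTP R port=1772
"""
MAP_RE = re.compile(r"^MAP \S+ (\d+) <- -> \S+ (\d+) \[\S+ \d+\]")
SNOOP_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+) -> \S+ HTTP (.*)$")

def parse_sessions(text):
    # ipnat -l session lines -> {external (NAT'd) port: LAN host's port}
    return {int(m.group(2)): int(m.group(1))
            for m in map(MAP_RE.match, text.splitlines()) if m}
def analyze(sessions, snoop, external=EXTERNAL):
    """Count per direction: C/R lines (no HTTP body) vs. lines carrying payload."""
    c = Counter()
    for m in filter(None, map(SNOOP_RE.match, snoop.splitlines())):
        src, info = m.groups()
        out = src == external
        ctl = re.match(r"^[CR] port=(\d+)$", info)
        if ctl is None:
            c["out_data" if out else "in_data"] += 1
        else:
            c["out_ctl" if out else "in_ctl"] += 1
            # outbound lines show the NAT'd port, inbound ones the LAN host's port
            if int(ctl.group(1)) not in (sessions if out else sessions.values()):
                c["unmapped"] += 1
    return c
def verdict(c):
    if c["unmapped"]:
        return "packets with no ipnat session: NAT table problem"
    if not c["in_ctl"]:
        return "no reply at all: filtered or not routed"
    if c["out_data"] and not c["in_data"]:
        return "handshake and request pass, response payload never arrives"
    return "two-way traffic seen"
```

Run against the two traces, the win98 one reports two-way traffic while the win2k one shows a mapped session, a completed handshake and a repeated GET with no response payload, which narrows the search to what happens to the larger reply packets rather than to the NAT table itself.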