Solaris 9 Generic_117172-12 i386 pfil 2.1.4 ipfilter 4.1.3

Brand new box, just set up. Trying simple NAT to replace old box. ipf.conf is empty, except for "pass all" lines. (Actually that is the default, but 'just in case'.)


ipnat.conf:

map e1000g1 192.168.0.0/16 -> 0/32 portmap tcp/udp auto
map e1000g1 192.168.0.0/16 -> 0/32


Setting up routing to netbsd.org to go to this new box.

Telnetting directly from the box works OK. Via NAT fails.

Snooping on the external interface sees:



++ With telnet, works ok:

210.172.128.225 -> 204.152.190.12 TCP D=22 S=8198 Syn Seq=3967773248 Len=0 Win=32850 Options=<mss 1460,nop,wscale 1,nop,nop,tstamp 415741 0,nop,nop,sackOK>



++ Via NAT, does not ever receive a reply:


210.172.128.225 -> 204.152.190.12 TCP D=22 S=56030 Syn Seq=3454801052 Len=0 Win= 65535 Options=<mss 1460,nop,wscale 6,nop,nop,tstamp 0 0>




I've read that "wscale" is not supported by ipfilter, so perhaps this is why. I have set recv_hiwat/xmit_hiwat to 64000. But notice that ipfilter still uses 65535? Where is this set?


nat04:~# ndd /dev/tcp tcp_xmit_hiwat
64000
nat04:~# ndd /dev/tcp tcp_recv_hiwat
64000

Nor does it suggest SACK? Is that normal?

Lund

--
Jorgen Lundman       | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo    | +81 (0)90-5578-8500          (cell)
Japan                | +81 (0)3 -3375-1767          (home)
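The question above comes down to comparing the TCP options on the SYN that works (sent directly) against the SYN that goes unanswered (sent through the NAT). The following is an added example, not code from the post or from ipfilter, that parses the two `snoop` summary lines quoted above (embedded here as constructed input copied from the post) and reports exactly which option fields differ. The regular expression and the option names it understands (`mss`, `wscale`, `tstamp`, `sackOK`, `nop`) are assumptions about `snoop`'s summary format based on the two lines shown; it is a diagnostic aid for reading a capture, not a fix for the NAT.

```python
import re

# Constructed input: the two snoop summary lines quoted in the post, one for the
# SYN sent directly from the NAT box and one for the SYN that arrived via NAT.
SNOOP_LINES = {
    "direct": ("210.172.128.225 -> 204.152.190.12 TCP D=22 S=8198 Syn Seq=3967773248 "
               "Len=0 Win=32850 Options=<mss 1460,nop,wscale 1,nop,nop,tstamp 415741 0,"
               "nop,nop,sackOK>"),
    "nat": ("210.172.128.225 -> 204.152.190.12 TCP D=22 S=56030 Syn Seq=3454801052 "
            "Len=0 Win= 65535 Options=<mss 1460,nop,wscale 6,nop,nop,tstamp 0 0>"),
}

# Assumed shape of a snoop TCP summary line (derived from the two lines above).
LINE_RE = re.compile(
    r"(?P<src>\S+) -> (?P<dst>\S+) TCP D=(?P<dport>\d+) S=(?P<sport>\d+) "
    r"(?P<flags>[A-Za-z]+) Seq=(?P<seq>\d+) Len=(?P<len>\d+) Win=\s*(?P<win>\d+)"
    r"(?: Options=<(?P<opts>[^>]*)>)?"
)


def parse_options(opts):
    """Turn 'mss 1460,nop,wscale 1,...' into a dict of the options we care about."""
    result = {"mss": None, "wscale": None, "tstamp": None, "sackOK": False}
    for item in opts.split(","):
        parts = item.strip().split()
        if not parts or parts[0] == "nop":
            continue  # padding, carries no information
        name = parts[0]
        if name == "mss":
            result["mss"] = int(parts[1])
        elif name == "wscale":
            result["wscale"] = int(parts[1])
        elif name == "tstamp":
            result["tstamp"] = (int(parts[1]), int(parts[2]))
        elif name == "sackOK":
            result["sackOK"] = True
    return result


def parse_snoop_tcp(line):
    """Parse one snoop TCP summary line into a dict of fields plus parsed options."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a snoop TCP summary line: %r" % line)
    rec = {k: v for k, v in m.groupdict().items() if k != "opts"}
    for key in ("dport", "sport", "seq", "len", "win"):
        rec[key] = int(rec[key])
    rec["options"] = parse_options(m.group("opts") or "")
    return rec


def effective_window(rec):
    """Largest window the sender may later advertise once scaling is in effect.

    The Win= value in a SYN itself is never scaled; the shift only applies to
    segments sent after the handshake completes, so this is win << wscale.
    """
    ws = rec["options"]["wscale"]
    return rec["win"] << ws if ws is not None else rec["win"]


def compare_syn(direct, nat):
    """Return a list of readable differences between two parsed SYNs."""
    diffs = []
    for key in ("wscale", "sackOK", "mss"):
        a, b = direct["options"][key], nat["options"][key]
        if a != b:
            diffs.append("%s: direct=%s nat=%s" % (key, a, b))
    if direct["win"] != nat["win"]:
        diffs.append("win: direct=%d nat=%d" % (direct["win"], nat["win"]))
    if nat["options"]["tstamp"] == (0, 0):
        diffs.append("tstamp: NAT'd SYN carries a zero timestamp value")
    return diffs


if __name__ == "__main__":
    direct = parse_snoop_tcp(SNOOP_LINES["direct"])
    nat = parse_snoop_tcp(SNOOP_LINES["nat"])
    for d in compare_syn(direct, nat):
        print(d)
    print("effective window via NAT:", effective_window(nat))
```

Running it over the two quoted lines lists the window size, the window-scale shift, the missing `sackOK` and the zero timestamp as the fields that differ. The window and option values in a SYN are chosen by the host that originated it, so this comparison is the first step in telling apart what the NAT rewrote (addresses and ports, which `ipnat` maps) from what the inside client sent unchanged, before changing any kernel tunables on the NAT box.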
