Darren Reed wrote:
Hmm, let me see here:
rdr dc0 194.126.106.106/32 port 1723 -> 127.0.0.1 port 1723 proxy pptp
pass in log first quick on dc0 proto tcp \
from any to 127.0.0.1/32 port = 1723 \
flags S keep state
You're using the proxy in a way I doubt it has been written to work with :)
I was sort of suspecting that :-)
If you do an "ipnat -l" and "ipfstat -sl", can you see NAT/state entries
that should match the 2nd packet above that gets blocked ?
ipnat -l shows the following:
RDR 127.0.0.1 1723 <- -> 194.126.106.106 1723 [194.126.106.110 1814]
proxy pptp/6 use 2 flags 0
proto 6 flags 0 bytes 868 pkts 8 data YES size 316
I think I should also see some 'proto 47' entries listed here?
ipfstat -sl shows the following:
194.126.106.110 -> 127.0.0.1 pass 0x40008502 pr 6 state 5/5 bkt 3690
tag 0 ttl 863974
2392 -> 1723 8ee7dde1:9265f8a3 65535<<0:58400<<0
cmsk 0000 smsk 0000 isc 0x0 s0 8ee7dc85/9265f7e7
FWD:ISN inc 0 sumd 0
REV:ISN inc 0 sumd 0
forward: pkts in 4 bytes in 516 pkts out 0 bytes out 0
backward: pkts in 0 bytes in 0 pkts out 4 bytes out 352
pass in quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0x1 0 0 0x1
interfaces: in dc0[dc0],-[] out -[],dc0[dc0]
Sync status: not synchronized
194.126.106.110 -> 194.126.106.106 pass 0x4502 pr 47 state 0/0 bkt 1388
tag 0 ttl 214
forward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
backward: pkts in 0 bytes in 0 pkts out 0 bytes out 0
pass out quick keep state IPv4
pkt_flags & 0(0) = 0, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0 0 0 0
interfaces: in dc0[dc0],-[] out -[],-[]
Sync status: not synchronized
194.126.106.110 -> 127.0.0.1 pass 0x40008502 pr 6 state 7/11 bkt 4999
tag 0 ttl 3
1914 -> 1723 e2e8aed6:cc89ea61 65535<<0:58400<<0
cmsk 0000 smsk 0000 isc 0x0 s0 e2e8ad69/cc89e900
FWD:ISN inc 0 sumd 0
REV:ISN inc 0 sumd 0
forward: pkts in 6 bytes in 612 pkts out 0 bytes out 0
backward: pkts in 0 bytes in 0 pkts out 8 bytes out 676
pass in quick keep state IPv4
pkt_flags & 0(10000) = 1000, pkt_options & ffffffff = 0
pkt_security & ffff = 0, pkt_auth & ffff = 0
is_flx 0x1 0 0 0x1
interfaces: in dc0[dc0],-[] out -[],dc0[dc0]
Sync status: not synchronized
Also, try it with the patch below.
That didn't seem to make a difference.
--
Toomas Aas --------------------------------------------------------
|arvutiv�rgu peaspetsialist | head specialist on computer networks|
|Tartu Linnakantselei | Tartu City Office |
----------------------------------------------------- +372 736 1274
