>>>>> "Darren" == Darren Reed <[EMAIL PROTECTED]> writes:
Darren> if you run tcpdump on pppoe0 as well as your internal
Darren> interface, do you see the packets in both places, as they
Darren> should ?
It appears that way:
DMZ interface (hme2 on 192.168.2.0/24):
17:20:00.335926 IP theta.65070 > arc-dmz.domain: 32691+ AAAA? www.bbc.co.uk.
(31)
17:20:00.447025 IP arc-dmz.domain > theta.65070: 32691 1/0/0 CNAME[|domain]
17:20:00.447511 IP theta.65069 > arc-dmz.domain: 32692+ A? www.bbc.co.uk. (31)
17:20:00.454239 IP arc-dmz.domain > theta.65069: 32692 2/13/0 CNAME[|domain]
17:20:00.455018 IP theta.65318 > www23.thdo.bbc.co.uk.www: S
3336718153:3336718153(0) win 32768 <mss 1460,nop,wscale
0,sackOK,nop,nop,nop,nop,timestamp 0 0>
17:20:00.476646 IP www23.thdo.bbc.co.uk.www > theta.65318: S
936242578:936242578(0) ack 3336718154 win 33304 <nop,nop,timestamp 1830748703
0,mss 1460,nop,wscale 1,nop,nop,sackOK>
17:20:00.476806 IP theta.65318 > www23.thdo.bbc.co.uk.www: . ack 1 win 33580
<nop,nop,timestamp 0 1830748703>
17:20:00.477869 IP theta.65318 > www23.thdo.bbc.co.uk.www: P 1:186(185) ack 1
win 33580 <nop,nop,timestamp 0 1830748703>
17:20:00.504482 IP www23.thdo.bbc.co.uk.www > theta.65318: . ack 186 win 33211
<nop,nop,timestamp 1830748706 0>
17:20:37.621095 IP theta.65318 > www23.thdo.bbc.co.uk.www: F 186:186(0) ack 1
win 33580 <nop,nop,timestamp 75 1830748703>
17:20:37.640322 IP www23.thdo.bbc.co.uk.www > theta.65318: . ack 187 win 33211
<nop,nop,timestamp 1830752419 75>
External interface (pppoe0 on 1.2.3.204/30 - 1.2.3.205/32 and 1.2.3.206/32
usable):
17:20:00.455574 PPPoE [ses 0x8b04] IP theta-ext.65318 >
www23.thdo.bbc.co.uk.www: S 3336718153:3336718153(0) win 32768 <mss
1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>
17:20:00.476450 PPPoE [ses 0x8b04] IP www23.thdo.bbc.co.uk.www >
theta-ext.65318: S 936242578:936242578(0) ack 3336718154 win 33304
<nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>
17:20:00.477009 PPPoE [ses 0x8b04] IP theta-ext.65318 >
www23.thdo.bbc.co.uk.www: . ack 1 win 33580 <nop,nop,timestamp 0 1830748703>
17:20:00.478179 PPPoE [ses 0x8b04] IP theta-ext.65318 >
www23.thdo.bbc.co.uk.www: P 1:186(185) ack 1 win 33580 <nop,nop,timestamp 0
1830748703>
17:20:00.504294 PPPoE [ses 0x8b04] IP www23.thdo.bbc.co.uk.www >
theta-ext.65318: . ack 186 win 33211 <nop,nop,timestamp 1830748706 0>
17:20:22.851791 PPPoE [ses 0x8b04] LCP, Echo-Request (0x09), id 188, Magic-Num
0x73af709e, length 8
17:20:22.851839 PPPoE [ses 0x8b04] LCP, Echo-Reply (0x0a), id 188, Magic-Num
0x102f63d5, length 8
17:20:37.621363 PPPoE [ses 0x8b04] IP theta-ext.65318 >
www23.thdo.bbc.co.uk.www: F 186:186(0) ack 1 win 33580 <nop,nop,timestamp 75
1830748703>
17:20:37.640133 PPPoE [ses 0x8b04] IP www23.thdo.bbc.co.uk.www >
theta-ext.65318: . ack 187 win 33211 <nop,nop,timestamp 1830752419 75>
Darren> also, are you sure the NAT is working at all ? I see an
Darren> "mss 1460" in there, despite you having 1440 in an
Darren> ipnat.conf file.
I added the following to my ipnat.conf file, without any obvious
effect:
# MSS clamp the DMZ traffic
map pppoe0 192.168.2.0/24 -> 1.2.3.206/32 mssclamp 1440
I must admit that I'd missed the differing MSS values. Note that I've
also got net.inet.tcp.mss_ifmtu=1 set in /etc/sysctl.conf. I also
fully admit that playing with MSS values is something I don't
completely understand.
The NAT must be working for certain values of "working", as I can
connect to the services (web and mail servers) running on a box in the
DMZ from a remote machine using the static IP address I'm bimap-ing in
ipnat.conf, for example:
DMZ interface (hme2):
17:28:46.233622 IP sphinx.mythic-beasts.com.43913 > theta.www: S
3941160825:3941160825(0) win 5840 <mss 1460,sackOK,timestamp 2429307406
0,nop,wscale 2>
17:28:46.233862 IP theta.www > sphinx.mythic-beasts.com.43913: S
3816473555:3816473555(0) ack 3941160826 win 32768 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 2429307406,sackOK,nop,nop>
17:28:46.256009 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 1 win 1460
<nop,nop,timestamp 2429307429 0>
17:28:46.258310 IP sphinx.mythic-beasts.com.43913 > theta.www: P 1:403(402) ack
1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.259444 IP theta.www > sphinx.mythic-beasts.com.43913: P 1:322(321) ack
403 win 33580 <nop,nop,timestamp 0 0>
17:28:46.259551 IP theta.www > sphinx.mythic-beasts.com.43913: P 322:812(490)
ack 403 win 33580 <nop,nop,timestamp 0 0>
17:28:46.293710 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 322 win
1728 <nop,nop,timestamp 2429307466 0>
17:28:46.311937 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 812 win
1996 <nop,nop,timestamp 2429307485 0>
17:29:01.265699 IP theta.www > sphinx.mythic-beasts.com.43913: F 812:812(0) ack
403 win 33580 <nop,nop,timestamp 30 0>
17:29:01.327050 IP sphinx.mythic-beasts.com.43913 > theta.www: . ack 813 win
1996 <nop,nop,timestamp 2429322499 30>
17:29:06.314216 IP sphinx.mythic-beasts.com.43913 > theta.www: F 403:403(0) ack
813 win 1996 <nop,nop,timestamp 2429327486 30>
17:29:06.314374 IP theta.www > sphinx.mythic-beasts.com.43913: . ack 404 win
33580 <nop,nop,timestamp 40 0>
External interface (pppoe0):
17:28:46.233162 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: S 3941160825:3941160825(0) win 5840 <mss 1460,sackOK,timestamp
2429307406 0,nop,wscale 2>
17:28:46.234082 PPPoE [ses 0x8b04] IP theta-ext.www >
sphinx.mythic-beasts.com.43913: S 3816473555:3816473555(0) ack 3941160826 win
32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 2429307406,sackOK,nop,nop>
17:28:46.255811 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: . ack 1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.258088 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: P 1:403(402) ack 1 win 1460 <nop,nop,timestamp 2429307429 0>
17:28:46.259732 PPPoE [ses 0x8b04] IP theta-ext.www >
sphinx.mythic-beasts.com.43913: P 1:322(321) ack 403 win 33580
<nop,nop,timestamp 0 0>
17:28:46.260042 PPPoE [ses 0x8b04] IP theta-ext.www >
sphinx.mythic-beasts.com.43913: P 322:812(490) ack 403 win 33580
<nop,nop,timestamp 0 0>
17:28:46.293504 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: . ack 322 win 1728 <nop,nop,timestamp 2429307466 0>
17:28:46.311740 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: . ack 812 win 1996 <nop,nop,timestamp 2429307485 0>
17:29:01.265967 PPPoE [ses 0x8b04] IP theta-ext.www >
sphinx.mythic-beasts.com.43913: F 812:812(0) ack 403 win 33580
<nop,nop,timestamp 30 0>
17:29:01.326845 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: . ack 813 win 1996 <nop,nop,timestamp 2429322499 30>
17:29:06.313994 PPPoE [ses 0x8b04] IP sphinx.mythic-beasts.com.43913 >
theta-ext.www: F 403:403(0) ack 813 win 1996 <nop,nop,timestamp 2429327486 30>
17:29:06.314581 PPPoE [ses 0x8b04] IP theta-ext.www >
sphinx.mythic-beasts.com.43913: . ack 404 win 33580 <nop,nop,timestamp 40 0>
Cheers,
--
Barrie J. Bremner
list-ipf [at] barriebremner.com http://barriebremner.com/
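Darren's two checks above (is the same packet visible on both interfaces, and does the MSS option change as the mssclamp rule says it should) can be automated by correlating the SYN/SYN-ACK lines of the two captures. The script below is an added example, not code from the thread or from IPFilter; it parses tcpdump text output of the shape shown above, pairs each SYN seen on the DMZ interface with the same SYN on pppoe0 by sequence number and ports (ipnat does not rewrite TCP sequence numbers for a plain map rule), and reports whether the address was rewritten and whether the post-translation MSS is at or below the configured clamp. The sample lines are constructed for the example (the same SYN exchange as in the post); the `clamp=1440` value is the one from the ipnat.conf line above. Because tcpdump resolved names here, "rewritten" shows up as `theta` versus `theta-ext`; with `tcpdump -n` you would compare raw addresses instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the outbound SYN and the returning SYN-ACK as seen
# on the DMZ interface (hme2) and on the external interface (pppoe0).
DMZ_LINES = [
    "17:20:00.455018 IP theta.65318 > www23.thdo.bbc.co.uk.www: S 3336718153:3336718153(0) "
    "win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>",
    "17:20:00.476646 IP www23.thdo.bbc.co.uk.www > theta.65318: S 936242578:936242578(0) "
    "ack 3336718154 win 33304 <nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>",
]
EXT_LINES = [
    "17:20:00.455574 PPPoE [ses 0x8b04] IP theta-ext.65318 > www23.thdo.bbc.co.uk.www: S "
    "3336718153:3336718153(0) win 32768 <mss 1460,nop,wscale 0,sackOK,nop,nop,nop,nop,timestamp 0 0>",
    "17:20:00.476450 PPPoE [ses 0x8b04] IP www23.thdo.bbc.co.uk.www > theta-ext.65318: S "
    "936242578:936242578(0) ack 3336718154 win 33304 <nop,nop,timestamp 1830748703 0,mss 1460,nop,wscale 1,nop,nop,sackOK>",
]

# Matches only SYN / SYN-ACK lines (flag "S"); the optional PPPoE prefix is
# what tcpdump prints on the pppoe0 side.
SYN_RE = re.compile(
    r"^(?P<ts>\S+) (?:PPPoE \[ses 0x[0-9a-f]+\] )?IP "
    r"(?P<src>\S+) > (?P<dst>\S+): S (?P<seq>\d+):\d+\(\d+\)"
    r"(?: ack \d+)? win \d+ <(?P<opts>[^>]*)>"
)


@dataclass
class Syn:
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    seq: int
    mss: Optional[int]  # None when the SYN carries no MSS option


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """tcpdump prints host.port; the port is the last dot-separated field."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_syn(line: str) -> Optional[Syn]:
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_endpoint(m["src"])
    dst_host, dst_port = split_endpoint(m["dst"])
    mss = re.search(r"\bmss (\d+)", m["opts"])
    return Syn(m["ts"], src_host, src_port, dst_host, dst_port,
               int(m["seq"]), int(mss[1]) if mss else None)


def correlate(dmz_lines: List[str], ext_lines: List[str], clamp: int = 1440) -> List[Dict]:
    """Pair DMZ-side SYNs with external-side SYNs and check NAT and MSS clamp."""
    ext: Dict[Tuple[int, str, str], Syn] = {}
    for line in ext_lines:
        s = parse_syn(line)
        if s:
            ext[(s.seq, s.src_port, s.dst_port)] = s

    findings = []
    for line in dmz_lines:
        d = parse_syn(line)
        if not d:
            continue
        e = ext.get((d.seq, d.src_port, d.dst_port))
        if e is None:
            # Packet never reached the other interface: a routing/filter problem,
            # not an MSS problem.
            findings.append({"seq": d.seq, "seen_on_ext": False})
            continue
        # Outbound traffic has its source rewritten; inbound has its destination
        # rewritten. The post-translation copy is the one the clamp must show in.
        outbound = d.src_host != e.src_host
        post = e if outbound else d
        findings.append({
            "seq": d.seq,
            "seen_on_ext": True,
            "direction": "outbound" if outbound else "inbound",
            "dmz_src": d.src_host, "ext_src": e.src_host,
            "dmz_dst": d.dst_host, "ext_dst": e.dst_host,
            "address_rewritten": d.src_host != e.src_host or d.dst_host != e.dst_host,
            "dmz_mss": d.mss, "ext_mss": e.mss,
            "post_nat_mss": post.mss,
            "clamp_applied": post.mss is not None and post.mss <= clamp,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(DMZ_LINES, EXT_LINES, clamp=1440):
        print(f)
```

Run against the constructed lines, both SYNs are found on both interfaces with the address rewritten (so the map rule is translating), but `post_nat_mss` stays at 1460 and `clamp_applied` is false, which is exactly the symptom Darren points at: the translation works while the mssclamp has no visible effect. Feeding it the full `tcpdump` output of both interfaces (non-SYN lines are ignored) gives the same answer per connection without reading the captures by hand.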