"Michael D. Schleif" wrote:

> Let's recap:
> 
> OK:   wintel(A) -> PCAnywhere -> Internet -> LRP-CD(B) -> wintel(B)
> 
> NOT:  wintel(A) -> PCAnywhere -> LRP-CD(A) -> Internet -> LRP-CD(B) -> wintel(B)
> 
> So, it appears that there is something other than ports tcp 5631 and udp
> 5632 required -- on the connector's side -- to establish connection.
> 
> Since nobody, apparently, has direct experience, we remain open to other
> guesses and recommendations . . .

Always, always: get tcpdump and watch the traffic.  Let me ramble a bit
here:

1. PCA host -> Remote Firewall -> Remote (works)
     so: this remote firewall accepts connections to a port (5631 and
     5632?) on the Remote, and allows responses back.

2. PCA host -> Local Firewall -> Remote Firewall (fails)
     given: Remote Firewall is unchanged from #1
     so we can resolve: 1) Remote Firewall is not defective.

     now look at the Local firewall.  Are the ports open on it?  And
     does it allow responses?

I'd use tcpdump on both sides and see what is going on.  Also check DNS:
if you wait 3 minutes (60 seconds x 3!) and it works, then DNS is
probably failing.

For a tcpdump command, try this:

tcpdump -s 1024 port 5631 or port 5632 or port 53

...or perhaps...

tcpdump -s 1024 host pcahost.myhome.whatever.local

Try this both inside the firewall and outside, using the "-i <device>"
option.  I like to use two virtual terms (switching with Alt-F1 Alt-F2
etc) and use one on one side and the other on the other side: then you
can flip back and forth and see what is happening.

Don't forget to use the right host if you use the "host" form:
masquerading changes the host you want to track in the packet...

Another thing I like to do is rules like the following (going from
memory) - using you as an example:

ipchains -I input -p tcp -s 0/0 -d 0/0 5631 -l -b
ipchains -I output -p tcp -s 0/0 -d 0/0 5631 -l -b

(warning: I don't use -b much...)

Note the absence of a -j option: this is a "match" only and the packet
continues on down the chain without alteration or other effect.  Using
-I (input) puts the chain at the top.  I'm sure I missed syntax slightly
(is there a line number with -I?) but you get the idea I'm trying to get
across.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
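
The "tcpdump on both sides and compare" step from the message above, as an added example that is not part of the original post. It assumes each capture was saved as text with tcpdump's -n option (numeric ports); the function names port_summary and diagnose and the sample captures are constructed for illustration.

```shell
# Added example. Summarise `tcpdump -n` text output for the watched ports.
# port_summary FILE -> one line per port: "<port> <pkts to port> <pkts from port>"
port_summary() {
    awk -v ports="5631 5632 53" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    {
        # Find the ">" between source and destination (old output has no "IP").
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        sp = $(i-1); dp = $(i+1); sub(/:$/, "", dp)
        sub(/.*\./, "", sp); sub(/.*\./, "", dp)   # keep only the port
        if (dp in watch) to[dp]++
        else if (sp in watch) from[sp]++
    }
    END { for (i = 1; i <= n; i++) printf "%s %d %d\n", p[i], to[p[i]], from[p[i]] }
    ' "$1"
}

# diagnose INSIDE_FILE OUTSIDE_FILE: captures from the two sides of one firewall.
# Matching on port, not host, keeps this valid when masquerading rewrites addresses.
diagnose() {
    inside=$(port_summary "$1"); outside=$(port_summary "$2")
    echo "$inside" | while read -r port i_to i_from; do
        o=$(echo "$outside" | awk -v p="$port" '$1 == p { print $2, $3 }')
        o_to=${o% *}; o_from=${o#* }
        if   [ "$i_to" -eq 0 ];   then echo "$port: no traffic seen inside"
        elif [ "$o_to" -eq 0 ];   then echo "$port: request not forwarded"
        elif [ "$o_from" -eq 0 ]; then echo "$port: forwarded, no reply arrived"
        elif [ "$i_from" -eq 0 ]; then echo "$port: reply not passed back inside"
        else echo "$port: traffic flows both ways"
        fi
    done
}

# Constructed sample captures (documentation addresses, not from the thread).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inside.txt" <<'EOF'
12:00:01.000000 IP 192.168.1.10.1025 > 203.0.113.5.5631: Flags [S], seq 1, win 512, length 0
12:00:04.000000 IP 192.168.1.10.1025 > 203.0.113.5.5631: Flags [S], seq 1, win 512, length 0
12:00:01.500000 IP 192.168.1.10.1026 > 203.0.113.5.5632: UDP, length 20
12:00:01.600000 IP 203.0.113.5.5632 > 192.168.1.10.1026: UDP, length 20
EOF
cat > "$tmp/outside.txt" <<'EOF'
12:00:01.000100 IP 198.51.100.2.61000 > 203.0.113.5.5631: Flags [S], seq 1, win 512, length 0
12:00:01.050000 IP 203.0.113.5.5631 > 198.51.100.2.61000: Flags [S.], seq 9, ack 2, win 512, length 0
12:00:01.500100 IP 198.51.100.2.61001 > 203.0.113.5.5632: UDP, length 20
12:00:01.590000 IP 203.0.113.5.5632 > 198.51.100.2.61001: UDP, length 20
EOF
diagnose "$tmp/inside.txt" "$tmp/outside.txt"
```

In the constructed sample, the reply on tcp 5631 reaches the outside interface but never appears inside, which points at the firewall where the captures were taken rather than at the remote end.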
