"Michael D. Schleif" wrote:
> 
> OK, we know how to open ports tcp 5631 and udp 5632, and we can connect
> to PCAnywhere hosts behind LRP-CD -- from the Internet in general.
> 
> However, specifically, when site A is behind LRP-CD(A) and site B is
> behind LRP-CD(B) and we are inside site B, we *cannot* connect to
> PCAnywhere hosts inside site A.
> 
> What do you think?

OK, we have analyzed this with iptraf:


root@bluetrout:/var/log
# cat ip_traffic.log
Tue Jul 10 15:08:23 2001; ******** IP traffic monitor started
Tue Jul 10 15:08:25 2001; TCP; eth2; 60 bytes; from x.y.z.9:1827 to a.b.c.2:ssh; first packet
Tue Jul 10 15:08:25 2001; TCP; eth0; 60 bytes; from x.y.z.9:1827 to a.b.c.2:ssh; first packet
Tue Jul 10 15:08:25 2001; TCP; eth0; 1500 bytes; from a.b.c.2:ssh to x.y.z.9:1827; first packet
Tue Jul 10 15:08:25 2001; TCP; eth2; 1500 bytes; from a.b.c.2:ssh to x.y.z.9:1827; first packet
Tue Jul 10 15:08:30 2001; UDP; eth2; 30 bytes; from x.y.z.6:2660 to a.b.c.4:5632
Tue Jul 10 15:08:30 2001; UDP; eth0; 30 bytes; from x.y.z.2:61077 to a.b.c.4:5632
Tue Jul 10 15:08:31 2001; UDP; eth0; 33 bytes; from a.b.c.2:61590 to x.y.z.2:61077
Tue Jul 10 15:08:31 2001; ICMP; eth0; 61 bytes; from x.y.z.2 to a.b.c.2; dest unreach (port)


root@greentrout:/var/log
# cat ip_traffic.log
Tue Jul 10 15:08:28 2001; ******** IP traffic monitor started
Tue Jul 10 15:08:28 2001; TCP; eth0; 1500 bytes; from a.b.c.2:ssh to x.y.z.9:1827; first packet
Tue Jul 10 15:08:29 2001; TCP; eth0; 40 bytes; from x.y.z.9:1827 to a.b.c.2:ssh; first packet
Tue Jul 10 15:08:34 2001; UDP; eth0; 30 bytes; from x.y.z.2:61077 to a.b.c.4:5632
Tue Jul 10 15:08:34 2001; UDP; eth2; 30 bytes; from x.y.z.2:61077 to a.b.c.4:5632
Tue Jul 10 15:08:34 2001; UDP; eth2; 33 bytes; from a.b.c.4:5632 to x.y.z.2:61077
Tue Jul 10 15:08:34 2001; UDP; eth0; 33 bytes; from a.b.c.2:61590 to x.y.z.2:61077
Tue Jul 10 15:08:34 2001; ICMP; eth0; 61 bytes; from x.y.z.2 to a.b.c.2; dest unreach (port)
Tue Jul 10 15:08:34 2001; ICMP; eth2; 61 bytes; from x.y.z.2 to a.b.c.4; dest unreach (port)


Yes, greentrout is ~4 behind bluetrout ;<

Anyway, System A, behind bluetrout, initiated a PCAnywhere session on
System B, behind greentrout.

We have also experienced this phenomenon with remote systems behind other
firewalls.  However, one of my systems is behind an Edge firewall
(ThinLinux, based on LRP v2.9.3) and I *CAN* connect, as expected.

Interestingly enough, Symantec has a poorly documented fix:
<http://service1.symantec.com/SUPPORT/pca.nsf/fa9d717749cd872d852566340045d113/4b5a1b39862335828825682c0056ef5d?OpenDocument>

Why this works is beyond me, because we *ARE* allowing udp 5632.
However, when we activate this registry switch, then we can dis-allow
udp 5632 and still connect.

What we really want to know is, what is going on with ICMP?  What is it
about LEAF/LRP firewalls and ICMP that precipitates this?

Mind you, we are *NOT* suggesting that ICMP handling is wrong -- we
simply need to understand these issues . . .

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

"Dare to fix things before they break . . . "

"Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . . "

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
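The following is an added example, not part of the post above or of the iptraf or LRP projects. It parses iptraf log lines in the format quoted in the post (the two log texts are constructed from the post's own lines with the mailer's line wraps removed) and correlates the UDP 5632 request with its reply on each interface. What the logs themselves show, and what the checks surface, is that on both firewalls' external interface (eth0) the UDP reply to x.y.z.2:61077 arrives from a.b.c.2:61590 rather than from a.b.c.4:5632, the address the client sent to, that the inside client x.y.z.6:2660 on bluetrout's eth2 never receives any reply, and that the ICMP "dest unreach (port)" is x.y.z.2's response to that unexpected source. Reading that as the reply having been masqueraded like a fresh outbound flow instead of being matched back to the forwarded session is my interpretation, not something the post states. The function names and the record layout are mine.

```python
"""Correlate iptraf flows across two masquerading firewalls (added example)."""
import re

# Constructed from the post's iptraf output, with line wraps removed.
BLUETROUT_LOG = """\
Tue Jul 10 15:08:23 2001; ******** IP traffic monitor started
Tue Jul 10 15:08:25 2001; TCP; eth2; 60 bytes; from x.y.z.9:1827 to a.b.c.2:ssh; first packet
Tue Jul 10 15:08:25 2001; TCP; eth0; 60 bytes; from x.y.z.9:1827 to a.b.c.2:ssh; first packet
Tue Jul 10 15:08:25 2001; TCP; eth0; 1500 bytes; from a.b.c.2:ssh to x.y.z.9:1827; first packet
Tue Jul 10 15:08:25 2001; TCP; eth2; 1500 bytes; from a.b.c.2:ssh to x.y.z.9:1827; first packet
Tue Jul 10 15:08:30 2001; UDP; eth2; 30 bytes; from x.y.z.6:2660 to a.b.c.4:5632
Tue Jul 10 15:08:30 2001; UDP; eth0; 30 bytes; from x.y.z.2:61077 to a.b.c.4:5632
Tue Jul 10 15:08:31 2001; UDP; eth0; 33 bytes; from a.b.c.2:61590 to x.y.z.2:61077
Tue Jul 10 15:08:31 2001; ICMP; eth0; 61 bytes; from x.y.z.2 to a.b.c.2; dest unreach (port)
"""

GREENTROUT_LOG = """\
Tue Jul 10 15:08:28 2001; ******** IP traffic monitor started
Tue Jul 10 15:08:28 2001; TCP; eth0; 1500 bytes; from a.b.c.2:ssh to x.y.z.9:1827; first packet
Tue Jul 10 15:08:29 2001; TCP; eth0; 40 bytes; from x.y.z.9:1827 to a.b.c.2:ssh; first packet
Tue Jul 10 15:08:34 2001; UDP; eth0; 30 bytes; from x.y.z.2:61077 to a.b.c.4:5632
Tue Jul 10 15:08:34 2001; UDP; eth2; 30 bytes; from x.y.z.2:61077 to a.b.c.4:5632
Tue Jul 10 15:08:34 2001; UDP; eth2; 33 bytes; from a.b.c.4:5632 to x.y.z.2:61077
Tue Jul 10 15:08:34 2001; UDP; eth0; 33 bytes; from a.b.c.2:61590 to x.y.z.2:61077
Tue Jul 10 15:08:34 2001; ICMP; eth0; 61 bytes; from x.y.z.2 to a.b.c.2; dest unreach (port)
Tue Jul 10 15:08:34 2001; ICMP; eth2; 61 bytes; from x.y.z.2 to a.b.c.4; dest unreach (port)
"""

# One iptraf line: timestamp; proto; iface; size bytes; from A to B[; note]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}); "
    r"(?P<proto>TCP|UDP|ICMP); (?P<iface>\w+); (?P<size>\d+) bytes; "
    r"from (?P<src>\S+) to (?P<dst>[^;\s]+)(?:; (?P<note>.+))?$"
)


def _endpoint(text):
    """'a.b.c.4:5632' -> ('a.b.c.4', 5632); 'a.b.c.2:ssh' -> ('a.b.c.2', 'ssh');
    an ICMP address without a port -> (host, None)."""
    host, sep, port = text.partition(":")
    if not sep:
        return (host, None)
    return (host, int(port) if port.isdigit() else port)


def parse_iptraf(text):
    """Parse iptraf ip_traffic.log text into flow records; banner lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": d["ts"], "proto": d["proto"], "iface": d["iface"],
            "size": int(d["size"]), "src": _endpoint(d["src"]),
            "dst": _endpoint(d["dst"]), "note": d["note"] or "",
        })
    return records


def udp_requests(records, service_port):
    """Map (iface, client endpoint) -> server endpoint the client addressed."""
    reqs = {}
    for r in records:
        if r["proto"] == "UDP" and r["dst"][1] == service_port:
            reqs[(r["iface"], r["src"])] = r["dst"]
    return reqs


def find_reply_mismatches(records, service_port):
    """UDP packets back to a requesting client whose source differs from the
    address the client sent to: the client's socket cannot pair them up."""
    reqs = udp_requests(records, service_port)
    out = []
    for r in records:
        key = (r["iface"], r["dst"])
        if r["proto"] == "UDP" and key in reqs and r["src"] != reqs[key]:
            out.append({"iface": r["iface"], "client": r["dst"],
                        "sent_to": reqs[key], "reply_from": r["src"]})
    return out


def unanswered_requests(records, service_port):
    """Requests on an interface that saw no UDP packet at all back to the client."""
    reqs = udp_requests(records, service_port)
    answered = {(r["iface"], r["dst"]) for r in records if r["proto"] == "UDP"}
    return [k for k in reqs if k not in answered]


def icmp_port_unreachables(records):
    """(iface, sender, target) for every ICMP 'dest unreach (port)' record."""
    return [(r["iface"], r["src"][0], r["dst"][0]) for r in records
            if r["proto"] == "ICMP" and "dest unreach (port)" in r["note"]]


if __name__ == "__main__":
    for name, log in (("bluetrout", BLUETROUT_LOG), ("greentrout", GREENTROUT_LOG)):
        recs = parse_iptraf(log)
        print(name, "mismatched replies:", find_reply_mismatches(recs, 5632))
        print(name, "unanswered requests:", unanswered_requests(recs, 5632))
        print(name, "ICMP port unreachable:", icmp_port_unreachables(recs))
```

Run on the two logs, the mismatch check fires once per firewall, both times on eth0 with reply_from a.b.c.2:61590 against sent_to a.b.c.4:5632, while greentrout's eth2 shows the reply leaving the PCAnywhere host correctly sourced from a.b.c.4:5632. The same check applied to a working site (such as the Edge firewall the post mentions) would be expected to report nothing, which makes it a quick way to confirm whether a forwarded UDP service's replies keep the addressed source on the way out.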
