First, in your tcpdump,
>
> 1. onlpatch.quicken.com.http - This must be Intuit's update server
> 2. supermega.little.net.3516 - What is this server?
> Is this your 192.168.1.101 server?
* 3. pm1-17.ro.com.64583 - This must be your Linux box
The pm1-17.ro.com is my isp's livingston portmaster as Gary stated.
Supermega.little.net is 192.168.101.1 or my Windows NT machine running
quicken which is behind my ipmasq machine (eth0 192.168.1.1 and ppp0
dynamically assigned by my isp)
My ipmasq machine (eth0 192.168.1.1 and ppp0 dynamically assigned) doesn't
show up in this dump and that is really weird
Onlpatch.quicken.com.http is the quicken update server.
Now how does the quicken update server know about supermega.little.net if my
linux machine is running NAT (ipmasq). Let me take that back, we really
should be looking at the second dump file that I sent because it is the one
in which I killed my named before running. So I am thinking that my named
is the one resolving addresses on my local net.
So attached to this email is the second dump which has only IP addresses in
it, I have put a legend at the top of machines to ip addresses and something
looks funny.
The very first line looks ok to me it is my linux machine's ppp0 interface
asking for the ip address of the www.qfn.com server on behalf of my NT
Workstation (supermega.little.net or 192.168.101.1)
In the second line DNS (205.216.92.2) responds back directly to my NT
workstations invalid ip address (192.168.1.101) instead of my linux machines
ppp0 interface (208.134.96.33).
>From then on out I am confused.
Here is what I have in my /etc/rc.d/rc.local pertaining to Ipmasq and
timeouts. I did what section 10 said about a week ago before I posted to
the group.
#added by David Dionne#
ipfwadm -F -p deny
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
ipfwadm -M -s 7200 10 60
for x in /lib/modules/`uname -r`/ipv4/ip_masq_*; do
/sbin/modprobe `basename $x`
done
route add -host 255.255.255.255 eth0
#end addition by David Dionne#
Thanks again!
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Gary S. Mackay
Sent: Monday, March 08, 1999 9:10 PM
To: David A. Ranch
Cc: David Dionne; [EMAIL PROTECTED]
Subject: Re: [Masq] Quicken, Quickbooks updates or https
Just a guess, but I think the pm1-17 entry is the Lucent PortMaster he
dialed into. I show the same type of entries in my logs and I know my
ISP uses them.
"David A. Ranch" wrote:
>
> >The download then fails after about 90 sec.
>
> Are you setting any timeouts in your rc.firewall ruleset? If not,
> try doing that first. Its described in TrinityOS - Section 10.
>
> >Why in the second dump does the far end send packets to my windows
machine
> >(192.168.1.101), shouldn't that be behind the ipmasq?
>
> First, in your tcpdump,
>
> 1. onlpatch.quicken.com.http - This must be Intuit's update server
> 2. supermega.little.net.3516 - What is this server?
> Is this your 192.168.1.101 server?
> 3. pm1-17.ro.com.64583 - This must be your Linux box
>
> What is #2??? The reason being:
>
> --
> 23:27:48.751953 onlpatch.quicken.com.http > supermega.little.net.3516: .
> 141:1601(1460) ack 471 win 61320 (DF)
> 23:27:48.914063 pm1-17.ro.com.64583 > onlpatch.quicken.com.http: . ack
1601 win
> 8760 (DF)
> --
>
> Thats an odd traffic flow.
>
> --David
>
.---------------------------------------------------------------------------
-.
> | David A. Ranch - Linux/Networking/PC hardware
[EMAIL PROTECTED] |
>
----!
> `----- For more detailed info, see
http://www.ecst.csuchico.edu/~dranch -----'
>
> _______________________________________________
> Masq maillist - [EMAIL PROTECTED]
> http://tiffany.indyramp.com/mailman/listinfo/masq
> Admin requests can be handled by web (above) or
[EMAIL PROTECTED]
--
Edison Information Technologies
P.O. Box 554
Milan, OH 44846-0554
419.499.7040
[EMAIL PROTECTED]
--
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or
[EMAIL PROTECTED]
[demime 0.91c removed an attachment of type application/octet-stream which had a name
of quicken.tcpdump1]
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
