Re: Sometime NAT, sometimes NOT?

2007-06-13 Thread Geraerts Andy
Brian,

Despite the fact that I get tons of State Failures I see this strange message
:

Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535)
failed

Can this be the cause of my errors?

Andy.

-----Original Message-----
From: Brian A. Seklecki [mailto:[EMAIL PROTECTED]
Sent: Tuesday 12 June 2007 22:03
To: Geraerts Andy
CC: misc@openbsd.org
Subject: RE: Sometime NAT, sometimes NOT?


pfctl -x loud && tail -f /var/log/messages

~BAS

On Mon, 11 Jun 2007, Geraerts Andy wrote:


> > We have an OpenBSD firewall running for a while now. Since a few days we
> > encounter some sort of selective natting. I try to ping a host, I get reply,
> > and 2 minutes later I try to ping the same host and I don't get replies.
>
> So despite the state being created in both instances, you see a packet
> egress your external interface with the source address of the internal
> host instead of the external interface of the NAT box?
>
> We indeed see the state being created. The packet egresses on the external
> interface without NAT. So the IP packet contains the source IP address of my
> laptop and therefore further on the path gets blocked because it isn't natted.
> A few seconds/minutes later I try again and everything works again.
>
> Is there a way to see why it isn't doing the NAT?
>
> (There are around 80 interfaces (vlan + carp) on the box.)
>
> Regards,
>
> Andy.

No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.472 / Virus Database: 269.8.15/847 - Release Date: 12/06/2007
21:42


__

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager at :
[EMAIL PROTECTED] or call +32-(0)11-240234.
This footnote also confirms that this email message has been swept by Sophos
for the presence of computer viruses.
__



Re: Sometime NAT, sometimes NOT?

2007-06-13 Thread Geraerts Andy
> > Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535)
> > failed
>
> this almost sounds like you have something else which grabs these
> ports.  do you, intentionally?

Well I can't find anything that could block it. There is no ftp daemon or ftp
proxy or whatever running on the box. What does the pf do when it tries to
allocate a nat port and doesn't succeed, doesn't it do the nat at all or does
it try again? It could explain the behavior that we see that sometimes packets
aren't natted as they should be. So then can I enlarge the range?

Thanks,

Andy.






Re: Sometime NAT, sometimes NOT?

2007-06-13 Thread Geraerts Andy
> > Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535)
> > failed
>
> > Can this be the cause of my errors?
>
> Yes, you have run out of available ports to NAT from.
>
> The straightforward answer is to NAT from a larger pool of addresses
> i.e.  nat ... -> { 1.1.1.1, 2.2.2.2, 3.3.3.0/24 }
>
> The 50001:65535 range is set in /usr/src/sbin/pfctl/pfctl_parser.c
> (PF_NAT_PROXY_PORT_LOW and ..._HIGH) which might give some opportunity
> to shoot yourself in the foot (especially if you don't bother to make
> related changes to sysctl net.inet.ip.port* to keep some hiports free
> for connections from the box itself).

If I look at the state table, I see :

State Table                          Total             Rate
  current entries                     3744
  searches                      2144319853         2594.8/s
  inserts                          6610702            8.0/s
  removals                         6606958            8.0/s

Can I have more NAT port consumption than states? Is there a way to see which
nat consumes the most ports so I can add IP aliases to this specific nat?

Thanks,

Andy.




Re: Sometime NAT, sometimes NOT?

2007-06-11 Thread Geraerts Andy
> > We have an OpenBSD firewall running for a while now. Since a few days we
> > encounter some sort of selective natting. I try to ping a host, I get reply,
> > and 2 minutes later I try to ping the same host and I don't get replies.
>
> So despite the state being created in both instances, you see a packet
> egress your external interface with the source address of the internal
> host instead of the external interface of the NAT box?

We indeed see the state being created. The packet egresses on the external
interface without NAT. So the IP packet contains the source IP address of my
laptop and therefore further on the path gets blocked because it isn't natted.
A few seconds/minutes later I try again and everything works again.

Is there a way to see why it isn't doing the NAT?

(There are around 80 interfaces (vlan + carp) on the box.)

Regards,

Andy.






Sometime NAT, sometimes NOT?

2007-06-08 Thread Geraerts Andy
We have an OpenBSD firewall running for a while now. Since a few days we
encounter some sort of selective natting. I try to ping a host, I get reply,
and 2 minutes later I try to ping the same host and I don't get replies.
Running tcpdump taught us that the packet isn't always being natted. This can
also be seen in the output of the following commands:

ping 172.29.28.20

Pinging 172.29.28.20 with 32 bytes of data:

Request timed out.

On the OpenBSD box I see no natting:

[EMAIL PROTECTED]:~ pfctl -vvss | grep -A3 172.29.28.20 | more
self icmp 172.31.255.24:768 -> 172.29.28.20:768       0:0
   age 00:00:19, expires in 00:00:07, 4:0 pkts, 240:0 bytes, rule 208
   id: 46632391003339fb creatorid: 6e3eb503

A few minutes later:

ping 172.29.28.20

Pinging 172.29.28.20 with 32 bytes of data:

Reply from 172.29.28.20: bytes=32 time=2ms TTL=62

[EMAIL PROTECTED]:~ pfctl -vvss | grep -A3 172.29.28.20 | more
self icmp 172.31.255.24:768 -> 10.9.0.10:768 -> 172.29.28.20:768       0:0
   age 00:00:03, expires in 00:00:10, 4:4 pkts, 240:240 bytes, rule 208
   id: 4663239100333d60 creatorid: 6e3eb503

Now the OpenBSD box does the correct NAT!? The machine has been running for 2
years and after a power failure we see this problem.

pfctl -si

Status: Enabled for 4 days 15:46:59           Debug: Misc

Hostid: 0x6e3eb503

Interface Stats for em1               IPv4             IPv6
  Bytes In                               0                0
  Bytes Out                              0              352
  Packets In
    Passed                               0                0
    Blocked                              0                0
  Packets Out
    Passed                               0                2
    Blocked                              0                3

State Table                          Total             Rate
  current entries                     3599
  searches                       951532091         2364.5/s
  inserts                          3360105            8.3/s
  removals                         3356506            8.3/s
Counters
  bad-offset                             0            0.0/s
  fragment                              78            0.0/s
  short                                  0            0.0/s
  normalize                             33            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                         80443            0.2/s
  ip-option                             46            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                     24791            0.1/s
  state-insert                         231            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

Is this a known bug in 3.7? Since it's a company firewall it isn't easy to do
an upgrade of course :-)



Thanks,

Andy Geraerts
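Added here, not part of the thread or of pf itself: a small Python parser for `pfctl -vvss` output that separates translated from untranslated states (the difference between the two ICMP entries in this post) and counts distinct proxy ports per NAT address and protocol against the 50001-65535 pool, which is what the later question in the thread about which nat rule consumes the most ports asks for. The sample states are constructed; treating 10.9.0.10 as the NAT address and the added TCP entry are assumptions.

```python
import re
from collections import defaultdict

# pf's NAT proxy port range (PF_NAT_PROXY_PORT_LOW/HIGH, cited in the thread);
# each (translation address, protocol) pair draws source ports from this pool.
PROXY_PORT_LOW, PROXY_PORT_HIGH = 50001, 65535
PROXY_POOL_SIZE = PROXY_PORT_HIGH - PROXY_PORT_LOW + 1   # 15535 ports

# First line of a `pfctl -vvss` entry: a translated outbound state shows three
# endpoints (src -> nat -> dst), an untranslated one only src -> dst.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+"
    r"(?:(?P<nat>\S+?):(?P<nport>\d+)\s+->\s+)?"
    r"(?P<dst>\S+?):(?P<dport>\d+)"
)

# Constructed sample: the two ICMP states from the original post plus one
# hypothetical TCP state holding proxy port 50001 on the assumed NAT address.
SAMPLE = """\
self icmp 172.31.255.24:768 -> 172.29.28.20:768       0:0
   age 00:00:19, expires in 00:00:07, 4:0 pkts, 240:0 bytes, rule 208
self icmp 172.31.255.24:768 -> 10.9.0.10:768 -> 172.29.28.20:768       0:0
   age 00:00:03, expires in 00:00:10, 4:4 pkts, 240:240 bytes, rule 208
self tcp 172.31.255.30:51234 -> 10.9.0.10:50001 -> 172.29.28.20:80   ESTABLISHED:ESTABLISHED
   age 00:01:03, expires in 23:59:10, 40:44 pkts, 2400:54000 bytes, rule 210
"""

def parse_states(text):
    """One dict per state entry; indented continuation lines are skipped."""
    return [m.groupdict() for m in map(STATE_RE.match, text.splitlines()) if m]

def proxy_port_usage(states):
    """Distinct proxy ports in use per (nat address, proto), and the count of
    states that left the box untranslated (the symptom reported in the thread).
    Only tcp/udp states are counted against the pool."""
    ports, untranslated = defaultdict(set), 0
    for s in states:
        if s["nat"] is None:
            untranslated += 1
        elif s["proto"] in ("tcp", "udp"):
            ports[(s["nat"], s["proto"])].add(int(s["nport"]))
    return {k: len(v) for k, v in ports.items()}, untranslated

def near_exhaustion(usage, threshold=0.9):
    """(nat address, proto) pairs using at least `threshold` of the pool; these
    are the translations that need more addresses in their nat rule."""
    return sorted(k for k, n in usage.items() if n >= threshold * PROXY_POOL_SIZE)
```

On a live box, feed `pfctl -vvss` output into `parse_states` and sort `proxy_port_usage` by count to find the translation closest to the pool limit.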





