Re: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

2004-05-10 Thread adp
I am using telnet just to see if the port accepts connections. That test
works fine internally. We are not running a telnet server. Also, we are
telnetting to the pcAnywhere port, not the telnet port. :)

----- Original Message -----
From: JJB [EMAIL PROTECTED]
To: adp [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Friday, May 07, 2004 7:47 AM
Subject: RE: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for
pcAnywhere


> For your telnet test to pcanywhere ports on target Lan pc to work
> you have to tell telnet on the target to listen on those ports.
>
> I believe pcanywhere is one of those applications that embed the IP
> address of the remote and host into the packet data, which is used by the
> application to establish bi-directional packet exchange. This means
> that pcanywhere will not work using a NATed IP address. This is a
> common design flaw in many 3rd party software providers'
> applications, mostly seen in games and ms/windows netmeeting.
> Pcanywhere only works over the public internet between two ms/windows
> boxes that use public routable IP addresses. It will also work between
> two PCs on the Lan because NATing only occurs as a packet leaves the Lan
> headed for the public internet.
>
> If you have a range of static public IP addresses assigned to you by
> your ISP then you could assign one of those IP addresses to the LAN pc
> you want pcanywhere to work on and you should be good to go.
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of adp
> Sent: Friday, May 07, 2004 12:37 AM
> To: [EMAIL PROTECTED]
> Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for
> pcAnywhere
>
> This shouldn't be that hard, but I can't get it working.
>
> I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
> bridging enabled between the Internet and DMZ interfaces.
>
> I now have an internal computer (LAN) that needs to be accessible via
> pcAnywhere.
>
> I can telnet to the pcAnywhere ports on the internal computer fine from the
> firewall or the LAN. So that works. However, when I configured ipnat to
> forward my pcAnywhere ports a telnet from the Internet just stalls.
>
> My ipnat configuration:
>
> # cat /etc/ipnat.conf
>
> (xl0 = internet, xl1 = lan, xl2 = dmz)
>
> # pcAnywhere
> # normal nat for office disabled - this is all i have in ipnat.conf
> rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
> rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632
>
> And I am allowing in access via ipf:
>
> pass in quick proto tcp from any to public-ip port = 5631 group 200
> pass in quick proto udp from any to public-ip port = 5631 group 200
> pass in quick proto tcp from any to public-ip port = 5632 group 200
> pass in quick proto udp from any to public-ip port = 5632 group 200
>
> (If I take these out I see the ipmon block messages, but with these they go
> away, so it's not ipf I don't think.)
>
> Am I missing something here? This should work!
>
> A tcpdump. I am remote (remote-client):
>
> %telnet public-ip 5631
> Trying public-ip...
>
> (just sits there)
>
> On the FreeBSD box:
>
> # tcpdump -n -i xl0 port 5631
> tcpdump: listening on xl0
> 23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
> 23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
> 23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
> 23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> 23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
> ^C
> 48 packets received by filter
> 0 packets dropped by kernel
>
> Oh, and again, I do have bridging enabled between Internet and DMZ:
>
> My bridge script:
>
> #!/bin/sh
>
> echo -n "Enabling bridging: "
> if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
>     echo activated.
> else
>     echo failed.
> fi
>
> echo -n "Enabling bridging between xl0 and xl2 interfaces: "
> if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
>     echo activated.
> else
>     echo failed.
> fi
>
>
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> [EMAIL PROTECTED]




Re: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

2004-05-10 Thread Peter Risdon
adp wrote:

> I am using telnet just to see if the port accepts connections. That test
> works fine internally. We are not running a telnet server. Also, we are
> telnetting to the pcAnywhere port, not the telnet port. :)


I've only historical experience with PCAnywhere, nowadays sticking with 
VNC for this sort of thing, but your post made me google out of 
interest. One thread alerted me to this interesting entry in 
/usr/local/share/nmap/nmap-services - I believe it might only be 
relevant to version 10.5 (and above?)

pcanywhere 65301/tcp

Several sources mention port 22 as well. Then again, some don't. This 
seems a moderately well informed example of one that does:

http://old.gallantry.com/support/technotes/tn01052403_pcaw/

And at the foot of that page are links to several of Symantec's own 
technical help documents for this exact issue.

This might be useful:

http://www.eicon.com/support/helpweb/dlanen/sol7.htm

There's some troubleshooting info there. It does seem to matter which 
version(s) of PCAnywhere you're using.

<quote>

Versions of pcAnywhere prior to 7.5 use non-registered TCP/IP ports. All 
later versions, including v7.5 use the following registered TCP/IP ports:

   TCP  5631
   UDP  5632

You will run into problems when you are using a version of pcAnywhere 
with non-registered TCP/IP ports on one side of the connection and a 
version with registered ports on the other side of the connection.

Symantec provide a fix for this problem on their FTP server. Please see 
the Symantec Knowledge Base for further information 
http://www.symantec.com/

</quote>

After that, FAQs from various companies show the reasonableness of your 
approach. For non-FreeBSD-specific configuration details that might give 
a clue, see:

http://www.netopia.com/en-us/equipment/tech/c_faq.html#ph_no_5

and

http://help.broadviewnet.net/support/nat-pcanywhere.htm

I found two threads discussing a very similar problem with a Cisco 
router as a gateway, and along with the surprising information that one 
poster claims to have solved a similar issue by upgrading the drivers of 
the graphics card in the PCAnywhere host, one resolution is here:

http://isp-lists.isp-planet.com/isp-routing/0205/msg00051.html

and another here:

http://www.tek-tips.com/gviewthread.cfm/pid/34/qid/832487

HTH

PWR.


RE: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

2004-05-07 Thread JJB
For your telnet test to pcanywhere ports on target Lan pc to work
you have to tell telnet on the target to listen on those ports.

I believe pcanywhere is one of those applications that embed the IP
address of the remote and host into the packet data, which is used by the
application to establish bi-directional packet exchange. This means
that pcanywhere will not work using a NATed IP address. This is a
common design flaw in many 3rd party software providers'
applications, mostly seen in games and ms/windows netmeeting.
Pcanywhere only works over the public internet between two ms/windows
boxes that use public routable IP addresses. It will also work between
two PCs on the Lan because NATing only occurs as a packet leaves the Lan
headed for the public internet.

If you have a range of static public IP addresses assigned to you by
your ISP then you could assign one of those IP addresses to the LAN pc
you want pcanywhere to work on and you should be good to go.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of adp
Sent: Friday, May 07, 2004 12:37 AM
To: [EMAIL PROTECTED]
Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for
pcAnywhere

This shouldn't be that hard, but I can't get it working.

I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
bridging enabled between the Internet and DMZ interfaces.

I now have an internal computer (LAN) that needs to be accessible via
pcAnywhere.

I can telnet to the pcAnywhere ports on the internal computer fine from the
firewall or the LAN. So that works. However, when I configured ipnat to
forward my pcAnywhere ports a telnet from the Internet just stalls.

My ipnat configuration:

# cat /etc/ipnat.conf

(xl0 = internet, xl1 = lan, xl2 = dmz)

# pcAnywhere
# normal nat for office disabled - this is all i have in ipnat.conf
rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632

And I am allowing in access via ipf:

pass in quick proto tcp from any to public-ip port = 5631 group 200
pass in quick proto udp from any to public-ip port = 5631 group 200
pass in quick proto tcp from any to public-ip port = 5632 group 200
pass in quick proto udp from any to public-ip port = 5632 group 200

(If I take these out I see the ipmon block messages, but with these they go
away, so it's not ipf I don't think.)

Am I missing something here? This should work!

A tcpdump. I am remote (remote-client):

%telnet public-ip 5631
Trying public-ip...

(just sits there)

On the FreeBSD box:

# tcpdump -n -i xl0 port 5631
tcpdump: listening on xl0
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:54.429267 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:57.596288 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:03.809921 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:27:16.050057 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
^C
48 packets received by filter
0 packets dropped by kernel

Oh, and again, I do have bridging enabled between Internet and DMZ:

My bridge script:

#!/bin/sh

echo -n "Enabling bridging: "
if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
    echo activated.
else
    echo failed.
fi

echo -n "Enabling bridging between xl0 and xl2 interfaces: "
if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
    echo activated.
else
    echo failed.
fi

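The tcpdump in adp's original message (quoted above) is the whole diagnostic picture: the client's SYN reaches xl0, is retransmitted on TCP's back-off schedule with the same initial sequence number, and nothing ever comes back, so the firewall sees the traffic and the fault is in the redirect or return path rather than upstream. The following is an added example, not code from the thread, that automates that reading of a tcpdump 3.x-style trace: it groups SYNs by client/server pair, drops any pair that received a SYN/ACK, and reports the rest. The trace it runs on is constructed (the four stalled lines mirror the posted capture; the `other-host.4000` handshake is invented for contrast) and the host names `remote-client`, `public-ip` and `other-host` are placeholders, as in the post.

```python
import re
from collections import defaultdict

# Constructed sample trace in the tcpdump 3.x text format seen in the thread.
# Flow 1 (remote-client -> public-ip.5631) is the stalled pcAnywhere attempt;
# flow 2 (other-host -> public-ip.22) is a healthy handshake added for contrast.
SAMPLE_TRACE = """\
tcpdump: listening on xl0
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
23:26:51.230241 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
23:26:52.000000 other-host.4000 > public-ip.22: S 1000:1000(0) win 65535 <mss 1460> (DF)
23:26:52.010000 public-ip.22 > other-host.4000: S 2000:2000(0) ack 1001 win 65535 <mss 1460> (DF)
23:26:52.020000 other-host.4000 > public-ip.22: . ack 1 win 65535 (DF)
^C
48 packets received by filter
0 packets dropped by kernel
"""

# One tcpdump 3.x TCP line: timestamp, "src > dst:", flag letters, then the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+) ?(?P<rest>.*)$"
)
SEQ_RE = re.compile(r"^(\d+):\d+\(\d+\)")   # "2174885259:2174885259(0)"
ACK_RE = re.compile(r"\back \d+")


def _seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight (same-day traces)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(trace):
    """Yield one dict per TCP packet line; banner and counter lines are skipped."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        seq = SEQ_RE.match(rest)
        yield {
            "t": _seconds(m.group("ts")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "syn": "S" in m.group("flags"),
            "ack": bool(ACK_RE.search(rest)),
            "isn": int(seq.group(1)) if seq else None,
        }


def stalled_handshakes(trace, min_syns=3):
    """Return client>server pairs that sent >= min_syns SYNs and never saw a SYN/ACK.

    'retransmits' is True when every SYN carried the same initial sequence
    number, i.e. one connection attempt backing off, not several attempts.
    """
    syns = defaultdict(list)      # (client, server) -> SYN timestamps
    isns = defaultdict(set)       # (client, server) -> distinct ISNs seen
    answered = set()              # (client, server) pairs that got a SYN/ACK
    for p in parse_trace(trace):
        if p["syn"] and not p["ack"]:
            key = (p["src"], p["dst"])
            syns[key].append(p["t"])
            isns[key].add(p["isn"])
        elif p["syn"] and p["ack"]:
            answered.add((p["dst"], p["src"]))   # reverse direction = the client
    report = {}
    for key, times in syns.items():
        if key in answered or len(times) < min_syns:
            continue
        report[f"{key[0]} > {key[1]}"] = {
            "syn_count": len(times),
            "seconds": round(times[-1] - times[0], 3),
            "retransmits": len(isns[key]) == 1,
        }
    return report


if __name__ == "__main__":
    for flow, info in stalled_handshakes(SAMPLE_TRACE).items():
        print(f"{flow}: {info['syn_count']} unanswered SYNs over {info['seconds']}s"
              f" ({'one attempt retransmitting' if info['retransmits'] else 'several attempts'})")
```

A flow reported here was seen arriving on the capture interface, so for a redirected port the next things to check are on the firewall side: the rdr target address and port, whether the filter rules match the address the packet has after translation, and whether the inside host routes its replies back through the firewall.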


Re: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

2004-05-07 Thread Toni Schmidbauer
On Thu, May 06, 2004 at 11:37:09PM -0500, adp wrote:
> And I am allowing in access via ipf:
>
> pass in quick proto tcp from any to public-ip port = 5631 group 200
> pass in quick proto udp from any to public-ip port = 5631 group 200
> pass in quick proto tcp from any to public-ip port = 5632 group 200
> pass in quick proto udp from any to public-ip port = 5632 group 200

Normally NAT happens before the filtering rules are applied, so I
would try the following:

pass in quick proto tcp from any to 192.168.99.9 port = 5631 group 200
.
.
.

hth,
toni
-- 
Whoever has once got so far that he no longer          | toni at stderror dot at
errs has also stopped working.                         | Toni Schmidbauer
-- Max Planck                                          |


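Toni's point is that an inbound rdr is applied before the ipf rules are evaluated, so a `pass in` rule must name the translated (inside) destination, not the public address the packet arrived with. The following added example, not from the thread or from IPFilter itself, turns that into a configuration check: it parses ipnat `rdr` lines and ipf `pass in` lines and reports every redirect whose post-translation destination no pass rule admits, flagging the common case where a rule matches only the pre-translation public address. It runs against the rules adp posted and against a corrected set written the way Toni suggests. Assumptions: a `rdr` with no protocol is treated as tcp (ipnat's default for rdr, to my understanding), the regexes cover only the rule shapes used in the thread, and `public-ip` stands in for the real address exactly as in the post.

```python
import re

# The ipnat.conf adp posted (with the "->" that the archive had stripped).
IPNAT_CONF = """\
# pcAnywhere
rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632
"""

# The ipf rules adp posted: they match the public address, which is what the
# packet carried *before* rdr rewrote it.
IPF_RULES_AS_POSTED = """\
pass in quick proto tcp from any to public-ip port = 5631 group 200
pass in quick proto udp from any to public-ip port = 5631 group 200
pass in quick proto tcp from any to public-ip port = 5632 group 200
pass in quick proto udp from any to public-ip port = 5632 group 200
"""

# Constructed corrected set following Toni's suggestion: match the translated
# destination (his post shows the 5631 line; 5632 is completed the same way).
IPF_RULES_TRANSLATED = """\
pass in quick proto tcp from any to 192.168.99.9 port = 5631 group 200
pass in quick proto tcp from any to 192.168.99.9 port = 5632 group 200
"""

RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<ext>[^/\s]+)(?:/\d+)?\s+port\s+(?P<eport>\d+)"
    r"\s*->\s*(?P<int>\S+)\s+port\s+(?P<iport>\d+)(?:\s+(?P<proto>tcp/udp|tcp|udp))?\s*$"
)
PASS_RE = re.compile(
    r"^pass\s+in\b.*?\bproto\s+(?P<proto>\S+)\s+from\s+\S+\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?"
)


def parse_rdr(conf):
    """Parse 'rdr IF EXT[/MASK] port N -> INT port M [proto]' lines; comments ignored."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RDR_RE.match(line) if line else None
        if not m:
            continue
        proto = m.group("proto") or "tcp"          # assumption: rdr defaults to tcp
        rules.append({
            "text": line,
            "ext": m.group("ext"), "eport": int(m.group("eport")),
            "int": m.group("int"), "iport": int(m.group("iport")),
            "protos": ["tcp", "udp"] if proto == "tcp/udp" else [proto],
        })
    return rules


def parse_pass(rules_text):
    """Parse 'pass in ... proto P from X to DST [port = N] ...' lines."""
    rules = []
    for raw in rules_text.splitlines():
        m = PASS_RE.match(raw.strip())
        if m:
            rules.append({
                "proto": m.group("proto"),
                "dst": m.group("dst"),
                "port": int(m.group("port")) if m.group("port") else None,
            })
    return rules


def _allows(rule, proto, dst, port):
    """Does this pass rule admit a packet with the given proto/destination/port?"""
    return (rule["proto"] in (proto, "tcp/udp")
            and rule["dst"] in (dst, "any")
            and rule["port"] in (port, None))


def uncovered_redirects(ipnat_conf, ipf_rules):
    """List rdr rules whose translated destination no inbound pass rule admits.

    Because ipf filters an inbound packet after rdr has rewritten it, the
    check is made against the inside address/port, not the public one.
    """
    passes = parse_pass(ipf_rules)
    findings = []
    for r in parse_rdr(ipnat_conf):
        for proto in r["protos"]:
            if any(_allows(p, proto, r["int"], r["iport"]) for p in passes):
                continue
            findings.append({
                "rdr": r["text"],
                "proto": proto,
                # A rule that only matches the pre-translation address is the
                # classic mistake; report it so the reader knows what to change.
                "external_only": any(_allows(p, proto, r["ext"], r["eport"]) for p in passes),
                "needed": f"pass in quick proto {proto} from any to {r['int']} port = {r['iport']}",
            })
    return findings


if __name__ == "__main__":
    for f in uncovered_redirects(IPNAT_CONF, IPF_RULES_AS_POSTED):
        why = "only the public address is passed" if f["external_only"] else "nothing passes it"
        print(f"{f['rdr']}\n  -> {why}; add: {f['needed']}")
    print("corrected set:", uncovered_redirects(IPNAT_CONF, IPF_RULES_TRANSLATED) or "clean")
```

Because the check treats a proto-less `rdr` as tcp only, the UDP 5632 that the Symantec excerpt earlier in the thread lists would need its own `rdr ... udp` line before a udp pass rule for 192.168.99.9 becomes relevant; the checker would report that redirect separately once it is added.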