Re: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

From: adp (dap99_at_i-55.com)
Date: 05/10/04

    To: <Barbish3@adelphia.net>, <questions@freebsd.org>
    Date: Mon, 10 May 2004 10:34:46 -0500
    
    

    I am using telnet just to see if the port accepts connections. That test
    works fine internally. We are not running a telnet server. Also, we are
    telnetting to the pcAnywhere port, not the telnet port. :)

    ----- Original Message -----
    From: "JJB" <Barbish3@adelphia.net>
    To: "adp" <dap99@i-55.com>; <questions@freebsd.org>
    Sent: Friday, May 07, 2004 7:47 AM
    Subject: RE: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere

    > For your telnet test to pcanywhere ports on target Lan pc to work
    > you have to tell telnet on the target to listen on those ports.
    >
    > I believe pcanywhere is one of those applications that embed the IP
    > address of the remote and host into the packet data, which is used by the
    > application to establish a bi-directional packet exchange. This means
    > that pcanywhere will not work using a NATed IP address. This is a
    > common design flaw in many 3rd-party software providers'
    > applications, mostly seen in games and MS/Windows NetMeeting.
    > Pcanywhere only works over the public Internet between two MS/Windows
    > boxes that use public routable IP addresses. It will also work between
    > two PCs on the LAN because NATing only occurs as a packet leaves the LAN
    > headed for the public Internet.
    >
    > If you have a range of static public IP addresses assigned to you by
    > your ISP then you could assign one of those IP addresses to the LAN PC
    > you want pcanywhere to work on and you should be good to go.
    >
    >
    > -----Original Message-----
    > From: owner-freebsd-questions@freebsd.org
    > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of adp
    > Sent: Friday, May 07, 2004 12:37 AM
    > To: questions@freebsd.org
    > Subject: Problem with FreeBSD 4.8, ipf, ipfnat and forwarding for pcAnywhere
    >
    > This shouldn't be that hard, but I can't get it working.
    >
    > I have a FreeBSD firewall with three NICs (Internet, LAN, DMZ). I have
    > bridging enabled between the Internet and DMZ interfaces.
    >
    > I now have an internal computer (LAN) that needs to be accessible via
    > pcAnywhere.
    >
    > I can telnet to the pcAnywhere ports on the internal computer fine from the
    > firewall or the LAN. So that works. However, when I configured ipnat to
    > forward my pcAnywhere ports a telnet from the Internet just stalls.
    >
    > My ipnat configuration:
    >
    > # cat /etc/ipnat.conf
    >
    > (xl0 = internet, xl1 = lan, xl2 = dmz)
    >
    > ####################
    > # pcAnywhere
    > # normal nat for office disabled - this is all i have in ipnat.conf
    > rdr xl0 public-ip/32 port 5631 -> 192.168.99.9 port 5631
    > rdr xl0 public-ip/32 port 5632 -> 192.168.99.9 port 5632
    >
    > And I am allowing in accessing via ipf:
    >
    > pass in quick proto tcp from any to public-ip port = 5631 group 200
    > pass in quick proto udp from any to public-ip port = 5631 group 200
    > pass in quick proto tcp from any to public-ip port = 5632 group 200
    > pass in quick proto udp from any to public-ip port = 5632 group 200
    >
    > (If I take these out I see the ipmon block messages, but with these they go
    > away, so it's not ipf I don't think.)
    >
    > Am I missing something here? This should work!
    >
    > A tcpdump. I am remote (remote-client):
    >
    > %telnet public-ip 5631
    > Trying public-ip...
    >
    > (just sits there)
    >
    > On the FreeBSD box:
    >
    > # tcpdump -n -i xl0 port 5631
    > tcpdump: listening on xl0
    > 23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
    > 23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
    > 23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
    > 23:26:51.230241 remote-client.3755 > public-ip.5631: S
    > 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
    > 23:26:54.429267 remote-client.3755 > public-ip.5631: S
    > 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
    > 23:26:57.596288 remote-client.3755 > public-ip.5631: S
    > 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
    > 23:27:03.809921 remote-client.3755 > public-ip.5631: S
    > 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
    > 23:27:16.050057 remote-client.3755 > public-ip.5631: S
    > 2174885259:2174885259(0) win 57344 <mss 1460> (DF) [tos 0x10]
    > ^C
    > 48 packets received by filter
    > 0 packets dropped by kernel
    >
    > Oh, and again, I do have bridging enabled between Internet and DMZ:
    >
    > My bridge script:
    >
    > #!/bin/sh
    >
    > echo -n "Enabling bridging: "
    > if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
    >     echo "activated."
    > else
    >     echo "failed."
    > fi
    >
    > echo -n "Enabling bridging between xl0 and xl2 interfaces: "
    > if sysctl -w net.link.ether.bridge_cfg=xl0,xl2 > /dev/null 2>&1; then
    >     echo "activated."
    > else
    >     echo "failed."
    > fi
    >
    >
    > _______________________________________________
    > freebsd-questions@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    > To unsubscribe, send any mail to
    > "freebsd-questions-unsubscribe@freebsd.org"

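The capture in the thread shows the client's SYN retransmitted with the same sequence number and nothing coming back on xl0, which is what separates "the filter dropped it" (ipmon would log a block) from "the rdr rule or the return path never produced a SYN-ACK". As an added example that is not from the thread, this Python script parses tcpdump 3.x style lines of the format shown (host names or dotted IPs) and reports flows whose SYNs were never answered; the `lan-host` flow and its SYN-ACK line are constructed for contrast.

```python
import re

# tcpdump 3.x packet line as printed in the thread (assumed format):
#   HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(len) [ack N] win ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
    r"(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?")

def parse(lines):
    """Packet lines -> dicts with a float 't' in seconds; banner lines are skipped."""
    pkts = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in lines)):
        d = m.groupdict()
        h, mi, s = d["ts"].split(":")
        d["t"] = int(h) * 3600 + int(mi) * 60 + float(s)
        pkts.append(d)
    return pkts

def stalled_handshakes(lines):
    """(client, cport, server, sport) -> summary of SYNs that got no reply.
    A retransmit is the same client ISN sent again (tcpdump prints seq:seq(0))."""
    syns = {}          # flow -> [(time, isn), ...]
    answered = set()   # flows that saw any server -> client packet
    for p in parse(lines):
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S" and p["ack"] is None:
            syns.setdefault(flow, []).append((p["t"], p["seq"]))
        else:  # a SYN-ACK, RST or data the other way answers the reverse flow
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    report = {}
    for flow, tries in syns.items():
        if flow not in answered:
            report[flow] = {
                "syns": len(tries),
                "retransmits": len(tries) - len({isn for _, isn in tries}),
                "span_s": round(tries[-1][0] - tries[0][0], 3)}
    return report
# Constructed sample: three SYNs from the thread's capture plus a made-up
# healthy handshake on the LAN side (lan-host, the SYN-ACK line) for contrast.
SAMPLE = """\
23:26:41.772801 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416198 0> (DF) [tos 0x10]
23:26:44.772018 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416498 0> (DF) [tos 0x10]
23:26:48.013346 remote-client.3755 > public-ip.5631: S 2174885259:2174885259(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,timestamp 99416818 0> (DF) [tos 0x10]
23:30:00.000000 lan-host.4000 > 192.168.99.9.5631: S 1000:1000(0) win 57344 <mss 1460> (DF)
23:30:00.000500 192.168.99.9.5631 > lan-host.4000: S 5000:5000(0) ack 1001 win 57344 <mss 1460> (DF)
""".splitlines()

for flow, r in stalled_handshakes(SAMPLE).items():
    print(flow, r)  # no SYN-ACK on xl0: the filter passed the SYNs, nothing replied
```

Feed it `tcpdump -n -i xl0 port 5631` output as in the thread; a flow that stays listed after several retransmits means the SYN reached the box and was not blocked, so the next place to look is the NAT translation and the reply path from the LAN host, not the pass rules.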
