Samples.. and "proofs"



Hello,

Me again, I still have a problem. Here is a sample:

$ sudo pfctl -s nat
nat on ne0 inet from localnetwork/24 to any -> (ne0)
rdr on ne0 inet proto tcp from any to (ne0) port 2000:2020 -> mymachine port 2000:2020
rdr on ne0 inet proto tcp from any to (ne0) port = 1720 -> mymachine port 1720
rdr on ne0 inet proto tcp from any to (ne0) port 30000:30010 -> mymachine port 30000:30010
rdr on ne0 inet proto udp from any to (ne0) port 5000:5003 -> mymachine port 5000:5003
rdr on rl0 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021



$ sudo pfctl -s rules
pass in on ne0 inet proto tcp from any to (ne0) port = 1720 keep state
pass in on ne0 inet proto udp from any to (ne0) port 4999 >< 5004 keep state
pass in on ne0 inet proto tcp from any to (ne0) port 29999 >< 30011 keep state


Snippet from the tcpdump file on the external interface on OpenBSD:

17:20:01.115128 remote.49606 > gateway.5002:  udp 489 [tos 0x60]
17:20:01.150493 gateway.1234 > remote.49606:  udp 284 (DF) [tos 0x10]
17:20:01.155267 remote.49606 > gateway.5002:  udp 321 [tos 0x60]
17:20:01.194859 remote.49606 > gateway.5002:  udp 357 [tos 0x60]
17:20:01.200317 gateway.1234 > remote.49606:  udp 1017 (DF) [tos 0x10]
17:20:01.370580 gateway.1234 > remote.49606:  udp 997 (DF) [tos 0x10]
17:20:01.431342 remote.49606 > gateway.5002:  udp 493 [tos 0x60]
17:20:01.467534 remote.49606 > gateway.5002:  udp 280 [tos 0x60]
17:20:01.530761 gateway.1234 > remote.49606:  udp 1029 (DF) [tos 0x10]
17:20:01.644514 remote.49606 > gateway.5002:  udp 411 [tos 0x60]
17:20:01.704229 remote.49606 > gateway.5002:  udp 426 [tos 0x60]
17:20:01.720587 gateway.1234 > remote.49606:  udp 279 (DF) [tos 0x10]
17:20:01.762774 remote.49606 > gateway.5002:  udp 500 [tos 0x60]
17:20:01.770372 gateway.1234 > remote.49606:  udp 1030 (DF) [tos 0x10]
17:20:01.939777 remote.49606 > gateway.5002:  udp 427 [tos 0x60]
17:20:01.940283 gateway.1234 > remote.49606:  udp 987 (DF) [tos 0x10]
17:20:01.995271 remote.49606 > gateway.5002:  udp 480 [tos 0x60]

Snippet from the file on the internal interface on OpenBSD:

17:20:01.200141 local.5002 > remote.49606:  udp 1017 (DF) [tos 0x10]
17:20:01.370363 local.5002 > remote.49606:  udp 997 (DF) [tos 0x10]
17:20:01.530540 local.5002 > remote.49606:  udp 1029 (DF) [tos 0x10]
17:20:01.720397 local.5002 > remote.49606:  udp 279 (DF) [tos 0x10]
17:20:01.770195 local.5002 > remote.49606:  udp 1030 (DF) [tos 0x10]
17:20:01.940063 local.5002 > remote.49606:  udp 987 (DF) [tos 0x10]
17:20:02.100378 local.5002 > remote.49606:  udp 1032 (DF) [tos 0x10]
17:20:02.270023 local.5002 > remote.49606:  udp 286 (DF) [tos 0x10]
17:20:02.320526 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.347419 local.5002 > remote.49606:  udp 292 (DF) [tos 0x10]
17:20:02.420099 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.477382 local.5002 > remote.49606:  udp 169 (DF) [tos 0x10]
17:20:02.548380 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.623911 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.678261 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.749056 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.817317 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.879111 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:02.926525 remote.49607 > local.5003:  udp 88
17:20:02.947969 local.5002 > remote.49606:  udp 421 (DF) [tos 0x10]
17:20:03.017024 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.087318 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.153555 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.218062 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.288225 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.347915 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.417726 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]
17:20:03.486894 local.5002 > remote.49606:  udp 30 (DF) [tos 0x10]

Finally, the snippet on my machine:

17:21:04.124622 local.5002 > remote.49606: udp 1017 (DF) [tos 0x10]
17:21:04.294827 local.5002 > remote.49606: udp 997 (DF) [tos 0x10]
17:21:04.454975 local.5002 > remote.49606: udp 1029 (DF) [tos 0x10]
17:21:04.645009 local.5002 > remote.49606: udp 279 (DF) [tos 0x10]
17:21:04.694606 local.5002 > remote.49606: udp 1030 (DF) [tos 0x10]
17:21:04.864449 local.5002 > remote.49606: udp 987 (DF) [tos 0x10]
17:21:05.024754 local.5002 > remote.49606: udp 1032 (DF) [tos 0x10]
17:21:05.194570 local.5002 > remote.49606: udp 286 (DF) [tos 0x10]
17:21:05.245149 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.271979 local.5002 > remote.49606: udp 292 (DF) [tos 0x10]
17:21:05.344706 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.401960 local.5002 > remote.49606: udp 169 (DF) [tos 0x10]
17:21:05.472990 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.548509 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.602861 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.673645 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.741897 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.803686 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:05.851246 remote.49607 > local.5003: udp 88
17:21:05.872426 local.5002 > remote.49606: udp 421 (DF) [tos 0x10]
17:21:05.941573 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:06.011866 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:06.078083 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]
17:21:06.142597 local.5002 > remote.49606: udp 30 (DF) [tos 0x10]

Remote: host of my friend.
Local: my machine in local network.

As you can see, we have the same port for send/receive...

You can get the tcpdump files:
http://www.toodark.org/external
http://www.toodark.org/internal
http://www.toodark.org/machine

I have tried this rule without success:
pass in on ne0 inet proto udp from !192.168.1.2 to (ne0) port 4999 >< 5004 keep state


Thank you very much for your help.
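
Added example, not part of the original post: a small Python correlator that pairs outbound packets from the internal-interface capture with packets in the external-interface capture by destination, UDP length and timing, to show which source port pf's nat rule puts on the wire. It assumes both captures share a clock (both were taken on the OpenBSD box); the function and parameter names are hypothetical, and the sample lines are copied from the captures above.

```python
import re
from collections import Counter

# Lines copied from the external- and internal-interface captures in the post.
EXTERNAL = """\
17:20:01.150493 gateway.1234 > remote.49606:  udp 284 (DF) [tos 0x10]
17:20:01.155267 remote.49606 > gateway.5002:  udp 321 [tos 0x60]
17:20:01.200317 gateway.1234 > remote.49606:  udp 1017 (DF) [tos 0x10]
17:20:01.370580 gateway.1234 > remote.49606:  udp 997 (DF) [tos 0x10]
17:20:01.530761 gateway.1234 > remote.49606:  udp 1029 (DF) [tos 0x10]
"""
INTERNAL = """\
17:20:01.200141 local.5002 > remote.49606:  udp 1017 (DF) [tos 0x10]
17:20:01.370363 local.5002 > remote.49606:  udp 997 (DF) [tos 0x10]
17:20:01.530540 local.5002 > remote.49606:  udp 1029 (DF) [tos 0x10]
"""

LINE = re.compile(r"(\d+):(\d+):(\d+\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+):\s+udp (\d+)")

def parse(text):
    """Return (seconds, src_host, src_port, dst_host, dst_port, length) per line."""
    out = []
    for m in map(LINE.match, text.splitlines()):
        if m:
            h, mi, s, sh, sp, dh, dp, ln = m.groups()
            secs = int(h) * 3600 + int(mi) * 60 + float(s)
            out.append((secs, sh, int(sp), dh, int(dp), int(ln)))
    return out

def nat_port_map(internal, external, inside="local", outside="gateway", window=0.005):
    """Pair each outbound internal packet with the external packet that has the
    same destination and UDP length and leaves within `window` seconds, then
    count (inside source port, outside source port) pairs."""
    pairs, used = Counter(), set()
    ext = [p for p in parse(external) if p[1] == outside]
    for t, sh, sp, dh, dp, ln in parse(internal):
        if sh != inside:
            continue
        for i, (et, _, esp, edh, edp, eln) in enumerate(ext):
            if i not in used and (edh, edp, eln) == (dh, dp, ln) and 0 <= et - t <= window:
                pairs[(sp, esp)] += 1
                used.add(i)
                break
    return dict(pairs)

if __name__ == "__main__":
    print(nat_port_map(INTERNAL, EXTERNAL))
```

The capture taken on the local machine has timestamps about a minute apart from the gateway's, so it would need a clock offset applied before being correlated the same way.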
