
Re: AIM connection issues

Fixed.
The issue was that I had additional addresses aliased onto the external
interface and did not have an address explicitly defined for NAT between the LAN
and the internet:
nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)
It would seem that pf doesn't always pick the primary interface address in cases
like these. Changing it to
nat pass on $EXTIF from $INTIF:network to any -> xxx.xxx.xxx.xxx
has resolved the issue. Thanks for your help!
-- 
Florian Mosleh
Network & Admin. Support Manager
Capitol College
301.369.2800 ext.2040
800.950.1992 ext.2040
Quoting florian mosleh <[email protected]>:
> I am interested in Brian Kerr's suggestion, but I guess I'll have to wait until
> Monday. Thank you.
> 
> In response to M Raju, here's my pf.conf. 
> 
> njoy.
> 
> 
> 
> -----------begin pf.conf
> 
> 
> ## here are my macros
> EXTIF="xl2"
> DMZIF="xl1"
> INTIF="xl0"
> 
> #DMZ
> DORMS="10.0.0.11"
> DORMSEXT="x.x.x.12"
> DAVINCI="10.0.0.13"
> DAVINCIEXT="x.x.x.13"
> COOLIDGE="192.168.28.65"
> COOLIDGEEXT="x.x.x.14"
> 
> 
> HTTP_PORTS="{ 80, 443 }"
> MAIL_PORTS="{ 25, 143, 220, 109, 110, 993, 995 }"
> 
> 
> ##these are runtime options for pf to make it fit our needs better
> set block-policy return
> set loginterface $EXTIF
> 
> 
> ## scrub adds an extra layer of packet defragmentation to the good 'ol native tcp one
> scrub in all
> scrub out all
> 
> 
> ##queuing. let's give qos a shot
> altq on xl2 cbq bandwidth 100% queue { main, dorms, misc }
> queue main bandwidth 50% cbq(borrow) { pri_q, def_q }
>         queue pri_q bandwidth 10% priority 7
>         queue def_q bandwidth 90% priority 1 cbq(borrow)
> queue dorms bandwidth 35% { dorms_http_q, dorms_pri_q, dorms_mail_q }
>         queue dorms_http_q bandwidth 70% priority 4 cbq(borrow)
>         queue dorms_pri_q bandwidth 10% priority 6
>         queue dorms_mail_q bandwidth 20% priority 5
> queue misc bandwidth 15% priority 2 cbq(default)
> 
> ##nat and redirection (i love this part)
> nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)
> 
> binat on $EXTIF from $DORMS to any -> $DORMSEXT
> 
> binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
> rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
> 
> binat on $EXTIF from $COOLIDGE to any -> $COOLIDGEEXT
> binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port 8888
> rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
> rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port 8888
> rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
> 
> rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> 
> rdr pass on $EXTIF proto tcp from any to ($EXTIF) port 5555 -> 192.168.28.80
> 
> 
> ##filter rules
> antispoof for xl2
> 
> 
> block log all
> 
> 
> 
> pass on lo0 all
> 
> 
> pass in inet proto icmp all icmp-type echoreq keep state
> 
> 
> pass in on $INTIF from $INTIF:network to any keep state queue def_q
> pass out on $INTIF from any to $INTIF:network keep state
> 
> pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_q
> pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q
> 
> 
> pass in on $DMZIF from $DORMS to any keep state
> # dorms_ssh_q is not defined in the altq section above; dorms_pri_q is the queue the ssh rules below use
> pass out on $DMZIF from any to $DORMS keep state queue dorms_pri_q
> pass in on $DMZIF proto tcp from $DORMS to any port $HTTP_PORTS keep state
> pass out on $DMZIF proto tcp from any to $DORMS port $HTTP_PORTS keep state queue dorms_http_q
> pass in on $DMZIF proto tcp from $DORMS to any port $MAIL_PORTS keep state
> pass out on $DMZIF proto tcp from any to $DORMS port $MAIL_PORTS keep state queue dorms_mail_q
> pass in on $DMZIF proto tcp from $DORMS to any port 22 keep state
> pass out on $DMZIF proto tcp from any to $DORMS port 22 keep state queue dorms_pri_q
> pass in on $EXTIF inet proto tcp from any to $DORMSEXT keep state queue dorms
> pass in on $EXTIF inet proto tcp from port 22 to ($DORMSEXT) keep state
> 
> pass in on $DMZIF from $DAVINCI to any keep state
> pass out on $DMZIF from any to $DAVINCI keep state queue misc
> pass in on $EXTIF inet proto tcp from port 22 to ($DAVINCIEXT) keep state
> 
> pass in on $EXTIF proto tcp from any to $COOLIDGE port 8888 keep state
> pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
> pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
> #pass in on $INTIF proto tcp from any to $COOLIDGE port 8888 keep state
> #pass in on $INTIF proto tcp from any to $COOLIDGE port 3306 keep state
> pass out on $INTIF from $COOLIDGE to any keep state
> 
> pass out on $EXTIF proto tcp all modulate state flags S/SA
> pass out on $EXTIF proto { udp, icmp } all keep state
> 
> 
> pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state
> pass out on $EXTIF inet proto { udp, icmp } all keep state queue misc
> 
> -------end pf.conf
> 
> 
> 
> Quoting M Raju <[email protected]>:
> 
> > No pf.conf == No Answer.  Sanitize and post your pf.conf. 
> > 
> > _Raju
> > 
> > 
> > On Fri, 25 Mar 2005 13:03:38 -0500, florian mosleh
> > <[email protected]> wrote:
> > > Hello,
> > > 
> > > I have a new firewall in development for the college I work at. I have tried
> > > extensively googling this issue in various ways and have not managed to find
> > > anything that seems pertinent.
> > > 
> > > Essentially, the problem I'm having is that a client that connects to the
> > > internet through the new firewall (pf on OpenBSD 3.6) has problems establishing
> > > a connection to AIM (login.oscar.aol.com). I have performed several Ethereal
> > > packet sniffing sessions and can confirm that there is a successful connection
> > > established between the server and the client and then it just drops. Usually
> > > after about an hour or two of stubborn retrying and waiting it eventually
> > > works.
> > > 
> > > Are there any possible pf configuration snafus that could be at fault?
> > > 
> > > The only other factor that I see as possibly contributing to the problem (I'm
> > > not sure how) is that the internet connection is a set of 4 bonded T1s, but I've
> > > been given the impression that this shouldn't make a difference.
> > > 
> > > Thanks.
> > > 
> > > 
> > > ----------------------------------------------------------------
> > > This message was sent using IMP, the Internet Messaging Program.
> > > 
> > 
> > 
> > -- 
> > May the packets be with you.
> > 
> 
> 
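An added example, not part of any message in this thread: the translation rule the thread ends on, next to the rule it replaced and two other ways of getting a stable public source address. The interface macros follow the posted pf.conf; every address is made up (TEST-NET-3), and the aliases are assumed for the illustration, not taken from the thread. The point is that pf reads ($EXTIF) as the whole list of addresses configured on xl2, aliases included, and with more than one address it does not hold new connections to the primary one. A login sequence that authenticates on one connection and then expects the follow-up connection from the same address breaks when the second connection leaves with a different one. If the binat public addresses are among those aliases, LAN clients can also show up on the internet as the DMZ hosts' public addresses, which confuses anything on the far end that correlates by source address and muddies the remote logs.

```pf
# Added example for this thread, not the poster's pf.conf.
# Interface names follow the thread; all addresses are made up.
ext_if = "xl2"
int_if = "xl0"
ext_primary = "203.0.113.1"      # assumed primary address of xl2
# 203.0.113.12 and 203.0.113.13 are assumed aliases on xl2, e.g.
#   ifconfig xl2 alias 203.0.113.12 netmask 255.255.255.255
# such as the public side of a binat mapping.

# Problem: the parenthesised interface stands for ALL of its addresses,
# aliases included, so LAN traffic is not pinned to the primary address
# and a client's connections can leave with any of the three.
# nat pass on $ext_if from $int_if:network to any -> ($ext_if)

# Fix used in the thread: one explicit translation address.
nat pass on $ext_if from $int_if:network to any -> $ext_primary

# Alternative that keeps the dynamic interface lookup: the ":0" modifier
# excludes aliases, leaving only the primary address. Confirm the
# modifier is accepted by pf.conf(5) on the release you run.
# nat pass on $ext_if from $int_if:network to any -> ($ext_if:0)

# Alternative when spreading over several public addresses is wanted:
# keep the pool, but remember the mapping per internal client while it
# has states, so one client stays on one public address.
# nat pass on $ext_if from $int_if:network to any -> ($ext_if) round-robin sticky-address
```

`pfctl -nvf /etc/pf.conf` parses the file without loading it and prints the rules as pf sees them; after loading, `pfctl -s nat` shows the translation rules and `pfctl -s state` shows the actual source address each LAN connection was given, which is the quickest way to confirm whether connections are leaving with different addresses.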