Hi,
I have a Win 95 machine inside a private LAN (ppp) that I set up with IP
masquerading.
To start, I had only one very simple rule:
ipfwadm -F -a m -S 192.168.10.0/24 -D 0.0.0.0/0
Everything works fine: www, ftp, etc. Then I installed net2phone
(http://www.net2phone.com), and I'm trying to make it work.
While setting up, net2phone runs a "Test for firewall", and fails in
this test. I then set up 2 specific rules for net2phone:
ipfwadm -F -a m -b -P udp -S 192.168.10.51 10000 -D 0.0.0.0/0 10000
ipfwadm -F -a m -b -P tcp -S 192.168.10.51 10000 -D 0.0.0.0/0 10000
ipfwadm -F -a m -b -P icmp -S 192.168.10.51 10000
and I configured net2phone to use the 10000 port number (it can be
configured to anything you want, according to their website). The
test still fails.
I ran tcpdump on both eth0 (private LAN) and ppp0 (internet) while
doing the test, and I think the problem comes from this line on my
ppp0, though I don't know exactly what to do:
12:45:31.461066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:31.461066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
Any help is appreciated. Please note that I did a "global replace"
of my firewall IP address with w.x.y.z in the dumps, and replaced
my internal machine with internal.mydomain.com. Forgive my paranoia...
:^>
What follows is the traffic generated in the test, as seen by tcpdump on both
interfaces:
********
(eth0)
12:34:40.441066 0:0:86:16:ff:3 null > 0:20:18:38:18:54 sap 45 I (s=0,r=20,C) len=42 8404 0000 1f11 100f ce84 d6d5 a984 b8d3 ef90 1a91 0014 1e01 5e68 656c 6c6f 5f71 2031 200a 0000 0000 0000
12:34:40.441066 0:0:86:16:ff:3 null > 0:20:18:38:18:54 sap 45 I (s=0,r=20,C) len=42 8504 0000 1f11 86dd ce84 d6d5 a984 4105 ef91 1a91 0014 95cd 5e68 656c 6c6f 5f71 2032 200a 0000 0000 0000
12:34:40.751066 169.132.184.211.6801 > internal.mydomain.com.10000: udp 12 (DF)
12:34:40.751066 0:0:86:16:ff:3 null > 0:20:18:38:18:54 sap 45 I (s=0,r=91,P) len=178 8604 0000 1f11 0d81 ce84 d6d5 a984 b8d3 ef90 1a91 00a2 861a 5e67 6574 6261 6c5f 6571 2030 2030 2e30 2e30 2e30 2031 3030 3030
12:34:40.761066 ap2.labs.idt.net.6801 > internal.mydomain.com.10000: udp 12 (DF)
12:34:43.201066 0:0:86:16:5:6d > Broadcast sap e0 ui/C len=43 ffff 0022 0011 0000 0000 ffff ffff ffff 0452 0000 0000 0000 8616 056d 4008 0001 0004 0000 0000 0000 0000 00
*********
(ppp0)
12:45:12.201066 w.x.y.z.61330 > 169.132.184.211.6801: udp 12
12:45:12.201066 w.x.y.z.61331 > ap2.labs.idt.net.6801: udp 12
12:45:12.571066 169.132.184.211.6801 > internal.mydomain.com.10000: udp 12 (DF)
12:45:12.571066 w.x.y.z.61330 > 169.132.184.211.6801: udp 154
12:45:12.581066 ap2.labs.idt.net.6801 > internal.mydomain.com.10000: udp 12 (DF)
12:45:13.021066 169.132.184.211.62000 > w.x.y.z.10000: S 1448725872:1448725872(0) win 8760 <mss 1460> (DF)
12:45:13.021066 w.x.y.z.10000 > 169.132.184.211.62000: R 0:0(0) ack 1448725873 win 0
12:45:13.341066 169.132.184.211.62003 > w.x.y.z.10000: S 1449001890:1449001890(0) win 8760 <mss 1460> (DF)
12:45:13.341066 w.x.y.z.10000 > 169.132.184.211.62003: R 0:0(0) ack 1449001891 win 0
12:45:13.351066 169.132.184.211.62003 > w.x.y.z.10000: R 1449001891:1449001891(0) win 8760 (DF)
12:45:16.391066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:16.391066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
12:45:21.371066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:21.371066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
12:45:26.351066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:26.351066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
12:45:31.461066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:31.461066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
--
Luiz Otavio L. Zorzella Computer Engineer
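An added diagnostic example, not part of the original post and not net2phone or ipfwadm code: it reads tcpdump lines in the ppp0 format shown above and tells inbound UDP datagrams that answer a flow the firewall itself sent out (masquerading can map those back to the LAN host) from unsolicited ones such as the datagram to port 6613, which no masquerade entry covers, so the kernel answers with ICMP port unreachable. The firewall placeholder w.x.y.z is kept from the post; the sample capture is constructed.

```python
import re

FIREWALL = "w.x.y.z"  # placeholder the post uses for the masquerading host

# Constructed sample in the ppp0 format of the post (not the post's own dump).
SAMPLE_PPP0 = """\
12:45:12.201066 w.x.y.z.61330 > 169.132.184.211.6801: udp 12
12:45:12.571066 169.132.184.211.6801 > w.x.y.z.61330: udp 12 (DF)
12:45:13.021066 169.132.184.211.62000 > w.x.y.z.10000: S 1448725872:1448725872(0) win 8760 <mss 1460> (DF)
12:45:16.391066 169.132.184.211.46869 > w.x.y.z.6613: udp 55 (DF)
12:45:16.391066 w.x.y.z > 169.132.184.211: icmp: w.x.y.z udp port 6613 unreachable [tos 0xc0]
"""

# "<ts> <src>.<sport> > <dst>.<dport>: udp <len>" and the ICMP unreachable form
UDP_RE = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): udp \d+")
ICMP_RE = re.compile(r"^\S+ (\S+) > (\S+): icmp: \S+ udp port (\d+) unreachable")


def classify_udp(dump):
    """Walk a tcpdump capture of the external interface in order and label
    each inbound UDP datagram to the firewall:
      'reply'            - matches a UDP flow the firewall sent out earlier
      'unsolicited'      - no outbound flow to map it to (masquerading cannot
                           forward it; the kernel will reject it)
      'port-unreachable' - the ICMP rejection the kernel sent for such a datagram
    Returns a list of (kind, remote_ip, remote_port, firewall_port) tuples."""
    outbound = set()  # (firewall port, remote ip, remote port) seen leaving
    findings = []
    for line in dump.splitlines():
        m = UDP_RE.match(line)
        if m:
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if src == FIREWALL:
                outbound.add((sport, dst, dport))
            elif dst == FIREWALL:
                kind = "reply" if (dport, src, sport) in outbound else "unsolicited"
                findings.append((kind, src, sport, dport))
            continue
        m = ICMP_RE.match(line)
        if m and m.group(1) == FIREWALL:
            findings.append(("port-unreachable", m.group(2), None, int(m.group(3))))
    return findings


if __name__ == "__main__":
    for kind, remote, rport, fwport in classify_udp(SAMPLE_PPP0):
        print(f"{kind:16} {remote}:{rport} -> {FIREWALL}:{fwport}")
```

Run it over a real `tcpdump -n -i ppp0` capture: every 'unsolicited' entry followed by a 'port-unreachable' for the same port is a datagram the remote side chose to send to a port the firewall never opened, which a plain masquerade rule cannot deliver to the LAN host.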