ipf/ipfilter NAT oddity

Post by Dave Savill » Sun, 25 Jun 2006 23:57:24



I run my laptop via WIFI through a Solaris box running ipfilter and ipf NAT.

ipf.conf:

pass in all
pass out all

(There is an upstream firewall :-) )

ipnat.conf

map hme0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp
map hme0 192.168.0.0/16 -> 0/32 portmap tcp/udp 40000:65000
map hme0 192.168.0.0/16 -> 0/32

Now, running Firefox 1.5.0.4 on the laptop, some pages work fine and other pages
say "Loading" for ever.

ipmon shows


81.187.184.100,45355 [195.190.132.10,80]
81.187.184.100,45336 [81.187.184.98,33476] Pkts 1/1 Bytes 56/38
81.187.184.100,45337 [81.187.184.98,33477] Pkts 1/1 Bytes 56/38
81.187.184.100,45338 [81.187.184.98,33478] Pkts 1/1 Bytes 56/38
81.187.184.100,45339 [81.187.184.98,33479] Pkts 1/1 Bytes 56/38
81.187.184.100,45340 [81.187.184.98,33480] Pkts 1/1 Bytes 56/38
81.187.184.100,45341 [81.187.184.98,33481] Pkts 1/1 Bytes 56/38
81.187.184.100,45342 [81.187.184.98,33482] Pkts 1/1 Bytes 56/38
81.187.184.100,45343 [81.187.184.98,33483] Pkts 1/1 Bytes 56/38
81.187.184.100,45344 [81.187.184.98,33484] Pkts 1/1 Bytes 56/38
81.187.184.100,45347 [195.190.132.10,80] Pkts 16/16 Bytes 18782/2149
81.187.184.100,45355 [195.190.132.10,80] Pkts 0/1 Bytes 0/40

But nothing seems to happen.

I have had a google but have not found anything useful.

TIA

--

Regards

Dave Saville

NB Remove -nospam for good email address
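Added example, not code from the thread: a small parser for NAT session lines in the shape of the ipmon listing above. It flags sessions whose two packet counters show traffic in only one direction (the `Pkts 0/1 Bytes 0/40` entry, a header-only segment with no reply data) and summarises per peer, which separates "the site is busy" from "some connections through NAT stall". The order of the a/b counters is taken as printed and not interpreted; the sample lines are constructed from the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of the post's ipmon/ipnat listing.
SAMPLE = """\
81.187.184.100,45355 [195.190.132.10,80]
81.187.184.100,45336 [81.187.184.98,33476] Pkts 1/1 Bytes 56/38
81.187.184.100,45347 [195.190.132.10,80] Pkts 16/16 Bytes 18782/2149
81.187.184.100,45355 [195.190.132.10,80] Pkts 0/1 Bytes 0/40
"""

# <src>,<sport> [<dst>,<dport>] optionally followed by "Pkts a/b Bytes c/d".
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+),(?P<sport>\d+)\s+\[(?P<dst>[\d.]+),(?P<dport>\d+)\]"
    r"(?:\s+Pkts\s+(?P<pa>\d+)/(?P<pb>\d+)\s+Bytes\s+(?P<ba>\d+)/(?P<bb>\d+))?\s*$"
)

@dataclass
class Session:
    src: str
    sport: int
    dst: str
    dport: int
    pkts: tuple = None    # (a, b) as printed; None when no counters shown
    bytes_: tuple = None

    @property
    def one_sided(self) -> bool:
        """True when packets were counted in exactly one direction."""
        if self.pkts is None:
            return False
        a, b = self.pkts
        return (a == 0) != (b == 0)

def parse_sessions(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a session line
        pk = by = None
        if m["pa"] is not None:
            pk = (int(m["pa"]), int(m["pb"]))
            by = (int(m["ba"]), int(m["bb"]))
        out.append(Session(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), pk, by))
    return out

def stalled(sessions: list) -> list:
    return [s for s in sessions if s.one_sided]

def peer_summary(sessions: list) -> dict:
    """Map (dst, dport) -> (healthy, one_sided). A peer with both kinds
    means the stall is per-connection, not a dead or busy site."""
    summ = defaultdict(lambda: [0, 0])
    for s in sessions:
        if s.pkts is not None:
            summ[(s.dst, s.dport)][1 if s.one_sided else 0] += 1
    return {k: tuple(v) for k, v in summ.items()}
```

Running `peer_summary(parse_sessions(SAMPLE))` on the sample reports both a healthy and a one-sided session to 195.190.132.10:80.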


ipf/ipfilter NAT oddity

Post by Dan Cav » Tue, 27 Jun 2006 20:09:34


Dave

Er... what ftp sites are timing out? It might actually be because
the sites are busy?

Do you use an upstream web proxy which is being controlled by
wccp/other fw for ftp data transfers?

d.

> I run my laptop via WIFI through a Solaris box running ipfilter and ipf NAT.

> ipf.conf:

> pass in all
> pass out all

> (There is an upstream firewall :-) )

> ipnat.conf

> map hme0 192.168.0.0/16 -> 0/32 proxy port 21 ftp/tcp
> map hme0 192.168.0.0/16 -> 0/32 portmap tcp/udp 40000:65000
> map hme0 192.168.0.0/16 -> 0/32

> Now running Firefox 1.5.0.4 on the laptop some pages work fine and other pages
> say "Loading" for ever.

> ipmon shows


> 81.187.184.100,45355 [195.190.132.10,80]
> 81.187.184.100,45336 [81.187.184.98,33476] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45337 [81.187.184.98,33477] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45338 [81.187.184.98,33478] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45339 [81.187.184.98,33479] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45340 [81.187.184.98,33480] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45341 [81.187.184.98,33481] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45342 [81.187.184.98,33482] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45343 [81.187.184.98,33483] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45344 [81.187.184.98,33484] Pkts 1/1 Bytes 56/38
> 81.187.184.100,45347 [195.190.132.10,80] Pkts 16/16 Bytes 18782/2149
> 81.187.184.100,45355 [195.190.132.10,80] Pkts 0/1 Bytes 0/40

> But nothing seems to happen.

> I have had a google but have not found anything useful.

> TIA

> --

> Regards

> Dave Saville

> NB Remove -nospam for good email address


ipf/ipfilter NAT oddity

Post by Dave Savill » Tue, 27 Jun 2006 20:51:24



>Dave

>Er... what ftp sites are timing out? It might actually be because
>the sites are busy?

Well, the National Lottery results for one:

http://www.national-lottery.co.uk/player/p/results/results.do

But it is not timing out - Any copy of Firefox on my network that is *not*
going through NAT works fine - Including from the box providing the NAT
service.

>Do you use an upstream web proxy which is being controlled by
>wccp/other fw for ftp data transfers?

No. I have done a bit more poking around. The WIFI thing has nothing to do with
it - I tried a wired connection to the same subnet and it hangs the same. I
also ran iptrace on the laptop. Now I am no expert at looking at the output of
this, but what seems to happen is the GET goes out, the response comes in with
some cookie settings, that gets an ACK and then nowt. At first I thought it
might be something to do with the cookies, but it can't be as the same setup
works if it does *not* go through NAT.

What do I need to trace the IP traffic on the Solaris box? It looks as if the
ACK might not be making it to the remote site.

--

Regards

Dave Saville

NB Remove -nospam for good email address


ipf/ipfilter NAT oddity

Post by Casper H.S. Di » Tue, 27 Jun 2006 21:28:23



>But it is not timing out - Any copy of Firefox on my network that is *not*
>going through NAT works fine - Including from the box providing the NAT
>service.

How was NAT configured to handle FTP?  Note that FTP has a few quirks
in the protocol which may require you to implement ftp proxying on the
NAT.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


ipf/ipfilter NAT oddity

Post by Dave Savill » Wed, 28 Jun 2006 01:32:48




>>But it is not timing out - Any copy of Firefox on my network that is *not*
>>going through NAT works fine - Including from the box providing the NAT
>>service.

>How was NAT configured to handle FTP?  Note that FTP has a few quirks
>in the protocol which may require you to implement ftp proxying on the

I don't know how this got sidetracked by FTP - We are talking HTTP here.

--

Regards

Dave Saville

NB Remove -nospam for good email address


ipfilter WARNING: ddi_installdrv: no major number for ipf WARNING: mod_installdrv: Cannot install ipf

This has been discussed before, over multiple threads, about different
Solaris platforms.  However, I believe I may have a new variation of the
problem.  The OS is Solaris7 SPARC, pure 32-bit.

Some of the tell-tale signs are

WARNING: ddi_installdrv: no major number for ipf
WARNING: mod_installdrv: Cannot install ipf
can't load module: Out of memory or no room in system tables
open device: No such device or address
open device: No such device or address
ioctl(SIOCIPFFL): Bad file number
constructing minimal name resolution rules...
open device: No such device or address
1:ioctl(add/insert rule): Bad file number
open device: No such device or address
1:ioctl(add/insert rule): Bad file number
open device: No such device or address
ioctl(SIOCIPFFL): Bad file number
open device: No such device or address
open device: No such device or address
ioctl(SIOCSWAPA): Bad file number
open device: No such device or address
SIOCFRSYN: Bad file number
/dev/ipf: open: No such device or address

Some of the solutions included:

- checking that the /etc/devlinks.tab file is populated with correct
entries - and it is
- running a reconfiguration boot, which I did with `touch /reconfigure; exec
init 6`, and it ran
- verifying that the /dev/ipf* and /devices/pseudo/ipf* files are there -
and they are
- checking that there is an entry in /etc/name_to_major for ipf, and there
is, corresponding to the major number of files in /devices/pseudo/ipf*
- running `rem_drv ipf; add_drv ipf` which is what I also did, and in this
case ipfilter attaches to the interfaces and I can run `/etc/init.d/ipfboot
start` and it starts up.

However, when I reboot, I get the same messages as above, and the ipf module
hasn't been loaded in, because `modinfo | grep ipf` returns nothing.

This has been happening with 3.4.28, 3.4.29, 3.4.33pre2.  Based on this, I
suspect other revisions of the software will exhibit the same behaviour.

I'm not using le0, only qe0 and qe1 (at the moment).

What exactly *IS* the problem in this case, and why won't ipf start
automatically upon reboot?
