
Re: Filter problem


Mysterious

Dec 22, 2009, 8:19:51 AM
On 12/22/2009 01:56 PM, KroKo wrote:
>
> We have a specific server that needs to contact a server on the
> internet to verify information. It is done through port 443. So I made an
> exception.
>
> Src. IFace: (Private)
> Dst. IFace: (Public)
>
> Packet type: www-https-st
> Src. Port: All
> ACK Bit Filtering: Disabled
> Protocol: TCP
> Dst. Port: 443
> Stateful Filtering: Enabled
>
> Src Addr Type: Host
> Src IP Address: <the_IP_of the windows server>
> Dest Addr Type: Host
> Dest IP Address: <the_IP_of the server on the internet>
>
> In FILT.CFG this looks like this;
> EXCLUDE ENABLED NOLOG, INTRFACE:Q57_1_PRI IP:10.x.x.x, IP:pid=TCP
> port=443 srcport=<All> ackfilt=0 stfilt=1, INTRFACE:Q57_2_PUB
> IP:217.x.x.x,
>
> A same filter is used for a unix host that needs to contact the same
> service for the same purpose, only the src IP Address is different.
>
> A packet scan shows me that the request reaches the BM-server, Src
> 10.x.x.x:1250 Dst 217.x.x.x:443. This is on the private side; the public
> side does not show any packet with the 10.x.x.x nor 217.x.x.x
> addresses.


Does it work if you unload ipflt31?

> Is there something with my exception or is this something with BM? We
> have had more of this sort of packet problems lately, where there were no
> problems before we updated from BM3.8SP5 to BM3.8SP2
>

ipflt31.nlm, the filter engine, has remained unchanged since 2005, so
nothing has changed between 3.8 and 3.9.

Mysterious

Dec 22, 2009, 8:48:15 AM
On 12/22/2009 02:46 PM, KroKo wrote:
>
> That is the weird part: if I unload ipflt it still does not work.
>
> If I use another route, through an ADSL modem, it works great.
>
> Erik
>
>

Then you do not have a filter issue.

1. Verify that the server is configured as "router" and not as "end node"
2. Verify that NAT is enabled on the public interface

Mysterious

Dec 22, 2009, 9:18:21 AM
On 12/22/2009 03:16 PM, KroKo wrote:
>

> 2. Yes, it is configured with NAT (static only, could that be the
> problem?)
>
>

Yes, if the static mapping with the internal IP is not the one from this
server. And I hope you've got the static mapping using a secondary
public IP.

Mysterious

Dec 22, 2009, 9:30:44 AM
On 12/22/2009 03:26 PM, KroKo wrote:
>
> OK, mysterious,
>
> That was the problem. We added the server to the static NAT table.
>
> Now we have the problem that we have just a few public addresses and
> many internal addresses we have to configure. I am not able to see
> through what happens if we configure both dynamic and static NAT.


Why do you need so many static assignments? If you just want to provide
access for internal machines to the outside, just use dynamic NAT.

> Can we add dynamic without security issues?
>

Yes.

http://www.novell.com/documentation/nbm39/

4.2 NAT Configuration Options and Limitations

This section describes the following configuration options:

* Section 4.2.1, Selecting a NAT Mode of Operation
* Section 4.2.2, Dynamic Only
* Section 4.2.3, Static Only
* Section 4.2.4, Static and Dynamic
* Section 4.2.5, Implementing NAT Modes of Operation
* Section 4.2.6, Considerations for Static Network Address Translation Tables
* Section 4.2.7, Assigning Unregistered Addresses to Hosts Using NAT
* Section 4.2.8, Using Multihoming
* Section 4.2.9, NAT Limitations

4.2.1 Selecting a NAT Mode of Operation

NAT can be configured to operate in one of three modes: dynamic only,
static only, and a combination of static and dynamic. Dynamic mode is
used to allow hosts on your private network, or intranet, to access a
public network, such as the Internet. Static mode is used to allow hosts
on the public network to access selected hosts on your private network.
The combination mode is used when both dynamic mode and static mode
functions are required.

The following sections describe each NAT mode of operation and discuss
the advantages of using each mode.

4.2.2 Dynamic Only

In dynamic only mode, NAT enables IP hosts on a private network to
access the Internet without requiring an administrator to assign a
globally unique IP address to each system. Instead, the NAT interface is
configured with one public address, and private hosts can then access
the Internet through the NAT interface.

Hosts accessing the Internet are dynamically assigned the IP address
bound to the NAT interface and a port from a pool of available ports
that are constantly reused. Each time a packet is forwarded to the
public network, the private address is replaced with the globally unique
public address and a randomly assigned port. When the session is
completed, the port is returned to the pool to be reassigned as needed.
No connections can be initiated from the public network into your
private network.

All TCP, UDP, and ICMP packets have their source or destination address
(depending on the direction) translated. The public address used for
this translation is the primary IP address of the NAT interface, which
is specified in the Local IP Address parameter.

NAT provides a pool of 5,000 ports for TCP connections, a pool of 5,000
ports for UDP mappings, and a pool of 5,000 ports for ICMP mappings. To
establish a new connection when all 5,000 UDP or ICMP mappings are
already used, NAT drops the oldest mapping and provides a port number to
the new mapping. To establish a new TCP connection when all 5,000
connections are already used, NAT provides a port number to the new
connection by dropping the oldest connection that meets the following
criteria in the order shown:

* Any connection that has not transmitted packets for more than eight hours
* Any connection that has been attempting to connect for two minutes but
  has been unsuccessful (that is, the three-way TCP handshake has not been
  completed)

4.2.3 Static Only

Static only mode is used for permanent one-to-one mapping of public
registered IP addresses to local IP addresses inside a private network.
Static address translations are recommended when internal hosts, such as
FTP servers or Web servers, are made available to the public network.

In static only mode, NAT is configured with a table of IP address pairs.
Each table entry contains a pair of IP addresses for each host that
public hosts are permitted to access. The first IP address in each pair
is a public IP address to which the private address is mapped; the
second address is the address of the host on your private network.

Because public hosts can access private hosts only by using the private
hosts' public IP addresses, only those hosts that have their IP
addresses defined in the network address translation table are
accessible. The NAT interface drops packets addressed to hosts that do
not have an address mapping entry in the table. Similarly, to allow
private hosts access to the public network using the static only mode,
each private host must have its private IP address mapped to a unique
public IP address in the network address translation table.

IMPORTANT: When NAT runs in dynamic only mode, a single public IP address
and a random port number are assigned to multiple private hosts. When
NAT runs in static only mode, all address mappings must be unique. A
public address in the network address translation table cannot be mapped
to more than one private host.

4.2.4 Static and Dynamic

The combination static and dynamic mode is used if some hosts on your
network require dynamic address translation and other hosts require
static address translation. For example, your private network might have
hosts that you want to access the Internet and might also have resources
that you want to be accessed by public hosts. With the combined static
and dynamic mode, you can use both methods simultaneously.

To use static and dynamic mode, one public address must be configured
for dynamic translations and one public address must be configured for
each private host. Because the static and dynamic mode requires more
than one public address bound to the same NAT interface, secondary IP
addresses (multihoming) must be configured.

You must configure the NAT-enabled interface for multihoming. For more
information, see Using Multihoming.

IMPORTANT: When secondary IP addresses are bound to the NAT interface and
the static and dynamic mode of operation is selected, the NAT interface
automatically uses the primary IP address for dynamic mode. Secondary IP
addresses should be mapped to private host IP addresses in the static
network address translation table.
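Added example (not BorderManager code and not from the quoted documentation): a small Python model of the three NAT modes above, used to show why the Windows server in this thread produced no packets on the public side under static only mode and how the combined mode fixes it. All addresses, ports, the port allocation scheme and the "port kept" behaviour of static mappings are assumptions; the documentation's eight-hour and two-minute TCP eviction rules are simplified to "drop the oldest mapping".

```python
from collections import OrderedDict

POOL_SIZE = 5000  # TCP port pool size from the quoted documentation


class BmNat:
    """Outbound translation model for the three NAT modes (added example).

    Addresses, ports and the port allocation scheme are constructed values.
    """
    MODES = ("dynamic only", "static only", "static and dynamic")

    def __init__(self, mode, primary_ip, static_table=None):
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.primary_ip = primary_ip                  # used for dynamic translation
        self.static_table = dict(static_table or {})  # private IP -> public IP
        self.mappings = OrderedDict()                 # (src_ip, src_port) -> public port
        self.allocated = 0

    def translate_outbound(self, src_ip, src_port):
        """Return (public_ip, public_port), or None when NAT drops the packet."""
        if self.mode != "dynamic only" and src_ip in self.static_table:
            # one-to-one mapping: only the address changes (port kept, assumed)
            return (self.static_table[src_ip], src_port)
        if self.mode == "static only":
            # the case in this thread: a host missing from the static table is
            # dropped, so nothing ever shows up on the public interface
            return None
        key = (src_ip, src_port)
        if key not in self.mappings:
            if len(self.mappings) >= POOL_SIZE:
                self.mappings.popitem(last=False)  # pool full: drop the oldest mapping
            self.mappings[key] = 1024 + self.allocated % POOL_SIZE
            self.allocated += 1
        return (self.primary_ip, self.mappings[key])


def thread_scenario():
    """Static only with only the unix host in the table, then the combined mode."""
    table = {"10.0.0.20": "203.0.113.20"}  # constructed mapping for the unix host
    static_only = BmNat("static only", "203.0.113.1", table)
    unix_host = static_only.translate_outbound("10.0.0.20", 1250)
    windows_host = static_only.translate_outbound("10.0.0.30", 1250)  # dropped
    combined = BmNat("static and dynamic", "203.0.113.1", table)
    windows_fixed = combined.translate_outbound("10.0.0.30", 1250)
    return unix_host, windows_host, windows_fixed
```

In the combined mode the unmapped host leaves via the primary IP and a pool port, while hosts in the static table keep using their secondary public IP, matching the IMPORTANT note above.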
