Forwarding through Firewall not working?
Wed Nov 20 20:04:00 2002
I think your basic setup for testing is flawed.
You are trying to test going through a firewall by going from a local
network, out to the internet, back in through the WAN side of your firewall,
and on to your second box (on the same LAN).
If this is not what you're trying to do, ignore most of what follows, as I
clearly misunderstood what you're trying :-)
[SNIP to second trace]
> 15:33:09.30 > ss00.44378 > m31-mp1.cvx3-a.pop.dial.ntli.net.5800: S
> 1000303348:1000303348(0) win 5840 <mss 1460,sackOK,timestamp 260101419
> 0,nop,wscale 0> (DF)
====> try to connect to port on firewall
> 15:33:09.30 B arp who-has qgw tell ss02fw /* firewall determining where
> to send the inbound traffic I guess? */
====>firewall forwards the request to local 'qgw'
> 15:33:09.30 P arp reply qgw is-at 0:c0:9f:7:92:93 (0:80:c8:e0:e5:72)
> 15:33:09.30 P ss00.44378 > qgw.5800: S 1000303348:1000303348(0) win 5840
> <mss 1460,sackOK,timestamp 260101419 0,nop,wscale 0> (DF)
====> packet is forwarded. Note that source address would be 'ss00' dest
address has likely been changed by firewall to 'qgw'
> 15:33:09.30 B arp who-has ss00 tell qgw /*wtf??*/
====> 'ss00' sees that 'qgw' is on the local LAN, so it will send directly back
to 'qgw'. So it does an ARP request
> 15:33:09.30 > arp reply ss00 (0:a0:cc:52:96:36) is-at 0:a0:cc:52:96:36
> 15:33:09.30 < qgw.5800 > ss00.44378: S 284564:284564(0) ack 1000303349 win
> 8760 <mss 1460> (DF)
====> ss00 tries to ACK the connection. Note that its source address is 'ss00'
> 15:33:09.30 > ss00.44378 > qgw.5800: R 1000303349:1000303349(0) win 0 (DF)
====> 'qgw' doesn't accept the ACK (because he's trying to talk to 'M31....',
[SNIP rest of mail]
Basically, everything is working as it should. I presume that the firewall
is running NAT, in which case it would normally translate addresses
originating from the inside. Except, in this case, since the traffic is
destined for an internal address it appears to your firewall that the
connection is one initiated from an external address ===> in this case it
will not translate the source address. Clear as mud.
To test your setup, you're going to have to move the second system off the
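To make the asymmetric-path problem described in this reply easier to see, here is a small added model of the exchange (my own constructed example, not code from the poster or from any firewall product). The addresses, ports and names below are made-up stand-ins for ss00, qgw and the firewall's WAN address in the trace; the firewall is assumed to DNAT its WAN address to qgw and, in the second run, to additionally SNAT hairpinned LAN clients so that qgw's replies return through the firewall instead of going straight back over the LAN.

```python
"""Toy model of the 'hairpin' NAT situation diagnosed in the mail above.

Constructed example: addresses, ports and host roles are made up and only
stand in for ss00, qgw and the firewall's WAN address seen in the trace.
"""
from dataclasses import dataclass

# Hypothetical addresses (assumed, not taken from the trace)
SS00 = "192.168.1.20"     # inside client, plays the role of ss00
QGW = "192.168.1.30"      # inside server, plays the role of qgw
FW_LAN = "192.168.1.1"    # firewall's inside address
FW_WAN = "203.0.113.5"    # firewall's WAN address that the client connects to
PORT = 5800
CLIENT_PORT = 44378       # ephemeral port ss00 used in the trace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "S" (SYN), "SA" (SYN-ACK) or "R" (RST)

    def __str__(self):
        return f"{self.src}.{self.sport} > {self.dst}.{self.dport}: {self.flags}"


def on_lan(ip):
    return ip.startswith("192.168.1.")


class Firewall:
    """DNATs FW_WAN:PORT to QGW:PORT. With hairpin_snat it also rewrites the
    source of LAN-originated hairpin traffic so replies come back through it."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.snat_table = {}   # (translated src, sport) -> original client src

    def inbound(self, pkt):
        """Packet arriving for the published WAN address."""
        assert (pkt.dst, pkt.dport) == (FW_WAN, PORT)
        src = pkt.src
        if self.hairpin_snat and on_lan(pkt.src):
            src = FW_LAN                      # hide the LAN client behind ourselves
            self.snat_table[(FW_LAN, pkt.sport)] = pkt.src
        return Packet(src, pkt.sport, QGW, pkt.dport, pkt.flags)

    def reverse(self, pkt):
        """Undo both translations on a reply from qgw addressed to FW_LAN."""
        client = self.snat_table[(pkt.dst, pkt.dport)]
        return Packet(FW_WAN, pkt.sport, client, pkt.dport, pkt.flags)


class Client:
    """Keeps a connection table keyed by the peer it *thinks* it is talking to."""

    def __init__(self, ip):
        self.ip = ip
        self.conns = {}

    def connect(self, dst, dport, sport):
        self.conns[(sport, dst, dport)] = "SYN_SENT"
        return Packet(self.ip, sport, dst, dport, "S")

    def receive(self, pkt):
        key = (pkt.dport, pkt.src, pkt.sport)
        if key in self.conns and pkt.flags == "SA":
            self.conns[key] = "ESTABLISHED"   # would now send the final ACK
            return None
        # SYN-ACK from a peer we never contacted: reset it, as in the trace
        return Packet(self.ip, pkt.dport, pkt.src, pkt.sport, "R")


class Server:
    def __init__(self, ip, port):
        self.ip, self.port = ip, port

    def receive(self, pkt):
        """Answer a SYN with a SYN-ACK sent to whatever source address it saw."""
        if pkt.flags == "S" and (pkt.dst, pkt.dport) == (self.ip, self.port):
            return Packet(self.ip, self.port, pkt.src, pkt.sport, "SA")
        return None


def simulate(hairpin_snat):
    """Return (outcome, trace) for one connection attempt from ss00 to FW_WAN."""
    fw, client, server = Firewall(hairpin_snat), Client(SS00), Server(QGW, PORT)
    trace = []
    syn = client.connect(FW_WAN, PORT, CLIENT_PORT)
    trace.append(str(syn))
    fwd = fw.inbound(syn)
    trace.append(str(fwd))
    synack = server.receive(fwd)
    trace.append(str(synack))
    # qgw replies to the source it saw. A LAN source is reachable directly
    # (the "arp who-has ss00 tell qgw" in the trace), so the SYN-ACK never
    # passes the firewall; only a reply addressed to FW_LAN gets un-translated.
    if synack.dst == FW_LAN:
        synack = fw.reverse(synack)
        trace.append(str(synack))
    rst = client.receive(synack)
    if rst is None:
        return "ESTABLISHED", trace
    trace.append(str(rst))
    return "RST", trace


if __name__ == "__main__":
    for mode in (False, True):
        outcome, trace = simulate(mode)
        print(f"hairpin SNAT {'on' if mode else 'off'}: {outcome}")
        for line in trace:
            print("   ", line)
```

Without hairpin SNAT the model reproduces the trace: the SYN-ACK arrives at the client from qgw rather than from the WAN address it connected to, no entry in its connection table matches, and it answers with a RST. With the client's source rewritten to the firewall's inside address, qgw's reply has to traverse the firewall, both translations are undone and the handshake completes. On Linux firewalls this is usually done with an SNAT or MASQUERADE rule in the nat POSTROUTING chain for LAN-originated traffic bound for the internal server; testing from a host that is genuinely outside, as the reply recommends, sidesteps the issue entirely.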