[ boki @ 06.03.2005. 16:01 ] @
Here's the situation: I have 3 machines on a LAN that go out to Verat ADSL (public IP) through a server (WS03) running WinRoute 6.0.9. On the LAN machines all services work (HTTP, Kazaa, Shareaza, DC++, FTP, IRC) except SSL and Jabber. When I try to open an https page it stays at "transfering data..." and when I try to connect to Jabber with PSI (I also tried JAJC) it stops here:
Quote:
<?xml version="1.0"?>
<stream:stream xmlns:stream=" http://etherx.jabber.org/streams" xmlns="jabber:client" to="elitesecurity.org" >
<?xml version='1.0'?><stream:stream xmlns:stream=' http://etherx.jabber.org/streams' id='422B27D7' xmlns='jabber:client' from='elitesecurity.org'>
<iq type="get" id="auth_1" to="elitesecurity.org" >
<query xmlns="jabber:iq:auth">
<username> XXXX</username>
</query>
</iq>
<iq type="result" id="auth_1" >
<query xmlns="jabber:iq:auth">
<username> XXXX</username>
<password/>
<digest/>
<sequence> XXXX</sequence>
<token> XXXX</token>
<resource/>
</query>
</iq>
<iq type="set" id="auth_2" to="elitesecurity.org" >
<query xmlns="jabber:iq:auth">
<username> XXXX</username>
<digest> XXXX</digest>
<resource>Psi gajba</resource>
</query>
</iq>
<iq type="result" id="auth_2" />
<iq type="get" id="aab1a" >
<query xmlns="jabber:iq:roster"/>
</iq>
I simply can't get it into my head what the problem is with these 2 services, which otherwise work fine behind NAT....
Here is the Traffic Policy from WinRoute:
[image attachment]
[ broker @ 06.03.2005. 23:42 ] @
The ICMP rule is definitely not right. That way you are blocking NAT.
ICMP traffic on the local network is already regulated by a rule, and if you want ICMP outbound and inbound then create rules for that.
I don't know whether that is what's interfering with these two protocols, but try disabling that rule.
Also, check the LOGS/Filter report. There you will see all connections, so you will notice if some rule is killing a connection.
[ boki @ 07.03.2005. 17:11 ] @
I don't see why that rule isn't OK, but here, I set ICMP to Source: firewall, VeratPPPoE, Dest: firewall, VeratPPPoE and it changes nothing. I also tried disabling the rule and everything is the same... there's nothing in the logs...
I created a rule Source: any, Dest: any, Service: TCP 5222, turned on logging and got this in the filter:
Quote:
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from LAN, proto:TCP, len:48, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: SYN , seq:2272972150 ack:0, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:48, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: SYN , seq:2272972150 ack:0, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:48, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: SYN ACK , seq:1713035112 ack:2272972151, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet to LAN, proto:TCP, len:48, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: SYN ACK , seq:1713035112 ack:2272972151, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from LAN, proto:TCP, len:40, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK , seq:2272972151 ack:1713035113, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:40, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK , seq:2272972151 ack:1713035113, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from LAN, proto:TCP, len:172, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972151 ack:1713035113, win:65535, tcplen:132
[07/Mar/2005 18:09:05] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:172, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972151 ack:1713035113, win:65535, tcplen:132
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:40, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK , seq:1713035113 ack:2272972283, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet to LAN, proto:TCP, len:40, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK , seq:1713035113 ack:2272972283, win:65535, tcplen:0
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:185, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713035113 ack:2272972283, win:65535, tcplen:145
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to LAN, proto:TCP, len:185, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK PSH , seq:1713035113 ack:2272972283, win:65535, tcplen:145
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:164, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972283 ack:1713035258, win:65390, tcplen:124
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:164, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972283 ack:1713035258, win:65390, tcplen:124
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:40, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK , seq:1713035258 ack:2272972407, win:65535, tcplen:0
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to LAN, proto:TCP, len:40, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK , seq:1713035258 ack:2272972407, win:65535, tcplen:0
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:220, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713035258 ack:2272972407, win:65535, tcplen:180
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to LAN, proto:TCP, len:220, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK PSH , seq:1713035258 ack:2272972407, win:65535, tcplen:180
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:252, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972407 ack:1713035438, win:65210, tcplen:212
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:252, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972407 ack:1713035438, win:65210, tcplen:212
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:40, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK , seq:1713035438 ack:2272972619, win:65535, tcplen:0
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to LAN, proto:TCP, len:40, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK , seq:1713035438 ack:2272972619, win:65535, tcplen:0
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:71, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713035438 ack:2272972619, win:65535, tcplen:31
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to LAN, proto:TCP, len:71, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK PSH , seq:1713035438 ack:2272972619, win:65535, tcplen:31
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:108, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972619 ack:1713035469, win:65179, tcplen:68
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:108, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972619 ack:1713035469, win:65179, tcplen:68
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:883, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713039849 ack:2272972687, win:65535, tcplen:843
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to LAN, proto:TCP, len:883, ip/port:217.26.67.165:5222 -> 192.168.0.11:1609, flags: ACK PSH , seq:1713039849 ack:2272972687, win:65535, tcplen:843
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:52, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK , seq:2272972687 ack:1713035469, win:65179, tcplen:0
[07/Mar/2005 18:09:06] PERMIT "New rule" packet to VeratPPPoE, proto:TCP, len:52, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK , seq:2272972687 ack:1713035469, win:65179, tcplen:0
So the packets should be getting through, but Jabber doesn't work :( I'm completely losing my mind...
[ boki @ 20.03.2005. 21:34 ] @
As far as I've found out so far, there's a chance the problem is that PPPoE has a smaller MTU than Ethernet (1492 vs. 1500) and that because of this some packets apparently can't be fragmented properly, or who knows what....
[ boki @ 20.03.2005. 23:10 ] @
Yes, it works!!! The reason was the MTU!
Here's what I did
On the server:
HKLM\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters\Protocols\0
ProtocolMTU="1400"
On the clients behind NAT:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{hex}
MTU="1400"
I'll see about experimenting with it a bit more...
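An added example, not part of the thread: a Python script that replays the sequence numbers in the filter log boki posted and reports data the firewall never saw. On the server's side of that log it finds a 4380-byte hole in front of the last segment, exactly three full 1460-byte segments, which is the black-hole pattern behind the MTU fix boki arrived at (large segments dropped, small ones delivered). The sample lines are copied from the log above; the regular expression for WinRoute's log format is derived from those lines only.

```python
import re

# "packet from" lines copied from the WinRoute Filter log quoted in the
# thread (WinRoute logs each packet once per interface; the "to" copies
# are omitted here, as are the server's empty pure-ACK segments).
SAMPLE_LOG = """\
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from LAN, proto:TCP, len:48, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: SYN , seq:2272972150 ack:0, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:48, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: SYN ACK , seq:1713035112 ack:2272972151, win:65535, tcplen:0
[07/Mar/2005 18:09:05] PERMIT "New rule" packet from LAN, proto:TCP, len:172, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972151 ack:1713035113, win:65535, tcplen:132
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:185, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713035113 ack:2272972283, win:65535, tcplen:145
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:164, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972283 ack:1713035258, win:65390, tcplen:124
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:220, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713035258 ack:2272972407, win:65535, tcplen:180
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:252, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972407 ack:1713035438, win:65210, tcplen:212
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:71, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713035438 ack:2272972619, win:65535, tcplen:31
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:108, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK PSH , seq:2272972619 ack:1713035469, win:65179, tcplen:68
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from VeratPPPoE, proto:TCP, len:883, ip/port:217.26.67.165:5222 -> 213.244.233.196:61241, flags: ACK PSH , seq:1713039849 ack:2272972687, win:65535, tcplen:843
[07/Mar/2005 18:09:06] PERMIT "New rule" packet from LAN, proto:TCP, len:52, ip/port:192.168.0.11:1609 -> 217.26.67.165:5222, flags: ACK , seq:2272972687 ack:1713035469, win:65179, tcplen:0
"""

LINE_RE = re.compile(
    r'\[[^\]]+\] (?P<action>\w+) "[^"]*" packet from (?P<iface>\w+), '
    r'proto:TCP, len:\d+, ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> '
    r'(?P<dst>[\d.]+):(?P<dport>\d+), flags: (?P<flags>[A-Z ]+?) , '
    r'seq:(?P<seq>\d+) ack:(?P<ack>\d+), win:\d+, tcplen:(?P<tcplen>\d+)')

def find_seq_gaps(log_text):
    """Replay each sender's sequence numbers; return (sender, expected, seen,
    missing_bytes) for every segment that starts past the expected point.
    Such a hole means data left the sender but never reached the firewall."""
    expected, gaps = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sender = f"{m['src']}:{m['sport']}"
        seq, tcplen, flags = int(m['seq']), int(m['tcplen']), m['flags'].split()
        nxt = expected.get(sender)
        if nxt is not None and seq > nxt:
            gaps.append((sender, nxt, seq, seq - nxt))
        # SYN and FIN each consume one sequence number besides payload bytes
        end = seq + tcplen + ('SYN' in flags) + ('FIN' in flags)
        expected[sender] = max(end, nxt or 0)  # a retransmit never moves us back
    return gaps

def full_segments(missing_bytes, mss=1460):
    """Split a hole into full-MSS segments (1500-byte MTU minus 40 bytes of
    IP+TCP headers) and a remainder; (n, 0) means n full-size segments vanished."""
    return divmod(missing_bytes, mss)
```

The client's final ACK in the sample still acknowledges 1713035469, confirming from the other side that the three missing segments never arrived; on a healthy link no hole should appear at all.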
Copyright (C) 2001-2025 by www.elitesecurity.org. All rights reserved.