Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • in reply to: Need advice about OSX Server badly #365225
    rcrcr
    Participant

    2. Yes, it is really easy. It can be done from the GUI admin tools.

    3. Enabling VPN is also really easy. Works in a few clicks from the GUI admin tools.

    rcrcr

    in reply to: Possible NAT problem with SIP softphones on Tiger Server #365223
    rcrcr
    Participant

    Following up on my previous post, it looks like the outbound packets are being accepted not by rule 12303, but instead by rule 12341:

    12341 allow log logamount 1000 ip from 10.200.0.0/22 to any
    

    …which was put in place by Server Admin, and does not have a keep-state. So it seems to me (can you confirm?) that since the outbound traffic is being accepted by 12341 instead of 12303, the state is not being kept and that’s why the inbound UDP in this case is being denied.

    If all that’s true, a followup question would be this:

    Why is 12341 taking precedence over 12303, which comes before it in the rule list?

    rcrcr

    in reply to: Possible NAT problem with SIP softphones on Tiger Server #365222
    rcrcr
    Participant

    [QUOTE BY= macshome] By default all incoming UDP is blocked by ipfw, but it should allow incoming replies to your requests because of the default keep-state rule.

    What’s a sudo ipfw show spit out on your server?[/QUOTE]

    Great question. I could have sworn that I didn’t see a problem in the ipfw logs, which is why I was honing in on natd as the problem, but sure enough, last night I discovered this:

    Feb 7 18:28:29 nyc-server ipfw: 12341 Accept UDP 10.200.1.137:31134 63.116.XXX.XXX:10658 in via en1
    Feb 7 18:28:29 nyc-server ipfw: 65534 Deny UDP 63.116.XXX.XXX:10658 10.200.1.137:31134 in via en0
    Feb 7 18:28:29 nyc-server ipfw: 12341 Accept UDP 10.200.1.137:31134 63.116.216.15:10658 in via en1
    Feb 7 18:28:29 nyc-server ipfw: 65534 Deny UDP 63.116.XXX.XXX:10658 10.200.1.137:31134 in via en0
    Feb 7 18:28:29 nyc-server ipfw: 12341 Accept UDP 10.200.1.137:31134 63.116.XXX.XXX:10658 in via en1
    Feb 7 18:28:29 nyc-server ipfw: 65534 Deny UDP 63.116.XXX.XXX:10658 10.200.1.137:31134 in via en0
    Feb 7 18:28:29 nyc-server ipfw: 12341 Accept UDP 10.200.1.137:31134 63.116.XXX.XXX:10658 in via en1
    Feb 7 18:28:29 nyc-server ipfw: 65534 Deny UDP 63.116.XXX.XXX:10658 10.200.1.137:31134 in via en0
    Feb 7 18:28:29 nyc-server ipfw: 12341 Accept UDP 10.200.1.137:31134 63.116.XXX.XXX:10658 in via en1
    Feb 7 18:28:29 nyc-server ipfw: 65534 Deny UDP 63.116.XXX.XXX:10658 10.200.1.137:31134 in via en0
    

    So it looks like ipfw is indeed denying the inbound traffic.

    Confusing thing is, the following rule is in place:

    12303 allow log logamount 1000 udp from any to any out keep-state
    

    So… why is this happening? Any idea how I might fix it?

    rcrcr
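
One way to check the pattern described in the two posts above across a whole log, added here as an example and not code from the thread: it pairs each packet denied by rule 65534 with the accepts logged for the opposite direction, then reports which rule accepted them and on which pass (`in` or `out`). The sample lines, the hostname `gw` and the address 203.0.113.15 are constructed; only rules that carry `log` appear in such a log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the post;
# the hostname and the 203.0.113.x address are placeholders.
SAMPLE_LOG = """\
Feb 7 18:28:29 gw ipfw: 12341 Accept UDP 10.200.1.137:31134 203.0.113.15:10658 in via en1
Feb 7 18:28:29 gw ipfw: 65534 Deny UDP 203.0.113.15:10658 10.200.1.137:31134 in via en0
Feb 7 18:28:29 gw ipfw: 12341 Accept UDP 10.200.1.137:31134 203.0.113.15:10658 in via en1
Feb 7 18:28:29 gw ipfw: 65534 Deny UDP 203.0.113.15:10658 10.200.1.137:31134 in via en0
Feb 7 18:28:31 gw ipfw: 12303 Accept UDP 10.200.1.140:5060 203.0.113.15:5060 out via en0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(log):
    """Yield one dict per ipfw log line; lines in other formats are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def denied_replies(log, deny_rule="65534"):
    """Pair each flow denied by deny_rule with the accepts logged for the
    opposite direction; report the accepting rule and the pass it matched on."""
    events = list(parse(log))
    accepts = defaultdict(set)  # (proto, src, dst) -> {(rule, dir, iface)}
    for e in events:
        if e["action"] == "Accept":
            accepts[(e["proto"], e["src"], e["dst"])].add((int(e["rule"]), e["dir"], e["iface"]))
    report = {}
    for e in events:
        if e["action"] == "Deny" and e["rule"] == deny_rule:
            forward = (e["proto"], e["dst"], e["src"])  # the request this packet answers
            if forward in accepts:
                hits = sorted(accepts[forward])
                report[forward] = {
                    "accepted_by": hits,
                    "denied_replies": report.get(forward, {}).get("denied_replies", 0) + 1,
                    # A rule carrying `out` can only match on the outbound pass.
                    "out_pass_logged": any(d == "out" for _, d, _ in hits),
                }
    return report

if __name__ == "__main__":
    for flow, info in denied_replies(SAMPLE_LOG).items():
        print(flow, info)
```

A flow reported with `out_pass_logged` set to `False` has no logged accept from any rule on the outbound pass, which is the only pass a rule written with `out` can match.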
