Hello,
It seems that I've got trouble configuring the NSIS NATFWD. The FW part seems to work, but I can't get the NAT part working.
Oddly enough, I get the GistException: Legacy NAT detected. I dug up on the Internet a draft, which implies that the NAT device is not NSIS-enabled, though it very well should be. I figured out that the cause may be that NSIS does not have explicit access to iptables, at least as far as I know. I do not know how to give NSIS explicit access to iptables, other than running nsis as root.
I have however noticed that when having the FWon switched to true, NSIS creates its own chains in the iptables filter table. But the nat table remains untouched, as if NSIS did not have access to it. I've configured the settings as far as I can tell correctly. I'll paste them both below:
NATFW device configuration file:
# *******************************************
# ***** General Configuration *****
# *******************************************

# Start Ping and Diagnostics NSLP daemon together with GIST
nslp.startPing = yes
nslp.startQoS = no
nslp.startNatFw = yes
nslp.startDiag = yes

# Accept explicitly routed messages (default is yes)
gist.acceptExplicitMessages = yes

# Accept GIST DATA messages that do not relate to any GIST state (default is yes)
gist.acceptStatelessGistMessage = yes

# *******************************************
# ***** GIST Transport Configuration *****
# *******************************************

## Policies which transport protocols are offered to peers.
# Offer SCTP as transport to peers?
gist.offerSCTP = no

# Offer TLS over TCP as transport to peers?
gist.offerTLS = no

## Policies
# Prefer SCTP over TCP as transfer protocol?
gist.useSCTP = no

# *******************************************
# ***** GIST Timer Configuration *****
# *******************************************

## All Timeouts are measured in milliseconds

# How long do we wait for a Response to our initial Query?
# On retransmission, this value is doubled each time. (default: 10000 ms)
gist.timeout.waitForInitialResponse = 10000

# How long do we wait for a Confirm on the Receiver-Side? (default: 10000 ms)
gist.timeout.waitForConfirm = 10000

# How long do we wait between sending refreshing Queries? (default: 30000 ms)
gist.timeout.refreshInterval = 30000

# How long do we wait for a Response to a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.queryingNodeStateExpiration = 100000

# How long do we wait for a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.respondingNodeStateExpiration = 100000

# *******************************************
# ***** IP address/routing configuration *****
# *******************************************

# If readRoutingTable is set to yes, all IP address configuration
# used by NSIS is derived from the local IP routing tables and
# interface information.
# NOTE: If readRoutingTable is set to yes, all remaining IP address
# configuration in this file is NOT used by NSIS.
readRoutingTable = no

# CAUTION: The address configuration is like a routing table.

# This example IPv4 configuration contains a default route
# as well as special configuration for two network segments
# (i.e. 192.168.0.0/24 and 192.168.1.0/24)
IPv4.entries = 2

# This is the only route that is secured by NSIS.
# DEFAULT ROUTE NEEDS TO BE FIRST IN LIST!
IPv4[1].addr = 10.0.0.2
IPv4[1].net = 0.0.0.0
IPv4[1].mask = 0
# This address is the external address to the public network.
IPv4[1].natfw.useAsExternalAddress = yes
# Network is public (i.e. the global internet)
# IPv4[1].natfw.isPrivateNet = no

# This is the only route that is secured by NSIS.
IPv4[0].addr = 192.168.1.3
IPv4[0].net = 192.168.1.0
IPv4[0].mask = 24
# This address is not the external address to the public network.
# IPv4[0].natfw.useAsExternalAddress = no
# Network is private
# IPv4[0].natfw.isPrivateNet = yes

# *******************************************
# ***** NatFW NSLP Configuration *****
# *******************************************

# This host runs a NAT and a firewall. Exclusive access to iptables is
# recommended... How to enable that?
natfw.isNAT = yes
natfw.isFW = yes

# Hosts inside the private network can reserve external addresses/ports.
# As the above configuration shows, 10.0.0.1 is the only external address this
# router has to offer:
natfw.resources.IPv4.entries = 1
natfw.resources.IPv4[0].addr = 192.168.1.3
---------------------------------------------------------------------
NSIS-enabled host behind NAT, trying to access public network:
# *******************************************
# ***** General Configuration *****
# *******************************************

# Start Ping and Diagnostics NSLP daemon together with GIST
nslp.startPing = yes
nslp.startQoS = no
nslp.startNatFw = yes
nslp.startDiag = yes

# Accept explicitly routed messages (default is yes)
gist.acceptExplicitMessages = yes

# Accept GIST DATA messages that do not relate to any GIST state (default is yes)
gist.acceptStatelessGistMessage = yes

# *******************************************
# ***** GIST Transport Configuration *****
# *******************************************

## Policies which transport protocols are offered to peers.
# Offer SCTP as transport to peers?
gist.offerSCTP = no

# Offer TLS over TCP as transport to peers?
gist.offerTLS = no

## Policies
# Prefer SCTP over TCP as transfer protocol?
gist.useSCTP = no

# *******************************************
# ***** GIST Timer Configuration *****
# *******************************************

## All Timeouts are measured in milliseconds

# How long do we wait for a Response to our initial Query?
# On retransmission, this value is doubled each time. (default: 10000 ms)
gist.timeout.waitForInitialResponse = 10000

# How long do we wait for a Confirm on the Receiver-Side? (default: 10000 ms)
gist.timeout.waitForConfirm = 10000

# How long do we wait between sending refreshing Queries? (default: 30000 ms)
gist.timeout.refreshInterval = 30000

# How long do we wait for a Response to a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.queryingNodeStateExpiration = 100000

# How long do we wait for a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.respondingNodeStateExpiration = 100000

# *******************************************
# ***** IP address/routing configuration *****
# *******************************************

# If readRoutingTable is set to yes, all IP address configuration
# used by NSIS is derived from the local IP routing tables and
# interface information.
# NOTE: If readRoutingTable is set to yes, all remaining IP address
# configuration in this file is NOT used by NSIS.
readRoutingTable = no

# CAUTION: The address configuration is like a routing table.

# This example IPv4 configuration contains a default route
# as well as special configuration for two network segments
# (i.e. 192.168.0.0/24 and 192.168.1.0/24)
IPv4.entries = 1

# The first entry is meant as a default route. It is used when
# no subsequent entry matches.
IPv4[0].addr = 192.168.1.1
IPv4[0].net = 0.0.0.0
IPv4[0].mask = 0
IPv4[0].natfw.useAsExternalAddress = yes
# IPv4[0].natfw.isPrivateNet = yes

# *******************************************
# ***** NatFW NSLP Configuration *****
# *******************************************

# Not a NAT nor a firewall.
natfw.isNAT = no
natfw.isFW = no
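The observation in the message above (the daemon's chains show up in the filter table while the nat table stays untouched) can be checked mechanically from iptables-save output rather than by eyeballing it. The following Python script is an added example and is not code from this thread or from the NSIS daemon: it parses iptables-save text, lists the user-defined chains per table whose names start with a given prefix, and reports which of the tables a combined NAT+FW daemon should be touching have none. The chain prefix "NSIS" and the embedded iptables-save sample are constructed assumptions, because the thread does not name the chains; on a real box, feed it the output of iptables-save run as root.

```python
"""Report which iptables tables carry a daemon's own chains.

Added example, not part of the mailing-list thread or the NSIS code base.
Parses iptables-save output and reports, per table, the user-defined chains
matching a name prefix.  The prefix "NSIS" below is an assumption: the thread
only says the daemon "creates its own chains", not what they are called.
"""
import re

# Constructed sample: the filter table has daemon-created chains, the nat
# table has only the stock built-in chains and a MASQUERADE rule.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:NSIS_FORWARD - [0:0]
:NSIS_INPUT - [0:0]
-A FORWARD -j NSIS_FORWARD
-A INPUT -j NSIS_INPUT
-A NSIS_FORWARD -s 192.168.1.1/32 -d 193.0.0.1/32 -p tcp --dport 30 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


def parse_iptables_save(text):
    """Return {table: {"chains": [names...], "rules": [raw -A lines...]}}."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*filter" opens a table
            current = line[1:]
            tables[current] = {"chains": [], "rules": []}
        elif line.startswith(":") and current:   # ":NAME policy [pkts:bytes]"
            tables[current]["chains"].append(line[1:].split()[0])
        elif line.startswith("-A") and current:  # append rule
            tables[current]["rules"].append(line)
        elif line == "COMMIT":
            current = None
    return tables


def daemon_footprint(text, prefix):
    """Per table: user-defined chains starting with prefix, and how many
    rules live in or jump to those chains."""
    report = {}
    for table, data in parse_iptables_save(text).items():
        chains = [c for c in data["chains"]
                  if c.startswith(prefix) and c not in BUILTIN]
        hits = 0
        for rule in data["rules"]:
            if any(re.search(r"\b%s\b" % re.escape(c), rule) for c in chains):
                hits += 1
        report[table] = {"chains": chains, "rules": hits}
    return report


def tables_missing_chains(text, prefix, expected_tables=("filter", "nat")):
    """Tables a NAT+FW daemon is expected to populate but where no chain with
    the prefix exists: the symptom described in the thread (nat untouched)."""
    footprint = daemon_footprint(text, prefix)
    return [t for t in expected_tables if not footprint.get(t, {}).get("chains")]


if __name__ == "__main__":
    for table, info in daemon_footprint(SAMPLE_IPTABLES_SAVE, "NSIS").items():
        print("%-6s chains=%s rules=%d" % (table, info["chains"], info["rules"]))
    print("tables without daemon chains:",
          tables_missing_chains(SAMPLE_IPTABLES_SAVE, "NSIS"))
```

On the sample the filter table reports two daemon chains with three rules attached, while the nat table reports none, so "nat" is listed as missing; that is exactly the state the first message describes, and the same check run after a successful --create would be the quickest way to confirm a mapping was actually installed.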
Got past that problem, now on to the next one. I keep getting odd errors half the time. Can somebody just please explain how to configure the NATFW box as an edge router between the private network 192.168.1.X and the public network 10.0.0.X. This is a virtual network with virtual machines, hence using in truth private LAN topologies and treating them as public Internet. What I want is the NATFW box to act as a proxy between NSIS-enabled private network and NSIS-disabled public network.
Mikael
On Wed, 4 Jul 2007, Mikael Henriksson wrote:
Nsis_Imp mailing list Nsis_Imp@informatik.uni-goettingen.de https://user.informatik.uni-goettingen.de/mailman/listinfo/nsis_imp
Please try with a real public address, not with a private one such as 10.0.0.0/8 used as public. I believe the NAT part does not work with private addresses. Do you still have the "Legacy NAT detected" problem?
Niklas
Mikael Henriksson wrote:
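The NATFW device configuration from Mikael's first message and Niklas's point about private addresses can both be checked before the daemon is ever started. The following Python script is an added example, not part of this thread or of the NSIS distribution. It parses the key = value format of the posted configuration files (with '#' comments) and flags the three inconsistencies visible in the posted NATFW config: the default route sits at IPv4[1] although the file's own comment says it must be first (that "first" means index 0 is an assumption), the external address 10.0.0.2 lies in a private range, and the address offered in natfw.resources.IPv4[0] is the private-side address 192.168.1.3 rather than the external one. The embedded sample is a constructed condensation of the posted file; the requirement that resource addresses be external addresses is taken from the file's comments.

```python
"""Sanity-check a NATFW NSLP daemon configuration before starting it.

Added example, not part of the thread or the NSIS distribution.  Parses the
"key = value" format shown in the thread and applies the checks implied by
the comments in the posted config file.  Assumption: "DEFAULT ROUTE NEEDS TO
BE FIRST IN LIST" is read as "must be IPv4[0]".
"""
import ipaddress
import re

# Constructed sample, condensed from the NATFW device config posted in the thread.
SAMPLE_CONFIG = """\
natfw.isNAT = yes
natfw.isFW = yes
readRoutingTable = no
IPv4.entries = 2
# DEFAULT ROUTE NEEDS TO BE FIRST IN LIST!
IPv4[1].addr = 10.0.0.2
IPv4[1].net = 0.0.0.0
IPv4[1].mask = 0
IPv4[1].natfw.useAsExternalAddress = yes
IPv4[0].addr = 192.168.1.3
IPv4[0].net = 192.168.1.0
IPv4[0].mask = 24
natfw.resources.IPv4.entries = 1
natfw.resources.IPv4[0].addr = 192.168.1.3
"""


def parse_config(text):
    """Return {key: value}; '#' starts a comment, blank lines are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def indexed(cfg, prefix):
    """Group keys of the form prefix[i].field into {i: {field: value}}."""
    pat = re.compile(r"^%s\[(\d+)\]\.(.+)$" % re.escape(prefix))
    out = {}
    for key, value in cfg.items():
        m = pat.match(key)
        if m:
            out.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return out


def check_natfw_config(cfg):
    """Return a list of human-readable problems (empty list means clean)."""
    problems = []
    entries = indexed(cfg, "IPv4")

    # 1. Declared entry count must match the entries actually present.
    declared = int(cfg.get("IPv4.entries", "0"))
    if declared != len(entries):
        problems.append("IPv4.entries=%d but %d IPv4[i] entries found"
                        % (declared, len(entries)))

    # 2. Exactly one default route, and it must be the first entry (assumed index 0).
    defaults = sorted(i for i, e in entries.items()
                      if e.get("net") == "0.0.0.0" and e.get("mask") == "0")
    if not defaults:
        problems.append("no default route (net 0.0.0.0 mask 0) configured")
    elif defaults != [0]:
        problems.append("default route is IPv4[%d], expected index 0" % defaults[0])

    # 3. NAT role needs an external address; it should be globally routable,
    #    and every offered resource address must be one of the external ones.
    external = {e["addr"] for e in entries.values()
                if e.get("natfw.useAsExternalAddress") == "yes" and "addr" in e}
    if cfg.get("natfw.isNAT") == "yes":
        if not external:
            problems.append("isNAT=yes but no entry has natfw.useAsExternalAddress=yes")
        for addr in sorted(external):
            if ipaddress.ip_address(addr).is_private:   # RFC 1918 and other special ranges
                problems.append("external address %s is in a private range" % addr)
        for i, res in sorted(indexed(cfg, "natfw.resources.IPv4").items()):
            if res.get("addr") not in external:
                problems.append("natfw.resources.IPv4[%d].addr=%s is not an external address"
                                % (i, res.get("addr")))
    return problems


if __name__ == "__main__":
    for problem in check_natfw_config(parse_config(SAMPLE_CONFIG)) or ["config looks consistent"]:
        print(problem)
```

Run against the posted NATFW config the script reports all three findings; the second one is Niklas's objection in mechanical form, and the third is the mismatch between the resource comment (which names 10.0.0.1), the resource address (192.168.1.3) and the external interface address (10.0.0.2) that the thread never resolves.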
Alright, I switched the 10.0.0.0 network to 193.0.0.0 instead, which afaik should be public Internet zone. I still get the same error messages.
The NATFW box running NATFWD gives this error message when the VoIP box behind the NAT connects to the public zone using NSIS:
(crit) void GistMAEntry::setSock(Socket * sock)
That's the same error I've been getting over and over again. Does this imply a bug in the code, or some error on my part? Oh and the command I run on the VoIP box is:
./nsis-natfw --create -s 192.168.1.1 -d 193.0.0.1 --sport=2020 --dport=30 -x --debug=0
There is no real service behind the dport on 193.0.0.1. All I want is a successful reply back that a pinhole in the NAT has been opened right now. This is rather frustrating here. I cannot find any reference to that error message, though I earlier looked up the place in the source code where that is generated. It didn't make much sense to me.
Any ideas what could be wrong?
Mikael
On Wed, 4 Jul 2007, Niklas Steinleitner wrote:
Please try with a real public address, not with a private one such as 10.0.0.0/8 used as public. I believe the NAT part does not work with private addresses. Do you still have the "Legacy NAT detected" problem?
Niklas
Mikael Henriksson schrieb:
Got past that problem, now on to the next one. I keep getting odd errors half the time. Can somebody just please explain how to configure the NATFW box as an edge router between the private network 192.168.1.X and the public network 10.0.0.X. This is a virtual network with virtual machines, hence using in truth private LAN topologies and treating them as public Internet. What I want is the NATFW box to act as a proxy between NSIS-enabled private network and NSIS-disabled public network.
Mikael
On Wed, 4 Jul 2007, Mikael Henriksson wrote:
Hello,
It seems that I've got trouble configuring the NSIS NATFWD. The FW part seems to work, but I can't get the NAT part working.
Oddly enough, I get the GistException: Legacy NAT detected. I dug up on the Internet a draft, which implies that the NAT device is not NSIS-enabled, though it very well should be. I figured out that the cause may be that NSIS does not have explicit access to iptables, at least as far as I know. I do not know how to give NSIS explicit access to iptables, other than running nsis as root.
I have however noticed that when having the FWon switched to true, NSIS creates it's own chains in iptables filter table. But the nat table remains untouched, as if NSIS did not have access to it. I've configured the settings as far as I can tell correctly. I'll paste them both below:
NATFW device configuration file:
# ******************************************* # ***** General Configuration ***** # *******************************************
# Start Ping and Diagnostics NSLP daemon together with GIST nslp.startPing = yes nslp.startQoS = no nslp.startNatFw = yes nslp.startDiag = yes
# Accept explicitly routed messages (default is yes) gist.acceptExplicitMessages = yes
# Accept GIST DATA messages that do not relate to any GIST state (default is yes) gist.acceptStatelessGistMessage = yes
# ******************************************* # ***** GIST Transport Configuration ***** # *******************************************
## Policies which transport protocols are offered to peers. # Offer SCTP as transport to peers? gist.offerSCTP = no
# Offer TLS over TCP as transport to peers? gist.offerTLS = no
## Policies # Prefer SCTP over TCP as transfer protocol? gist.useSCTP = no
# ******************************************* # ***** GIST Timer Configuration ***** # *******************************************
## All Timeouts are measured in milliseconds
# How long do we wait for a Response to out initial Query? # On retransmission, this value is doubled each time. (default: 10000 ms) gist.timeout.waitForInitialResponse = 10000
# How long do we wait for a Confirm on the Receiver-Side? (default: 10000 ms) gist.timeout.waitForConfirm = 10000
# How long do we wait between sending refreshing Queries? (default: 30000 ms) gist.timeout.refreshInterval = 30000
# How long do we wait for a Response to a refreshing Query # until state is removed? (default: 100000 ms) gist.timeout.queryingNodeStateExpiration = 100000
# How long do we wait for a refreshing Query # until state is removed? (default: 100000 ms) gist.timeout.respondingNodeStateExpiration = 100000
# ******************************************* # ***** IP address/routing configurtion ***** # *******************************************
# If readRoutingTable is set to yes, all IP address configuration # used by NSIS is derived from the local IP routing tables and # interface information. # NOTE: If readRoutingTable is set to yes, all remaining IP address # configuration in this file is NOT used by NSIS. readRoutingTable = no
# CAUTION: The address configuration is like a routing table.
# This example IPv4 configuration contains a default route # as well as special configuration for two network segments # (i.e 192.168.0.0/24 and 192.168.1.0/24) IPv4.entries = 2
# This is the only route that is secured by NSIS. # DEFAULT ROUTE NEEDS TO BE FIRST IN LIST! IPv4[1].addr = 10.0.0.2 IPv4[1].net = 0.0.0.0 IPv4[1].mask = 0 # This address is the extrernal address to the public network. IPv4[1].natfw.useAsExternalAddress = yes # Network is public (i.e. the global internet) # IPv4[1].natfw.isPrivateNet = no
# This is the only route that is secured by NSIS. IPv4[0].addr = 192.168.1.3 IPv4[0].net = 192.168.1.0 IPv4[0].mask = 24 # This addrss is not the external address to the public network. # IPv4[0].natfw.useAsExternalAddress = no # Network is private # IPv4[0].natfw.isPrivateNet = yes
# ******************************************* # ***** NatFW NSLP Configuration ***** # *******************************************
# This host runs a NAT and a firewall. Exclusive access to iptables is # recommended... How to enable that? natfw.isNAT = yes natfw.isFW = yes
# Hosts inside the private network can reserve external addresses/ports. # As the above configuration shows, 10.0.0.1 is the only external address this # router has to offer: natfw.resources.IPv4.entries = 1 natfw.resources.IPv4[0].addr = 192.168.1.3
NSIS-enabled host behind NAT, trying to access public network:
# ******************************************* # ***** General Configuration ***** # *******************************************
# Start Ping and Diagnostics NSLP daemon together with GIST
nslp.startPing = yes
nslp.startQoS = no
nslp.startNatFw = yes
nslp.startDiag = yes

# Accept explicitly routed messages (default is yes)
gist.acceptExplicitMessages = yes

# Accept GIST DATA messages that do not relate to any GIST state (default is yes)
gist.acceptStatelessGistMessage = yes

# *******************************************
# ***** GIST Transport Configuration *****
# *******************************************

## Policies which transport protocols are offered to peers.
# Offer SCTP as transport to peers?
gist.offerSCTP = no

# Offer TLS over TCP as transport to peers?
gist.offerTLS = no

## Policies
# Prefer SCTP over TCP as transfer protocol?
gist.useSCTP = no

# *******************************************
# ***** GIST Timer Configuration *****
# *******************************************

## All Timeouts are measured in milliseconds

# How long do we wait for a Response to our initial Query?
# On retransmission, this value is doubled each time. (default: 10000 ms)
gist.timeout.waitForInitialResponse = 10000

# How long do we wait for a Confirm on the Receiver-Side? (default: 10000 ms)
gist.timeout.waitForConfirm = 10000

# How long do we wait between sending refreshing Queries? (default: 30000 ms)
gist.timeout.refreshInterval = 30000

# How long do we wait for a Response to a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.queryingNodeStateExpiration = 100000

# How long do we wait for a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.respondingNodeStateExpiration = 100000

# *******************************************
# ***** IP address/routing configuration *****
# *******************************************

# If readRoutingTable is set to yes, all IP address configuration
# used by NSIS is derived from the local IP routing tables and
# interface information.
# NOTE: If readRoutingTable is set to yes, all remaining IP address
# configuration in this file is NOT used by NSIS.
readRoutingTable = no

# CAUTION: The address configuration is like a routing table.

# This example IPv4 configuration contains a default route
# as well as special configuration for two network segments
# (i.e. 192.168.0.0/24 and 192.168.1.0/24)
IPv4.entries = 1

# The first entry is meant as a default route. It is used when
# no subsequent entry matches.
IPv4[0].addr = 192.168.1.1
IPv4[0].net = 0.0.0.0
IPv4[0].mask = 0
IPv4[0].natfw.useAsExternalAddress = yes
# IPv4[0].natfw.isPrivateNet = yes

# *******************************************
# ***** NatFW NSLP Configuration *****
# *******************************************

# Not a NAT nor a firewall.
natfw.isNAT = no
natfw.isFW = no
Nsis_Imp mailing list Nsis_Imp@informatik.uni-goettingen.de https://user.informatik.uni-goettingen.de/mailman/listinfo/nsis_imp
--
Niklas Steinleitner            Tel: +49 551 3913583
Institute for Informatics      steinleitner@cs.uni-goettingen.de
University of Göttingen        http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany
I looked up that GistMAEntry again. It's in GistMAEntry.cpp in this method:
void GistMAEntry::setSock(Socket * sock)
{
    DebugLogger::print(5, "void GistMAEntry::setSock(Socket * sock)\n");
    theSock = sock;
    if (dynamic_cast<TCPTLSSocket*>(sock) != 0) {
        profileLength = 2;
        profile[0] = GIST_STACK_PROTO_TLS;
        profile[1] = GIST_STACK_PROTO_TCP;
    } else if (dynamic_cast<TCPSocket*>(sock) != 0) {
        profileLength = 1;
        profile[0] = GIST_STACK_PROTO_TCP;
    }
#ifdef SCTP_SUPPORT_FOUND
    else if (dynamic_cast<SCTPSocket*>(sock) != 0) {
        profileLength = 1;
        profile[0] = GIST_STACK_PROTO_SCTP;
    }
#endif // SCTP_SUPPORT_FOUND
}
It seems only to be a debug printout, but I wonder what the purpose of that printout is. I bet it is for debugging, but is the bug fixed? Simply put, is there some bug that prevents me from using NSIS to configure the NATFW box?
As stated, what I want is to be able to create a NAT-mapping in a NATFW virtual machine using NSIS, so that the other NSIS-enabled box can accept incoming connection attempts. Basically dynamically mapping opening ports.
Mikael
On Wed, 4 Jul 2007, Niklas Steinleitner wrote:
Please try with a real public address, not with a private one as 10.0.0.0/8 as public. I believe the NAT part does not work with private addresses. Do you still have the "Legacy NAT detected" problem?
Niklas
Mikael Henriksson schrieb:
Got past that problem, now on to the next one. I keep getting odd errors half the time. Can somebody just please explain how to configure the NATFW box as an edge router between the private network 192.168.1.X and the public network 10.0.0.X. This is a virtual network with virtual machines, hence using in truth private LAN topologies and treating them as public Internet. What I want is the NATFW box to act as a proxy between NSIS-enabled private network and NSIS-disabled public network.
Mikael
On Wed, 4 Jul 2007, Mikael Henriksson wrote:
Hello,
It seems that I've got trouble configuring the NSIS NATFWD. The FW part seems to work, but I can't get the NAT part working.
Oddly enough, I get the GistException: Legacy NAT detected. I dug up on the Internet a draft, which implies that the NAT device is not NSIS-enabled, though it very well should be. I figured out that the cause may be that NSIS does not have explicit access to iptables, at least as far as I know. I do not know how to give NSIS explicit access to iptables, other than running nsis as root.
I have however noticed that when having the FWon switched to true, NSIS creates its own chains in the iptables filter table. But the nat table remains untouched, as if NSIS did not have access to it. I've configured the settings as far as I can tell correctly. I'll paste them both below:
NATFW device configuration file:
# *******************************************
# ***** General Configuration *****
# *******************************************

# Start Ping and Diagnostics NSLP daemon together with GIST
nslp.startPing = yes
nslp.startQoS = no
nslp.startNatFw = yes
nslp.startDiag = yes

# Accept explicitly routed messages (default is yes)
gist.acceptExplicitMessages = yes

# Accept GIST DATA messages that do not relate to any GIST state (default is yes)
gist.acceptStatelessGistMessage = yes

# *******************************************
# ***** GIST Transport Configuration *****
# *******************************************

## Policies which transport protocols are offered to peers.
# Offer SCTP as transport to peers?
gist.offerSCTP = no

# Offer TLS over TCP as transport to peers?
gist.offerTLS = no

## Policies
# Prefer SCTP over TCP as transfer protocol?
gist.useSCTP = no

# *******************************************
# ***** GIST Timer Configuration *****
# *******************************************

## All Timeouts are measured in milliseconds

# How long do we wait for a Response to our initial Query?
# On retransmission, this value is doubled each time. (default: 10000 ms)
gist.timeout.waitForInitialResponse = 10000

# How long do we wait for a Confirm on the Receiver-Side? (default: 10000 ms)
gist.timeout.waitForConfirm = 10000

# How long do we wait between sending refreshing Queries? (default: 30000 ms)
gist.timeout.refreshInterval = 30000

# How long do we wait for a Response to a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.queryingNodeStateExpiration = 100000

# How long do we wait for a refreshing Query
# until state is removed? (default: 100000 ms)
gist.timeout.respondingNodeStateExpiration = 100000

# *******************************************
# ***** IP address/routing configuration *****
# *******************************************

# If readRoutingTable is set to yes, all IP address configuration
# used by NSIS is derived from the local IP routing tables and
# interface information.
# NOTE: If readRoutingTable is set to yes, all remaining IP address
# configuration in this file is NOT used by NSIS.
readRoutingTable = no

# CAUTION: The address configuration is like a routing table.

# This example IPv4 configuration contains a default route
# as well as special configuration for two network segments
# (i.e. 192.168.0.0/24 and 192.168.1.0/24)
IPv4.entries = 2

# This is the only route that is secured by NSIS.
# DEFAULT ROUTE NEEDS TO BE FIRST IN LIST!
IPv4[1].addr = 10.0.0.2
IPv4[1].net = 0.0.0.0
IPv4[1].mask = 0
# This address is the external address to the public network.
IPv4[1].natfw.useAsExternalAddress = yes
# Network is public (i.e. the global internet)
# IPv4[1].natfw.isPrivateNet = no

# This is the only route that is secured by NSIS.
IPv4[0].addr = 192.168.1.3
IPv4[0].net = 192.168.1.0
IPv4[0].mask = 24
# This address is not the external address to the public network.
# IPv4[0].natfw.useAsExternalAddress = no
# Network is private
# IPv4[0].natfw.isPrivateNet = yes

# *******************************************
# ***** NatFW NSLP Configuration *****
# *******************************************

# This host runs a NAT and a firewall. Exclusive access to iptables is
# recommended... How to enable that?
natfw.isNAT = yes
natfw.isFW = yes

# Hosts inside the private network can reserve external addresses/ports.
# As the above configuration shows, 10.0.0.1 is the only external address this
# router has to offer:
natfw.resources.IPv4.entries = 1
natfw.resources.IPv4[0].addr = 192.168.1.3
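The three configuration mistakes this thread turns on (a default route that is not the first IPv4 entry, a private 10.0.0.0/8 address offered as the NAT's external address, and a NAT resource address that is not one of the external addresses) can all be caught before the daemon is started. The following lint is an added example, not NSIS-ka code and not code from anyone in the thread. The key names are the ones in the posted configuration files; the semantics it checks are taken from the thread's own comments and from Niklas's advice to use a real public address. Assumptions: '#' starts a comment (as in the posted files), "first in list" means index IPv4[0], "private" means an RFC 1918 address, and the helper names parse_config, indexed_entries and lint_natfw are hypothetical. The sample configurations are constructed from the thread; 203.0.113.2 in the corrected one is a placeholder from the documentation address range, not an address anyone in the thread used.

```python
"""Lint the NatFW NSLP address configuration discussed in this thread.

Added example, not NSIS-ka code.  Checks encode the thread's own advice:
  * the default route (net 0.0.0.0, mask 0) must be IPv4[0]
    (the posted files say "first in list"; index 0 is an assumption);
  * an address offered with natfw.useAsExternalAddress = yes must not be an
    RFC 1918 address, which the thread links to "Legacy NAT detected";
  * natfw.resources.IPv4[i].addr must be one of the external addresses,
    since those are what hosts inside the private network reserve.
"""
import ipaddress
import re

# RFC 1918 private ranges; "private" in Niklas's sense.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the address and NatFW sections of the NATFW device
# configuration as posted, one directive per line.
SAMPLE_CONFIG = """\
readRoutingTable = no
IPv4.entries = 2
# DEFAULT ROUTE NEEDS TO BE FIRST IN LIST!
IPv4[1].addr = 10.0.0.2
IPv4[1].net = 0.0.0.0
IPv4[1].mask = 0
IPv4[1].natfw.useAsExternalAddress = yes
# IPv4[1].natfw.isPrivateNet = no
IPv4[0].addr = 192.168.1.3
IPv4[0].net = 192.168.1.0
IPv4[0].mask = 24
# IPv4[0].natfw.isPrivateNet = yes
natfw.isNAT = yes
natfw.isFW = yes
natfw.resources.IPv4.entries = 1
natfw.resources.IPv4[0].addr = 192.168.1.3
"""

# Constructed corrected version: default route at index 0, and a placeholder
# public address (203.0.113.2, documentation range, not from the thread) used
# both as the external address and as the reservable resource.
CORRECTED_CONFIG = """\
readRoutingTable = no
IPv4.entries = 2
IPv4[0].addr = 203.0.113.2
IPv4[0].net = 0.0.0.0
IPv4[0].mask = 0
IPv4[0].natfw.useAsExternalAddress = yes
IPv4[1].addr = 192.168.1.3
IPv4[1].net = 192.168.1.0
IPv4[1].mask = 24
natfw.isNAT = yes
natfw.isFW = yes
natfw.resources.IPv4.entries = 1
natfw.resources.IPv4[0].addr = 203.0.113.2
"""


def parse_config(text):
    """Return {key: value} for every 'key = value' line; '#' starts a comment
    (assumed convention, matching the posted files)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("line %d: expected 'key = value', got %r" % (lineno, raw))
        conf[key.strip()] = value.strip()
    return conf


def indexed_entries(conf, prefix):
    """Collect '<prefix>[i].<field>' keys into one dict per index, sized by
    '<prefix>.entries'; indices beyond that count are dropped."""
    count = int(conf.get(prefix + ".entries", "0"))
    entries = [{} for _ in range(count)]
    pattern = re.compile(r"^%s\[(\d+)\]\.(.+)$" % re.escape(prefix))
    for key, value in conf.items():
        m = pattern.match(key)
        if m and int(m.group(1)) < count:
            entries[int(m.group(1))][m.group(2)] = value
    return entries


def is_default_route(entry):
    return entry.get("net") == "0.0.0.0" and entry.get("mask") == "0"


def lint_natfw(conf):
    """Return a list of findings (strings); an empty list means no issue."""
    findings = []
    entries = indexed_entries(conf, "IPv4")

    # Check 1: the default route has to be the first entry, IPv4[0].
    for i, entry in enumerate(entries):
        if i != 0 and is_default_route(entry):
            findings.append("default route is IPv4[%d]; it must be IPv4[0]" % i)

    # Check 2: an external address must be a public (non-RFC 1918) address.
    external = set()
    for i, entry in enumerate(entries):
        if entry.get("natfw.useAsExternalAddress", "no").lower() != "yes":
            continue
        addr = entry.get("addr", "")
        if not addr:
            findings.append("IPv4[%d] is external but has no addr" % i)
            continue
        external.add(addr)
        if any(ipaddress.ip_address(addr) in net for net in RFC1918):
            findings.append("IPv4[%d].addr %s is an RFC 1918 address but is offered as external" % (i, addr))

    # Check 3: a NAT needs an external address, and every reservable
    # resource address must be one of them.
    if conf.get("natfw.isNAT", "no").lower() == "yes":
        if not external:
            findings.append("natfw.isNAT = yes but no IPv4 entry has natfw.useAsExternalAddress = yes")
        for i, res in enumerate(indexed_entries(conf, "natfw.resources.IPv4")):
            addr = res.get("addr", "")
            if addr not in external:
                findings.append("natfw.resources.IPv4[%d].addr %s is not an external address (%s)"
                                % (i, addr, ", ".join(sorted(external)) or "none"))
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print("%s:" % name)
        for finding in lint_natfw(parse_config(text)) or ["no findings"]:
            print("  -", finding)
```

Run against the posted device configuration the lint reports all three problems; against the corrected one it reports none. The RFC 1918 test is deliberately narrower than ipaddress's is_private, so that documentation-range placeholders pass while the 10.0.0.0/8 "public" network from the virtual lab is flagged, which is the mismatch Niklas pointed at.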