From: "Massimo S."
Reply-To: ml@ecomstation.it
To: eCS ISP Mailing List
Subject: Re: [eCS-ISP] Injoy rule (portmap internet IP -> lan)
Date: Tue, 24 Dec 2024 09:32:31 +0100

On 15/12/2024 05:36, Steven Levine wrote:
> In , on 12/13/24
>    at 10:45 AM, "Massimo S."
> said:
>
> Hi Massimo,
>
>>> Daytime_in_log
>>>   Rule-Action = Log,
>>>   Comment = "Packet received from 93.204.114.105:13",
>>>   Source = "193.204.114.105",
>>>   Source-port = "13",
>>>   Protocol = UDP,
>>>   Log-Control = Enabled,
>>>   Log-Mask = "date time severity message resolved_source resolved_dest",
>>>   Log-File = "daytime_in.log"
>>>
>>> Daytime_out_log
>>>   Rule-Action = Log,
>>>   Comment = "Packet received from 192.168.1.10:13",
>>>   Source = "192.168.1.10",
>>>   Source-Port = "13",
>>>   Log-Control = Enabled,
>>>   Log-Mask = "date time severity message resolved_source resolved_dest",
>>>   Log-File = "daytime_out.log"
>
>
>>> This will allow you to verify that your daytime client is really talking to the
>>> ports you think it is.
>
>> thanks, but this rule does not produce any log
>
> This confirms what I expected - that your original ruleset did not make
> sense based on my knowledge of daytime servers. Typically, you would not
> be running a daytime server on your system, but rather you would be
> running a daytime client. The client would connect to port 13 on the
> external daytime server.
>
> This might get you some packets traced
>
> Daytime_out_log
>   Rule-Action = Log,
>   Comment = "Packet received from 192.168.1.10:13",
>   Source = "192.168.1.10",
>   Destination-Port = "13",
>   Log-Control = Enabled,
>   Log-Mask = "date time severity message resolved_source resolved_dest",
>   Log-File = "daytime_out.log"

hi,
this doesn't produce any log
but the server has 2 nics
one with the public/wan IP and the 2nd is for internal lan 192.168.x.y

i'm starting to believe that Injoy do anything on the NIC2 since it's bound to the NIC1/WAN

massimo

>>> BTW, what daytime client are you trying to use?
>> i don't recall exactly,
>
> You really ought to get that problem fixed.
>
> but it works perfectly if i use mlink on the VM1
>> VM1 has 2 Nics
>
>> maybe Injoy FW can't do what mlink does?
>
> That's possible, but it still could be your rule set.
>
>>>> This is the mlink rule:
>>>> link daytime 0.0.0.0:13 193.204.114.105:13
>>>> access daytime 192.168.1.10
>
> Having never used mlink, my read of this rule is that any attempt to
> connect via port 13 will be sent to port 13 at 193.204.114.105 as long as
> the attempt originates from an interface bound to 192.168.1.10.
>
> I would not call this port forwarding. It's more like NAT to my way of
> thinking.
>
> Steven
>
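
Steven's reading of the quoted mlink rule, sketched as an added example (not part of the original thread, and not mlink's or InJoy's code): a relay accepts on a local port, checks the source address against an access list, then opens its own connection to the target. It assumes daytime over TCP; the function names, loopback addresses and sample time string are constructed for the demo.

```python
import socket
import threading

def is_allowed(peer_ip, access_list):
    """'access'-style check: only listed source addresses may use the link."""
    return peer_ip in access_list

def relay_once(listener, target, access_list):
    """Serve one client; return (peer_ip, bytes_relayed). Refused peers get 0 bytes."""
    client, (peer_ip, _port) = listener.accept()
    with client:
        if not is_allowed(peer_ip, access_list):
            return peer_ip, 0
        # The relay makes its own outbound connection, so the target (and any
        # filter in between) sees the relay's address, not the LAN client's.
        with socket.create_connection(target, timeout=5) as upstream:
            data = upstream.recv(256)  # daytime: one line, then the server closes
        client.sendall(data)
        return peer_ip, len(data)

def fake_daytime_server():
    """Constructed stand-in for the external daytime server (loopback, random port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"24 DEC 2024 09:32:31 CET\r\n")  # constructed sample reply
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return addr

def demo(access_list):
    """Run one client through the relay; return ((peer_ip, relayed), client_reply)."""
    target = fake_daytime_server()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(r=relay_once(listener, target, access_list)))
    worker.start()
    with socket.create_connection(listener.getsockname(), timeout=5) as c:
        reply = c.recv(256)
    worker.join()
    listener.close()
    return result["r"], reply

if __name__ == "__main__":
    print(demo({"127.0.0.1"}))     # loopback client is on the access list
    print(demo({"192.168.1.10"}))  # loopback client is not on the list
```

Because the relay originates the outbound connection itself, a packet filter on the WAN side sees the relay host as the source rather than 192.168.1.10.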