CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Hide NAT only half working

  1. #1
    Join Date
    2015-06-04
    Posts
    9
    Rep Power
    0

    Default Hide NAT only half working

    Hi guys,

    Have a cluster of 12600s; plenty of existing hide NATs are working just fine, but this scenario seems to be specific to where an IP resides on a connected interface.

    situation is as follows:


    Checkpoint has a DMZ Interface VIP - 10.10.10.1/24 A- .2 B - .3
    Checkpoint has an Internal interface VIP - 10.1.1.1/24 A- .2 B -.3

    behind the Internal interface is a switch with other subnets, which has server 192.168.10.10

    That server does not know about 10.10.10.0/24 but it does know about 10.1.1.0/24, so I am hiding the traffic behind this range.

    If I use a hide nat address that doesn't exist ie 10.1.1.254 I just see arp requests for that address and it doesn't work
    If I use hide nat address of either .1, .2 or .3 I see this in tcpdump:

    10.10.10.5 -> 192.168.10.10
    10.1.1.1 -> 192.168.10.0
    192.168.10.10 -> 10.1.1.1

    You can see the last part of the NAT is missing (10.1.1.1 -> 10.10.10.5); the connection times out even though the server has replied.

    I cannot quite figure it out, I have this issue only when the interface is directly connected to the checkpoint, internal traffic for example can leave the firewall out the external interface and be hidden with no issues.

    Alternatively is there a way I can create a virtual Ip 10.1.1.254 on the firewall? (not sure if that will actually fix it however)

    any ideas?

    thanks!

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    5

    Default Re: Hide NAT only half working

    If the pool IP sits on connected interface you need to setup a proxy arp entry, install policy again and you are done.

  3. #3
    Join Date
    2015-06-04
    Posts
    9
    Rep Power
    0

    Default Re: Hide NAT only half working

    Okay I did just that, added a proxy arp on both clusters for a fake IP address. 10.1.1.251, pushed policy, now I see an arp entry for that IP address (confirmed with fw ctl arp)

    However, the same issue still occurs: the traffic is natted out, but not unnatted to the original IP address, so using a fake IP and using the real interface IP give the exact same results. Traffic goes out, natted; traffic returns but is not passed back to the initiator.

    any ideas?

  4. #4
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,556
    Rep Power
    8

    Default Re: Hide NAT only half working

    Is it getting dropped with anti spoofing by chance?

    fw ctl zdebug drop

    watch for drops from the 192.168.x.x host.

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,556
    Rep Power
    8

    Default Re: Hide NAT only half working

    another thought, are you sure the return traffic is hitting the firewall? tcpdump -nnei $interface_interface host 192.168.10.x

    The "e" option will print the MAC address. Compare to the physical interface of the internal interface on the firewall and the next hop the firewall is pointing to for the 192.168.10.0 network.

  6. #6
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    5

    Default Re: Hide NAT only half working

    Quote Originally Posted by jflemingeds View Post
    another thought, are you sure the return traffic is hitting the firewall? tcpdump -nnei $interface_interface host 192.168.10.x

    The "e" option will print the MAC address. Compare to the physical interface of the internal interface on the firewall and the next hop the firewall is pointing to for the 192.168.10.0 network.
    I would also bet on this idea: traffic not returning to the firewall.

  7. #7
    Join Date
    2015-06-04
    Posts
    9
    Rep Power
    0

    Default Re: Hide NAT only half working

    Hi guys,

    Here are some outputs; they would seem to indicate that the server is indeed responding to the hide NAT address, just 10.10.10.5 never receives it.

    confirmed with tcpdump in one session and fw ctl zdebug drop in another session the traffic is not being dropped/no antispoofing drops

    tcpdump with -e flag:

    16:12:30.870211 In xxxx:cd:70:d2:41 ethertype IPv4 (0x0800), length 92: 10.10.10.5.123 > 192.168.10.10.123: NTPv4, Client, length 48
    16:12:30.871038 Out xxxx:7f:53:83:2a ethertype IPv4 (0x0800), length 92: 10.10.10.5.123 > 192.168.10.10.123: NTPv4, Client, length 48
    16:12:30.873588 In xxxx:6a:a4:d2:42 ethertype IPv4 (0x0800), length 92: 192.168.10.10.123 > 10.1.1.251.40180: NTPv4, Server, length 48


    core switch# sh int Vlanxxx
    Hardware is EtherSVI, address is xxxx.6aa4.d242

    [Expert@firewall:0]# fw ctl arp
    (10.1.1.251) at xxxx-7f-53-83-2a

  8. #8
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    5

    Default Re: Hide NAT only half working

    Quote Originally Posted by Flamer View Post
    Hi guys,

    Here are some outputs; they would seem to indicate that the server is indeed responding to the hide NAT address, just 10.10.10.5 never receives it.

    confirmed with tcpdump in one session and fw ctl zdebug drop in another session the traffic is not being dropped/no antispoofing drops

    tcpdump with -e flag:

    16:12:30.870211 In xxxx:cd:70:d2:41 ethertype IPv4 (0x0800), length 92: 10.10.10.5.123 > 192.168.10.10.123: NTPv4, Client, length 48
    16:12:30.871038 Out xxxx:7f:53:83:2a ethertype IPv4 (0x0800), length 92: 10.10.10.5.123 > 192.168.10.10.123: NTPv4, Client, length 48
    16:12:30.873588 In xxxx:6a:a4:d2:42 ethertype IPv4 (0x0800), length 92: 192.168.10.10.123 > 10.1.1.251.40180: NTPv4, Server, length 48


    core switch# sh int Vlanxxx
    Hardware is EtherSVI, address is xxxx.6aa4.d242

    [Expert@firewall:0]# fw ctl arp
    (10.1.1.251) at xxxx-7f-53-83-2a
    Let's also see

    fw monitor -e "host(10.10.10.5), accept;" -p all

  9. #9
    Join Date
    2015-06-04
    Posts
    9
    Rep Power
    0

    Default Re: Hide NAT only half working

    here you go, to server .10

    [vs_0][fw_6] eth1-04.1095:i0 (tcpt inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i1 (IP Options Strip (in))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i2 (vpn multik forward in)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i3 (vpn decrypt)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i4 (l2tp inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i5 (Stateless verifications (in))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i6 (fw multik misc proto forwarding)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i7 (fw early SIP NAT)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i8 (vpn tagging inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i9 (vpn decrypt verify)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i10 (SecureXL conn sync)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:i11 (fw VM inbound )[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I12 (fw accounting inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I13 (vpn policy inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I14 (SecureXL inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I15 (fw SCV inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I16 (passive streaming (in))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I17 (TCP streaming (in))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I18 (IP Options Restore (in))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I19 (HA Forwarding)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-04.1095:I20 (Chain End)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-010 (IP Options Strip (out))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-011 (vpn multik forward out)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-012 (vpn nat outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-013 (TCP streaming (out))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-014 (passive streaming (out))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-015 (vpn tagging outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-016 (Stateless verifications (out))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-017 (NAC Packet Outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-018 (fw VM outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O9 (vpn policy outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O10 (SecureXL outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O11 (fw record data outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O12 (l2tp outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O13 (vpn encrypt)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O14 (tcpt outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O15 (fw accounting outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O16 (TCP streaming post VM)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O17 (IP Options Restore (out))[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123
    [vs_0][fw_6] eth1-01:O18 (Chain End)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
    UDP: 123 -> 123



    to another server .100:
    [vs_0][fw_9] eth1-04.1095:i0 (tcpt inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i1 (IP Options Strip (in))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i2 (vpn multik forward in)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i3 (vpn decrypt)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i4 (l2tp inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i5 (Stateless verifications (in))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i6 (fw multik misc proto forwarding)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i7 (fw early SIP NAT)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i8 (vpn tagging inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i9 (vpn decrypt verify)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i10 (SecureXL conn sync)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:i11 (fw VM inbound )[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I12 (fw accounting inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I13 (vpn policy inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I14 (SecureXL inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I15 (fw SCV inbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I16 (passive streaming (in))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I17 (TCP streaming (in))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I18 (IP Options Restore (in))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I19 (HA Forwarding)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-04.1095:I20 (Chain End)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-010 (IP Options Strip (out))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-011 (vpn multik forward out)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-012 (vpn nat outbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-013 (TCP streaming (out))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-014 (passive streaming (out))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-015 (vpn tagging outbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-016 (Stateless verifications (out))[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-017 (NAC Packet Outbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-018 (fw VM outbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=20 seq=0
    [vs_0][fw_9] eth1-01:O9 (vpn policy outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O10 (SecureXL outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O11 (fw record data outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O12 (l2tp outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O13 (vpn encrypt)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O14 (tcpt outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O15 (fw accounting outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O16 (TCP streaming post VM)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O17 (IP Options Restore (out))[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
    [vs_0][fw_9] eth1-01:O18 (Chain End)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
    ICMP: type=8 code=0 echo request id=55052 seq=0
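
Added example (not part of the thread and not Check Point code): a small Python parser for the fw monitor output format posted in #9 that reports the chain module at which a packet's addresses first appear rewritten. Run on lines abridged from #9, it shows the UDP packet to 192.168.10.10 reaching Chain End with its original source, while the ICMP packet to 192.168.10.100 carries 10.1.1.254 from "vpn policy outbound" onward; the function names and the grouping by IP id are assumptions of this example.

```python
import re

# One fw monitor header line in the format posted in this thread. The chain
# position token (e.g. "eth1-01:O9") is captured loosely; the module name is used instead.
LINE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\]\s+(?P<pos>\S+)\s+\((?P<module>.+)\)\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<ipid>\d+)"
)

# Sample input: lines abridged from post #9 (not a complete capture).
SAMPLE = """\
[vs_0][fw_6] eth1-04.1095:i0 (tcpt inbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
UDP: 123 -> 123
[vs_0][fw_6] eth1-018 (fw VM outbound)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
UDP: 123 -> 123
[vs_0][fw_6] eth1-01:O18 (Chain End)[76]: 10.10.10.5 -> 192.168.10.10 (UDP) len=76 id=6497
UDP: 123 -> 123
[vs_0][fw_9] eth1-018 (fw VM outbound)[100]: 10.10.10.5 -> 192.168.10.100 (ICMP) len=100 id=200
ICMP: type=8 code=0 echo request id=20 seq=0
[vs_0][fw_9] eth1-01:O9 (vpn policy outbound)[100]: 10.1.1.254 -> 192.168.10.100 (ICMP) len=100 id=200
ICMP: type=8 code=0 echo request id=55052 seq=0
"""

def nat_points(text):
    """Group header lines by (IP id, protocol) and record every address rewrite."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # protocol detail lines ("UDP: 123 -> 123") and blanks
        key = (m["ipid"], m["proto"])  # assumption: IP id is stable across the chain
        cur = (m["src"], m["dst"])
        flow = flows.setdefault(key, {"first": cur, "last": cur, "rewrites": []})
        if cur != flow["last"]:
            flow["rewrites"].append((m["module"].strip(), flow["last"], cur))
            flow["last"] = cur
    return flows

def summarize(flows):
    """One line per rewrite, or one line saying the packet was never rewritten."""
    out = []
    for (ipid, proto), f in flows.items():
        if not f["rewrites"]:
            out.append(f"id={ipid} {proto}: {f['first'][0]} -> {f['first'][1]} never rewritten")
        for module, old, new in f["rewrites"]:
            out.append(f"id={ipid} {proto}: {old[0]} -> {old[1]} becomes {new[0]} -> {new[1]} at '{module}'")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(nat_points(SAMPLE))))
```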
