From owner-freebsd-security Tue Aug 29 19:51:28 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ogyo.pointer-software.com (ogyo.pointer-software.com [210.164.96.147]) by hub.freebsd.org (Postfix) with ESMTP id 61E7E37B43C for ; Tue, 29 Aug 2000 19:51:24 -0700 (PDT)
Received: from long.near.this (long.near.this [10.0.172.9]) by ogyo.pointer-software.com (8.11.0.Beta3/8.11.0.Beta3) with ESMTP id e7U2p1D32186; Wed, 30 Aug 2000 11:51:01 +0900 (JST)
Message-Id: <200008300251.e7U2p1D32186@ogyo.pointer-software.com>
Date: Wed, 30 Aug 2000 11:48:19 +0900
From: horio shoichi
Organization: pointer software
X-Mailer: Mozilla 4.7 [en] (X11; U; Linux 2.0.34 i686)
X-Accept-Language: ja, en
MIME-Version: 1.0
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp (II)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Received: from acm.org (horio@char.near.this [10.0.172.11]) by long.near.this (8.9.3/8.9.3) with ESMTP id LAA56699; Wed, 30 Aug 2000 11:48:25 +0900 (JST)
X-Message-Id: <39AC75F3.450EE9B3@acm.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Buliwyf McGraw wrote:
>
> What I want to know is what rule I need to use in Server B, if I want to
> do a traceroute/ping from 192.168.1.5 to www.hotmail.com. I don't care if
> the answer for the request comes from server B; what I want is to know if
> some server on the Internet is alive.
> Can I do this with ipf/ipnat?
>
> I tried something crazy, like:
>
>     map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
>
> Obviously, it doesn't work :/
>
> I'm looking for instructions about it, but in the examples I saw, they always
> talk about NAT for tcp/udp, never icmp. Is it possible?
Exactly what I encountered the first day of ipnat.

Assuming your tcp/udp rule is:

    map ed0 192.168.0.0/16 -> 210.1.0.0/24 portmap tcp/udp 10000:20000

you need the following line after the rule:

    map ed0 192.168.0.0/16 -> 210.1.0.0/24

The likely reason is that since icmp can't be NATed by the first rule, it must be translated by the other rule.

HTH,
horio shoichi

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
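The advice above is easy to lose when an ipnat.conf grows. The script below is an added example (not from this thread or from IPFilter) that scans an ipnat.conf-style file and reports every "map ... portmap" rule that lacks a plain "map" rule with the same interface, source and destination placed after it, which is the situation in which ICMP is left untranslated; the file path and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: find portmap rules in an
# ipnat.conf that have no plain "map" fallback with the same interface,
# source and destination after them. Without that fallback ICMP, which
# has no ports, never matches and is not translated.
check_ipnat_icmp_fallback() {
    # $1: path to the ipnat.conf-style file to check.
    # Prints one line per problem; exit status 0 means no problem found.
    awk '
        # skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # map rule: map <if> <src> -> <dst> [portmap <proto> <lo:hi>]
        $1 == "map" && $4 == "->" {
            key = $2 " " $3 " " $5
            if (NF >= 6 && $6 == "portmap")
                portmap[key] = NR
            else if (NF == 5)
                plain[key] = NR      # remember the last plain rule seen
        }
        END {
            bad = 0
            for (key in portmap) {
                if (!(key in plain)) {
                    printf "line %d: no plain map rule for \"%s\": ICMP is not translated\n",
                           portmap[key], key
                    bad = 1
                } else if (plain[key] < portmap[key]) {
                    printf "line %d: plain map rule for \"%s\" precedes the portmap rule; put it after\n",
                           plain[key], key
                    bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Stand-alone demonstration on a constructed config (assumed values).
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'map ed0 192.168.0.0/16 -> 210.1.0.0/24 portmap tcp/udp 10000:20000' > "$tmp"
    echo "without fallback:"; check_ipnat_icmp_fallback "$tmp" || true
    printf '%s\n' 'map ed0 192.168.0.0/16 -> 210.1.0.0/24' >> "$tmp"
    echo "with fallback:";    check_ipnat_icmp_fallback "$tmp" && echo "  ok"
    rm -f "$tmp"
}
```

Run `demo` to see the first config flagged and the second accepted.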