Date: Fri, 15 Sep 2000 09:31:34 -0700 (PDT)
From: John F Cuzzola <vdrifter@ocis.ocis.net>
To: freebsd-security@FreeBSD.ORG
Subject: icmp + ipfw divert + natd
Message-ID: <Pine.LNX.4.21.0009150922040.25503-100000@ocis.ocis.net>
Hello Everyone,

On my network I have all packets routed through a FreeBSD box and NATed, even for public computers. For example, I have a webserver with IP 10.0.0.1. A public IP of, say, 100.100.100.1 is given as an alias to the firewall box. Then the following ipfw rules are used:

    10 divert 7500 tcp from any to 100.100.100.1 80
    20 divert 7500 tcp from 10.0.0.1 80 to any established

(port 7500 will have natd listening to do the translation)

I do the same as above with all services (smtp, pop3, ftp, dns, etc.). Things seem to be working quite well.

My question is with icmp. I have a divert line like:

    30 divert 7500 icmp from any to 100.100.100.1 icmptypes 0,3,4,8,11
    40 divert 7500 icmp from 10.0.0.1 to any icmptypes ?????????

My question is rule 40. Which icmp packets should I natd out? I don't care much for "echo reply" but I don't want to break things like MTU Path Discovery.

Any comments would be appreciated.

Thank you
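A completed version of the ruleset from the post, written as an added example (not from the original message) in the form ipfw reads from a rules file (`ipfw /etc/ipfw.rules`, one command per line without the leading `ipfw`). It keeps the post's addresses and divert port and fills in rule 40 with the ICMP types a host normally originates and that other hosts depend on: 0 (echo reply), 3 (destination unreachable, the class that carries "port unreachable" and the "fragmentation needed" message Path MTU Discovery uses) and 11 (time exceeded, which traceroute relies on); the exact set is a suggestion, not something the post states, and type 4 (source quench) is left out of the outbound rule because it is deprecated and rarely seen.

```text
# /etc/ipfw.rules -- added example, not from the original post.
# Load with:  ipfw -q -f flush && ipfw /etc/ipfw.rules
# 100.100.100.1 = public alias on the firewall, 10.0.0.1 = internal web
# server, natd listening on divert port 7500 (all taken from the post).

# TCP: web server, both directions (rules 10 and 20 from the post)
add 10 divert 7500 tcp from any to 100.100.100.1 80
add 20 divert 7500 tcp from 10.0.0.1 80 to any established

# ICMP inbound to the public address (rule 30 from the post):
# 0 echo reply, 3 unreachable (incl. code 4 "fragmentation needed",
# which the server needs for its own Path MTU Discovery), 4 source
# quench, 8 echo request, 11 time exceeded
add 30 divert 7500 icmp from any to 100.100.100.1 icmptypes 0,3,4,8,11

# ICMP outbound from the server (rule 40, the open question in the post).
# Suggested set: 0 echo reply (so the public address answers ping),
# 3 destination unreachable (e.g. port unreachable, so UDP probes and
# the last hop of a traceroute toward the server get an answer),
# 11 time exceeded. Add 8 only if the server itself must ping out.
add 40 divert 7500 icmp from 10.0.0.1 to any icmptypes 0,3,11

# The rest of the ruleset (allow/deny for the other services) follows.
```

natd's alias code rewrites the embedded IP header inside ICMP error messages, so types 3 and 11 translate correctly as long as they are diverted in both directions as above.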