From owner-freebsd-security Fri Sep 15 9:31:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 61BC137B423 for ; Fri, 15 Sep 2000 09:31:38 -0700 (PDT)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id JAA26800 for ; Fri, 15 Sep 2000 09:31:34 -0700
Date: Fri, 15 Sep 2000 09:31:34 -0700 (PDT)
From: John F Cuzzola
To: freebsd-security@FreeBSD.ORG
Subject: icmp + ipfw divert + natd
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Everyone,

On my network I have all packets routed through a FreeBSD box and NATed, even for public computers. For example, I have a webserver with ip 10.0.0.1. A public ip of say 100.100.100.1 is given as an alias to the firewall box. Then the following ipfw rules are used:

    10 divert 7500 tcp from any to 100.100.100.1 80
    20 divert 7500 tcp from 10.0.0.1 80 to any established

(port 7500 will have natd listening to do the translation)

I do the same as above with all services (smtp, pop3, ftp, dns, etc...). Things seem to be working quite well. My question is with icmp. I have a divert line like:

    30 divert 7500 icmp from any to 100.100.100.1 icmptypes 0,3,4,8,11
    40 divert 7500 icmp from 10.0.0.1 to any icmptypes ?????????

My question is rule 40. Which icmp packets should I natd out? I don't care much for "echo reply" but I don't want to break things like MTU Path Discovery. Any comments would be appreciated.

Thank you
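As an added example (not from the post, and not FreeBSD's own ipfw or natd code), here is a small Python model of ipfw first-match evaluation over the four divert rules quoted above, so that a reader can check which packets would reach natd before touching a live ruleset. The icmptypes set on rule 40 is a constructed placeholder chosen only to make the checks concrete, not an answer to the question, and the outside address 203.0.113.9 is likewise constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional
# First-match model of the divert rules quoted in the post. ipfw's "icmptypes"
# option matches on the ICMP type only, so ICMP codes are not modelled.
@dataclass
class Rule:
    num: int
    proto: str                      # "tcp" or "icmp"
    src: str                        # CIDR or "any"
    dst: str
    dport: Optional[int] = None     # TCP destination port, None = any
    sport: Optional[int] = None     # TCP source port, None = any
    established: bool = False
    icmptypes: FrozenSet[int] = frozenset()   # empty = any ICMP type
@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False       # TCP with ACK or RST set (not a bare SYN)
    icmp_type: Optional[int] = None
def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)
def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto or not (_addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)):
        return False
    if rule.proto == "tcp":
        if rule.dport not in (None, pkt.dport) or rule.sport not in (None, pkt.sport):
            return False
        return pkt.established or not rule.established
    return not rule.icmptypes or pkt.icmp_type in rule.icmptypes
def diverted_by(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Number of the first matching divert rule, or None if natd never sees the packet."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule.num
    return None
RULES = [
    Rule(10, "tcp", "any", "100.100.100.1/32", dport=80),
    Rule(20, "tcp", "10.0.0.1/32", "any", sport=80, established=True),
    Rule(30, "icmp", "any", "100.100.100.1/32", icmptypes=frozenset({0, 3, 4, 8, 11})),
    # Placeholder for the open rule 40 (echo reply, dest. unreachable, time exceeded):
    # edit this set and re-run the checks to see which outbound ICMP reaches natd.
    Rule(40, "icmp", "10.0.0.1/32", "any", icmptypes=frozenset({0, 3, 11})),
]
```

Note that an inbound "fragmentation needed" message (type 3) addressed to 100.100.100.1 is already diverted by rule 30 regardless of what rule 40 says; rule 40 only governs ICMP that 10.0.0.1 itself originates.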