Date:      Mon, 28 Aug 2000 16:04:19 -0600
From:      Wes Peters <wes@softweyr.com>
To:        Buliwyf McGraw <buliwyf@libertad.univalle.edu.co>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipnat and icmp (II)
Message-ID:  <39AAE1E3.65F12E84@softweyr.com>
References:  <Pine.BSF.4.21.0008281208020.560-100000@libertad.univalle.edu.co>

Buliwyf McGraw wrote:
> 
> > >  Question: Can I do masquerade for ICMP packets using ipf/ipnat???
> > >
> > >  For example:
> > >        A                        B
> > >        _                        _
> > >       |_|    Ping Request      |_|
> > >       ---    for hotmail       ---             -->    Internet
> > >       ---        -->           ---
> > >   192.168.1.5                Real IP
> > >                             Using ipf/ipnat
> > >   |_________________________________________|
> > >        My Intranet, where the server B
> > >        do ip masquerade for all the subnet
> > >        192.168.1.0
> >
> > If you mean "does ipf/ipnat translate ICMP packets properly?" the answer is
> > yes.
> 
>   What I want to know is what rule I need to use in Server B, if I want to
>   do a traceroute/ping from 192.168.1.5 to www.hotmail.com. I don't care if
>   the answer to the request comes from server B; what I want is to know if
>   some server on the Internet is alive.
>   Can I do this with ipf/ipnat?
> 
>   I tried something crazy, like:
> 
>   map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
> 
>   Obviously, it doesn't work :/
> 
>   I'm looking for instructions about it, but the examples I saw always
>   talk about NAT for TCP/UDP, never ICMP. Is it possible?

This certainly works on my machine:

	map rl1 192.168.42.0/16 -> rl1/32

portmapping with icmp doesn't make any sense and isn't legal syntax, so don't
do that. To combine the two, use the portmap option first, then the more open
rule:


	map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap tcp/udp 1025:65000
	map ed0 192.168.0.0/16 -> 240.1.0.0/24

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
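The rule ordering in the reply only makes sense if map rules are tried top to bottom with the first match winning: TCP and UDP hit the portmap rule, ICMP falls through to the plain map rule behind it, and if the two were swapped the open rule would swallow everything and the portmap range would never be used. The following is an added toy model of exactly that selection logic, written for this page; it is not IPFilter's code and not Wes's. It assumes the semantics the reply describes (first match wins; `portmap` applies only to TCP and UDP; a plain map keeps the source port or ICMP echo identifier), it rejects `portmap icmp` as invalid the way the reply says ipnat does, and it picks the first host of the pool as the translated address purely for illustration. The rule text comes from the thread; the packets are constructed samples.

```python
"""Toy model of how the two ipnat 'map' rules in the reply are selected.

Added illustration, not IPFilter's own code.  Assumed behaviour, as the reply
describes it: map rules are tried top to bottom and the first matching one is
used; a 'portmap tcp/udp lo:hi' rule applies only to TCP and UDP; a plain map
rule with no portmap applies to every protocol, ICMP included, and carries the
TCP/UDP source port or ICMP echo identifier through unchanged.
The pool address choice (first host of the pool) is a simplification.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MapRule:
    iface: str
    src: ipaddress.IPv4Network
    pool: ipaddress.IPv4Network
    # (protocols, low port, high port) for 'portmap', or None for a plain map
    portmap: Optional[Tuple[FrozenSet[str], int, int]] = None


@dataclass(frozen=True)
class Packet:
    iface: str          # outbound interface
    src: str            # inside (private) source address
    proto: str          # 'tcp', 'udp' or 'icmp'
    port_or_id: int     # TCP/UDP source port, or ICMP echo identifier


def parse_map_rule(line: str) -> MapRule:
    """Parse 'map IF SRC/M -> POOL/M [portmap tcp/udp lo:hi]' (a subset of ipnat syntax)."""
    tok = line.split()
    if len(tok) not in (5, 8) or tok[0] != "map" or tok[3] != "->":
        raise ValueError(f"unsupported rule: {line!r}")
    src = ipaddress.ip_network(tok[2], strict=False)
    pool = ipaddress.ip_network(tok[4], strict=False)
    portmap = None
    if len(tok) == 8:
        if tok[5] != "portmap":
            raise ValueError(f"unsupported rule: {line!r}")
        protos = frozenset(tok[6].split("/"))
        # portmap only means something for protocols that have ports
        if not protos <= {"tcp", "udp"}:
            raise ValueError(f"portmap is only valid for tcp and/or udp: {line!r}")
        lo, hi = (int(p) for p in tok[7].split(":"))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {line!r}")
        portmap = (protos, lo, hi)
    return MapRule(tok[1], src, pool, portmap)


def match_rule(rules: List[MapRule], pkt: Packet) -> Optional[int]:
    """Index of the first rule that matches pkt, or None if no rule applies."""
    for i, r in enumerate(rules):
        if r.iface != pkt.iface:
            continue
        if ipaddress.ip_address(pkt.src) not in r.src:
            continue
        if r.portmap is not None and pkt.proto not in r.portmap[0]:
            continue
        return i
    return None


class Translator:
    """Produces the (rule index, new source address, new port-or-id) for an outbound packet."""

    def __init__(self, rules: List[MapRule]) -> None:
        self.rules = rules
        self._next_port: Dict[int, int] = {}  # rule index -> next unused port in its range

    def translate(self, pkt: Packet) -> Optional[Tuple[int, str, int]]:
        idx = match_rule(self.rules, pkt)
        if idx is None:
            return None  # not translated: would leave with its private source address
        rule = self.rules[idx]
        net = rule.pool
        # Toy pool choice: first host of the pool (a /32 pool is the address itself)
        new_src = str(net.network_address if net.prefixlen == 32 else net.network_address + 1)
        if rule.portmap is None:
            return idx, new_src, pkt.port_or_id  # port or echo id carried through
        _, lo, hi = rule.portmap
        port = self._next_port.get(idx, lo)
        if port > hi:
            raise RuntimeError("portmap range exhausted")
        self._next_port[idx] = port + 1
        return idx, new_src, port


if __name__ == "__main__":
    rules = [
        parse_map_rule("map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap tcp/udp 1025:65000"),
        parse_map_rule("map ed0 192.168.0.0/16 -> 240.1.0.0/24"),
    ]
    t = Translator(rules)
    for p in (Packet("ed0", "192.168.1.5", "tcp", 40000),   # constructed samples
              Packet("ed0", "192.168.1.5", "icmp", 1234)):
        print(p.proto, "->", t.translate(p))
```

With the two rules in the reply's order, a TCP packet from 192.168.1.5 takes rule 0 and gets a port from 1025 upward, while an ICMP echo from the same host takes rule 1 and keeps its identifier. Reverse the two rules and the plain map is index 0, so TCP never reaches the portmap rule. The model rejects the `portmap icmp` line from the question at parse time.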


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



