From: Wes Peters
Organization: Softweyr LLC
Date: Mon, 28 Aug 2000 16:04:19 -0600
To: Buliwyf McGraw
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipnat and icmp (II)
Message-ID: <39AAE1E3.65F12E84@softweyr.com>

Buliwyf McGraw wrote:
>
> > > Question: Can I do masquerade for ICMP packets using ipf/ipnat???
> > >
> > > For example:
> > >
> > >           A                                       B
> > >           _                                       _
> > >          |_|   Ping Request                      |_|
> > >          ---   for hotmail                       ---  -->  Internet
> > >          ---   -->                               ---
> > >       192.168.1.5                              Real IP
> > >                                           Using ipf/ipnat
> > >      |_________________________________________|
> > >       My Intranet, where the server B
> > >       do ip masquerade for all the subnet
> > >       192.168.1.0
> >
> > If you mean "does ipf/ipnat translate ICMP packets properly?" the answer is
> > yes.
>
> What I want to know is what rule I need to use in Server B, if I want to
> do a traceroute/ping from 192.168.1.5 to www.hotmail.com. I don't care if
> the answer for the request comes from server B; what I want is to know if
> some server on the Internet is alive.
> Can I do this with ipf/ipnat?
>
> I tried something crazy, like:
>
> map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap icmp 10000:20000
>
> Obviously, it doesn't work :/
>
> I'm looking for instructions about it, but in the examples I saw, they always
> talk about NAT for tcp/udp, never icmp.
> Is it possible?

This certainly works on my machine:

map rl1 192.168.42.0/16 -> rl1/32

Portmapping with icmp doesn't make any sense and isn't legal syntax, so don't
do that. To combine the two, use the portmap option first, then the more open
rule:

map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap tcp/udp 1025:65000
map ed0 192.168.0.0/16 -> 240.1.0.0/24

-- 
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
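As an added illustration of the ordering advice in the reply (this is not ipnat's own code; it assumes what the reply implies, namely that map rules are tried in file order with the first match winning and that a `portmap tcp/udp` rule matches only TCP and UDP), here is a small Python model that parses the two rules above and shows an ICMP packet from 192.168.1.5 falling through the portmap rule to the open one, while the user's `portmap icmp` rule is rejected as illegal syntax:

```python
"""Added example (not ipnat's own code): a model of how ipnat picks a 'map' rule."""
import ipaddress
from typing import Optional

# Assumptions, consistent with the reply above: rules are tried in file order
# and the first match wins; 'portmap tcp/udp' applies only to TCP and UDP,
# so an ICMP packet falls through to the next (more open) rule.
def parse_rule(line: str) -> dict:
    """Parse 'map IFACE SRC -> DST [portmap tcp/udp LO:HI]' into a dict."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "map" or tok[3] != "->":
        raise ValueError(f"unsupported rule: {line!r}")
    protos = None                          # None: rule applies to any protocol
    if len(tok) > 5:
        if tok[5] != "portmap" or len(tok) != 8:
            raise ValueError(f"unsupported option in: {line!r}")
        protos = frozenset(tok[6].split("/"))
        if not protos <= {"tcp", "udp"}:   # 'portmap icmp ...' is illegal syntax
            raise ValueError(f"portmap takes only tcp/udp, got {tok[6]!r}")
    # strict=False accepts host bits in the prefix, as in 192.168.42.0/16
    return {"iface": tok[1], "src": ipaddress.ip_network(tok[2], strict=False),
            "dst": tok[4], "protos": protos, "text": line.strip()}

def is_valid_rule(line: str) -> bool:
    try:
        parse_rule(line)
    except ValueError:
        return False
    return True

def load_rules(conf: str) -> list:
    return [parse_rule(l) for l in conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def select_rule(rules: list, iface: str, proto: str, src_ip: str) -> Optional[str]:
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["iface"] != iface or ip not in r["src"]:
            continue
        if r["protos"] is not None and proto not in r["protos"]:
            continue                       # portmap rule skipped: not TCP/UDP
        return r["text"]                   # first matching rule wins
    return None

# Constructed ipnat.conf, in the order the reply recommends.
CONF = """\
map ed0 192.168.0.0/16 -> 240.1.0.0/24 portmap tcp/udp 1025:65000
map ed0 192.168.0.0/16 -> 240.1.0.0/24
"""
RULES = load_rules(CONF)
```

Reversing the two rules in CONF makes the open rule match TCP as well, so the port range is never applied; that is the reason the portmap rule must come first.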