From: Alex Povolotsky
To: "Giovanni P. Tirloni"
Cc: freebsd-net@freebsd.org
Subject: Re: GRE and PF problem
Date: Thu, 14 Jul 2005 22:19:25 +0400
Message-ID: <42D6ACAD.3030708@webmail.sub.ru>
In-Reply-To: <42D65FE4.2030801@tirloni.org>
References: <42D536EC.5030500@webmail.sub.ru> <9f9a8c4005071322311907b4b@mail.gmail.com> <42D60832.9090206@webmail.sub.ru> <42D65FE4.2030801@tirloni.org>
List-Id: Networking and TCP/IP with FreeBSD

Giovanni P. Tirloni wrote:
> Alex Povolotsky wrote:
>
>> compunction wrote:
>>
>>> GRE needs to pass bidirectional. You will need a binat to make it
>>> work. I have not found a firewall that will allow GRE to work with a
>>> many-to-one NAT.
>>
>> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
>>
>> The only thing a firewall needs to implement for natting GRE is
>> creation of two rules (forward and back) for a GRE packet, just like it
>> does for ICMP.
>>
>> I'm not a firewall writer, but as far as I understand general
>> procedural programming, it cannot be THAT complicated.
>
> When a packet comes from 1.2.3.4 to your external interface you can't
> determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
> initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have
> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
>
> http://www.networksorcery.com/enp/protocol/gre.htm

Cool. I did not know that ICMP doesn't work through NAT. It always worked for me.

Moreover, as far as I remember, GRE worked with IPFW/NATD, and SOMETIMES it works with pf.

Alex.