From owner-freebsd-net Fri Jul 13 03:02:03 2001
Date: Fri, 13 Jul 2001 12:02:12 +0200
From: Bohuslav Plucinsky
To: ru@FreeBSD.org
Cc: freebsd-net@FreeBSD.org, freebsd-questions@FreeBSD.org, suutari@iki.fi
Subject: Re: natd and ICMP 3.4 packets
Message-ID: <20010713120211.B4366@in.nextra.sk>
Reply-To: plk@in.nextra.sk
References: <20010710110934.D1048@in.nextra.sk> <20010712124152.A80584@sunbay.com>
In-Reply-To: <20010712124152.A80584@sunbay.com>; from ru@freebsd.org on Thu, Jul 12, 2001 at 12:41:52PM +0300
Organization: NEXTRA, Bratislava, SLOVAKIA

Hi Ruslan,

thanks for your response, but I must dispute. If 'ip_src' is not aliased,
the ICMP packet never reaches the destination because the private addresses
are mostly filtered. Are you sure it was the aim?

Regards,

Bohus

On Thu, Jul 12, 2001 at 12:41:52PM +0300, Ruslan Ermilov wrote:
> On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> > Hi there,
> >
> > I have a strange problem with natd and ICMP 3.4 (destination unreachable/
> > fragmentation needed) packets.
> >
> > Situation:
> >
> > - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
> >   xl0 interface has a public address 195.168.x.x
> >   xl1 interface is connected to our intranet with private addr 10.10.1.1
> >   ipfw show:
> >   00100 0 0 allow ip from any to any via lo0
> >   ...
> >   09200 0 0 divert 8668 ip from any to any via xl0
> >   09300 0 0 allow ip from any to any
> >
> >   natd is running with arguments: natd -n xl0
> >
> > - behind the FreeBSD box is a Cisco router with a GRE tunnel
> >
> >
> >                   195.168.x.x
> >               xl0 ---------  xl1            10.10.1.0/24 (MTU 1500)
> >          --------| FreeBSD |-------------------------------------------....
> >                  ---------                   |
> >                  ipfw +NAT                   |
> >                                              |
> >                                              | 10.10.1.2
> >                                         ----------
> >                                         | CISCO 1 |
> >                                         ----------
> >                                             ||
> >                                             ||
> >                                             ||  GRE tunnel (MTU 1476)
> >                                             ||
> >                                             ||
> >                                             ||
> >                                         ----------
> >                                         | CISCO 2 |
> >                                         ----------
> >                                             |   10.10.20.0/24           ----
> >                                             ----------------------------| PC |
> >                                                                         ----
> >                                                                       10.10.20.2
> >
> > Problem:
> >
> > If the Cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
> > natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
> > This is tcpdump on the xl1 interface:
> >
> > 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
> >
> > and on the xl0 interface:
> >
> > 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
> >                 ^^^^^^^^^                        ^^^^^^^^^^^
> >
> > Is this a bug in natd or did I make some mistake in the configuration?
> >
> This is intentional.
>
> : RCS file: /home/ncvs/src/lib/libalias/alias.c,v
> : Working file: alias.c
> : head: 1.29
> : branch:
> : locks: strict
> : access list:
> : keyword substitution: kv
> : total revisions: 41;	selected revisions: 1
> : description:
> : ----------------------------
> : revision 1.23
> : date: 2000/09/01 09:32:44;  author: ru;  state: Exp;  lines: +23 -13
> : Changed the way we handle outgoing ICMP error messages -- do
> : not alias `ip_src' unless it comes from the host an original
> : datagram that triggered this error message was destined for.
> :
> : PR:		20712
> : Reviewed by:	brian, Charles Mott
> : =============================================================================
>
> I.e., the original IP datagram that caused this ICMP error message
> was not destined for CISCO 1.  (The original datagram's header should
> be visible with tcpdump -vv).
>
> Please see PR 20712 for details.
>
>
> Cheers,
> --
> Ruslan Ermilov		Oracle Developer/DBA,
> ru@sunbay.com		Sunbay Software AG,
> ru@FreeBSD.org		FreeBSD committer,
> +380.652.512.251	Simferopol, Ukraine
>
> http://www.FreeBSD.org	The Power To Serve
> http://www.oracle.com	Enabling The Information Age
>

--
======================================================================
Bohus PLUCINSKY                     e-mail: plk@in.nextra.sk
Network Engineer
N E X T R A
Plynarenska 1                       tel: +421 7 58 228 111
824 71 Bratislava 26                fax: +421 7 58 228 222
S L O V A K I A                     http://www.nextra.sk
=======================================================================
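An added example, not code from libalias, natd or either poster, that models the rule Ruslan quotes from revision 1.23 of alias.c: the IP header quoted inside an outgoing ICMP error is always aliased, but the outer ip_src is rewritten only when the error comes from the host the quoted datagram was destined for. It assumes a single public address (placeholder 195.168.0.1 for the 195.168.x.x of the post), a 10/8 intranet and no port translation; the packets it is fed are constructed from the thread's tcpdump lines.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

PRIVATE = IPv4Network("10.0.0.0/8")   # the intranet behind xl1 (assumed)
PUBLIC = "195.168.0.1"                # placeholder for the xl0 address shown as 195.168.x.x

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 over a header whose checksum is valid."""
    data += b"\0" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                                64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def icmp_frag_needed(src, dst, orig_src, orig_dst, mtu):
    """Constructed ICMP 3.4 sent by src, quoting the datagram orig_src -> orig_dst."""
    quoted = ipv4_header(orig_src, orig_dst, 6, 0) + b"\0" * 8   # IP header + 8 bytes of L4
    icmp = bytearray(struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted)
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    return ipv4_header(src, dst, 1, len(icmp)) + bytes(icmp)

def alias_outgoing_icmp_error(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0xF) * 4
    outer, icmp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if pkt[9] != 1 or icmp[0] not in (3, 11, 12):     # not an ICMP error: outside this model
        return pkt
    inner = icmp[8:]                                   # the quoted IP header (+8 bytes)
    inner_dst = IPv4Address(bytes(inner[16:20]))       # who the original datagram was for
    for off in (12, 16):                               # the quoted datagram is always aliased
        if IPv4Address(bytes(inner[off:off + 4])) in PRIVATE:
            inner[off:off + 4] = IPv4Address(PUBLIC).packed
    inner[10:12] = b"\0\0"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner[:(inner[0] & 0xF) * 4])))
    icmp[8:], icmp[2:4] = inner, b"\0\0"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    # ip_src itself is aliased only when the sender is the host the quoted datagram was for
    if IPv4Address(bytes(outer[12:16])) == inner_dst and inner_dst in PRIVATE:
        outer[12:16], outer[10:12] = IPv4Address(PUBLIC).packed, b"\0\0"
        outer[10:12] = struct.pack("!H", checksum(bytes(outer)))
    return bytes(outer) + bytes(icmp)

def addresses(pkt: bytes):
    """(outer src, quoted src, quoted dst) as dotted strings, the fields tcpdump prints."""
    q = (pkt[0] & 0xF) * 4 + 8
    return tuple(str(IPv4Address(pkt[i:i + 4])) for i in (12, q + 12, q + 16))
```

Feeding it the CISCO 1 packet from the thread (outer src 10.10.1.2, quoted 10.10.20.2 -> 195.168.3.210) reproduces the xl0 capture: the quoted source becomes the public address while ip_src stays 10.10.1.2, which is exactly the packet Bohus expects to be filtered upstream.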