From owner-freebsd-questions Fri Jul 13 3:35:55 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from osku.suutari.iki.fi (osku.syncrontech.com [213.28.98.4]) by hub.freebsd.org (Postfix) with ESMTP id 6A50337B401; Fri, 13 Jul 2001 03:35:38 -0700 (PDT) (envelope-from ari@suutari.iki.fi)
Received: from coffee (coffee.intranet.syncrontech.com [192.168.5.14]) by osku.suutari.iki.fi (8.11.3/8.9.3) with SMTP id f6DAYwq36333; Fri, 13 Jul 2001 13:34:58 +0300 (EEST) (envelope-from ari@suutari.iki.fi)
Message-ID: <017d01c10b87$b573a4f0$0e05a8c0@coffee>
From: "Ari Suutari"
References: <20010710110934.D1048@in.nextra.sk> <20010712124152.A80584@sunbay.com> <20010713120211.B4366@in.nextra.sk>
Subject: Re: natd and ICMP 3.4 packets
Date: Fri, 13 Jul 2001 13:36:42 +0300
Sender: owner-freebsd-questions@FreeBSD.ORG

Hi,

It doesn't sound good that an IP header with a private IP address gets sent
to the Internet. After all, the 195.168.3.210 host on the Internet knows
nothing about 10.10.1.2...

        Ari S.

----- Original Message -----
From: "Bohuslav Plucinsky"
Sent: Friday, July 13, 2001 1:02 PM
Subject: Re: natd and ICMP 3.4 packets

> Hi Ruslan,
>
> thanks for your response, but I must dispute.
> If 'ip_src' is not aliased, the ICMP packet never reaches the destination
> because the private addresses are mostly filtered. Are you sure it was the aim?
>
> Regards,
>
> Bohus
>
>
> On Thu, Jul 12, 2001 at 12:41:52PM +0300, Ruslan Ermilov wrote:
> > On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> > > Hi there,
> > >
> > > I have a strange problem with natd and ICMP 3.4 (destination unreachable/
> > > fragmentation needed) packets.
> > >
> > > Situation:
> > >
> > > - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
> > >   xl0 interface has public address 195.168.x.x
> > >   xl1 interface is connected to our intranet with private addr 10.10.1.1
> > >   ipfw show:
> > >   00100 0 0 allow ip from any to any via lo0
> > >   ...
> > >   09200 0 0 divert 8668 ip from any to any via xl0
> > >   09300 0 0 allow ip from any to any
> > >
> > >   natd is running with arguments: natd -n xl0
> > >
> > > - behind the FreeBSD box is a Cisco router with a GRE tunnel
> > >
> > >
> > >          195.168.x.x
> > >           xl0 ---------  xl1  10.10.1.0/24 (MTU 1500)
> > >      -------| FreeBSD |------------------------------------------------------....
> > >             ---------                |
> > >             ipfw +NAT                |
> > >                                      |
> > >                                      | 10.10.1.2
> > >                                  ----------
> > >                                  | CISCO 1 |
> > >                                  ----------
> > >                                      ||
> > >                                      ||
> > >                                      ||  GRE tunnel (MTU 1476)
> > >                                      ||
> > >                                      ||
> > >                                      ||
> > >                                  ----------
> > >                                  | CISCO 2 |
> > >                                  ----------
> > >                                      | 10.10.20.0/24              ----
> > >                                      ---------------------------------| PC |
> > >                                                                      ----
> > >                                                                    10.10.20.2
> > >
> > > Problem:
> > >
> > > If Cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
> > > natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
> > > There is tcpdump on the xl1 interface:
> > >
> > > 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
> > >
> > > and on the xl0 interface:
> > >
> > > 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
> > >                 ^^^^^^^^^                         ^^^^^^^^^^^
> > > Is this a bug in natd or did I make some mistake in the configuration?
> > >
> > This is intentional.
> >
> > : RCS file: /home/ncvs/src/lib/libalias/alias.c,v
> > : Working file: alias.c
> > : head: 1.29
> > : branch:
> > : locks: strict
> > : access list:
> > : keyword substitution: kv
> > : total revisions: 41; selected revisions: 1
> > : description:
> > : ----------------------------
> > : revision 1.23
> > : date: 2000/09/01 09:32:44; author: ru; state: Exp; lines: +23 -13
> > : Changed the way we handle outgoing ICMP error messages -- do
> > : not alias `ip_src' unless it comes from the host an original
> > : datagram that triggered this error message was destined for.
> > :
> > : PR: 20712
> > : Reviewed by: brian, Charles Mott
> > : =============================================================================
> >
> > I.e., the original IP datagram that caused this ICMP error message
> > was not destined for CISCO 1. (The original datagram's header should
> > be visible with tcpdump -vv).
> >
> > Please see PR 20712 for details.
> >
> >
> > Cheers,
> > --
> > Ruslan Ermilov          Oracle Developer/DBA,
> > ru@sunbay.com           Sunbay Software AG,
> > ru@FreeBSD.org          FreeBSD committer,
> > +380.652.512.251        Simferopol, Ukraine
> >
> > http://www.FreeBSD.org  The Power To Serve
> > http://www.oracle.com   Enabling The Information Age
> >
> --
> ======================================================================
> Bohus PLUCINSKY                 e-mail: plk@in.nextra.sk
> Network Engineer
>
> N E X T R A
> Plynarenska 1                   tel: +421 7 58 228 111
> 824 71 Bratislava 26            fax: +421 7 58 228 222
> S L O V A K I A                 http://www.nextra.sk
> =======================================================================
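The aliasing rule quoted from the alias.c 1.23 log, as an added example that is neither part of this thread nor libalias code: a byte-level model of an outgoing ICMP 3/4 error, applied to a constructed copy of the error CISCO 1 sends. The packet builders and alias_outgoing_icmp_error are assumptions written for this illustration, and 198.51.100.1 is a constructed stand-in for the elided public address 195.168.x.x.

```python
import ipaddress
import struct

PRIVATE = ipaddress.ip_network("10.0.0.0/8")  # the thread's intranet range
PUBLIC = "198.51.100.1"  # constructed stand-in for xl0's elided 195.168.x.x

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (callers pass even-length buffers)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto,
                      0, ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:] + payload

def icmp_frag_needed(mtu: int, original: bytes) -> bytes:
    """ICMP type 3 code 4 quoting the original header + 8 bytes (RFC 1191)."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + original[:28]
    return body[:2] + struct.pack("!H", csum(body)) + body[4:]

def set_addr(pkt: bytes, offset: int, addr: str) -> bytes:
    """Rewrite src (offset 12) or dst (offset 16) and refresh the header checksum."""
    hdr = pkt[:offset] + ipaddress.ip_address(addr).packed + pkt[offset + 4:20]
    hdr = hdr[:10] + b"\0\0" + hdr[12:]
    return hdr[:10] + struct.pack("!H", csum(hdr)) + hdr[12:] + pkt[20:]

def alias_outgoing_icmp_error(pkt: bytes, public: str = PUBLIC) -> bytes:
    """Rev 1.23 rule: alias the quoted datagram's dst; alias ip_src only if it equals that dst."""
    if pkt[9] != 1 or pkt[20] != 3:  # only ICMP destination-unreachable
        return pkt
    outer_src = ipaddress.ip_address(pkt[12:16])
    icmp, inner = pkt[20:], pkt[28:]
    inner_dst = ipaddress.ip_address(inner[16:20])
    if inner_dst not in PRIVATE:  # nothing to translate
        return pkt
    icmp = icmp[:2] + b"\0\0" + icmp[4:8] + set_addr(inner, 16, public)
    pkt = pkt[:20] + icmp[:2] + struct.pack("!H", csum(icmp)) + icmp[4:]
    if outer_src == inner_dst:  # a router's error (10.10.1.2 here) keeps its private ip_src
        pkt = set_addr(pkt, 12, public)
    return pkt

def tcpdump_line(pkt: bytes) -> str:
    """Summarise like the tcpdump output quoted in the thread."""
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    inner_dst, mtu = ipaddress.ip_address(pkt[44:48]), struct.unpack("!H", pkt[26:28])[0]
    return f"{src} > {dst}: icmp: {inner_dst} unreachable - need to frag (mtu {mtu})"
```

Fed the router-originated error from the thread, it reproduces the xl0 tcpdump line (embedded destination aliased, outer ip_src still 10.10.1.2); only an error sent by 10.10.20.2 itself gets its ip_src rewritten.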