Date: Fri, 24 Aug 2001 13:37:53 -0400
From: John Rasile <jrasile@regionten.org>
To: questions@freebsd.org
Subject: natd IPFW and inside subnets
Message-ID: <20010824133753.A44785@pam.regionten.org>
Hi,

We recently installed 4.2 release. We are running natd and firewall. We can
ping outside IPs with no problem and the same subnet bound to the inside NIC:

%ping pam
PING pam.regionten.org (172.16.1.2): 56 data bytes
64 bytes from 172.16.1.2: icmp_seq=0 ttl=255 time=0.076 ms
64 bytes from 172.16.1.2: icmp_seq=1 ttl=255 time=0.035 ms
64 bytes from 172.16.1.2: icmp_seq=2 ttl=255 time=0.027 ms
^C
--- pam.regionten.org ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.027/0.046/0.076/0.021 ms

However, when we try to ping subnets other than the subnet bound to the inside
IP we get:

pam# ping 172.16.27.202
PING 172.16.27.202 (172.16.27.202): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C

The "Permission denied" leads me to think that it's a firewall issue but I'm not
sure. The ICMP rules I have defined are:

### ICMP RULES pilfered from mostgraveconcern.com
# ICMP packets
# Allow all ICMP packets on internal interface
${fwcmd} add pass icmp from any to any via ${iif}

# Allow outgoing pings
${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

# Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

We have users on WAN links that need to get to the mail server but can't.

Can anyone give me a hint where to look? Please reply to me directly as I am
not yet subscribed to the list.

Thanks
John

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message