From owner-freebsd-questions Thu Jan 17 5:59:54 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from sage-american.com (sage-american.com [216.122.141.44]) by hub.freebsd.org (Postfix) with ESMTP id 7B53837B416 for ; Thu, 17 Jan 2002 05:59:46 -0800 (PST)
Received: from SAGEONE (adsl-64-219-20-175.dsl.crchtx.swbell.net [64.219.20.175]) by sage-american.com (8.9.3/8.9.3) with SMTP id HAA13192; Thu, 17 Jan 2002 07:59:12 -0600 (CST)
Message-Id: <3.0.5.32.20020117075904.017908f8@mail.sage-american.com>
X-Sender: jacks@mail.sage-american.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 17 Jan 2002 07:59:04 -0600
To: Sheldon Hearn , freebsd-questions@FreeBSD.ORG
From: jacks@sage-american.com
Subject: Re: IPv4 tunnelling
In-Reply-To: <22615.1011262127@axl.seasidesoftware.co.za>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Sheldon:

Have you considered using variables in your firewall rules and letting the system determine the proper outside interface, i.e.

oif="your os IF"

add allow icmp from any to ${oip} icmptypes 0,3,8,11,12,13,14
add allow icmp from ${oip} to any icmptypes 0,3,8,11,12,13,14

At 12:08 PM 1.17.2002 +0200, Sheldon Hearn wrote:
>
>[I've quoted a large portion of my previous message in case someone
> who wants to read this message deleted that one.
>
> If there's anyone who has lots of clue in this area, is too lazy
> to get stuck into this for free, but would help me for money, please
> send me private mail.]
>
>On Thu, 17 Jan 2002 10:32:41 +0200, Sheldon Hearn wrote:
>
>> Toward this goal, I now have the following configuration for testing:
>>
>> New firewall (public interface 196.31.7.199)
>>
>> gif0: flags=8051 mtu 1280
>>         inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
>>         physical address inet 196.31.7.199 --> 216.123.44.2
>>
>> Old firewall (public interface 216.123.44.2)
>>
>> gif0: flags=8051 mtu 1280
>>         inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
>>         physical address inet 216.123.44.2 --> 196.31.7.199
>>
>> I have the following IPFW rules that ensure that I should be able to
>> ping from the old firewall:
>>
>> add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
>> add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14
>>
>> Similar rules exist on the new firewall.
>>
>> The new firewall has the following natd configuration:
>>
>> -redirect_address 21.0.21.3 196.31.7.202
>>
>> Also, the new firewall has 196.31.7.202 configured as an inet alias on
>> the public interface.
>>
>> However, when I use ping to test the tunnel from the old firewall, I get
>> this:
>>
>> ping -S 216.123.44.2 216.123.44.3
>> PING 216.123.44.3 (216.123.44.3) from 216.123.44.2: 56 data bytes
>> ping: sendto: Permission denied
>>
>> I'm pretty sure I need to do something more, configuration-wise, to get
>> packets to enter and exit the tunnel correctly.
>
>I'm not sure what I changed, but the ping test works now. However, I
>can't connect to port 80 on 216.123.44.3. I set up this IPFW rule to
>forward 216.123.44.3's traffic into the tunnel
>
>fwd 196.31.7.202 ip from any to 216.123.44.3
>
>This relies on the following routing entry, which was created
>automatically when I set up the gif(4) tunnel:
>
>216.123.44.3       196.31.7.202       UH          0       21     gif0 =>
>
>tcpdump on the gif0 interface doesn't show any traffic on it at all
>while I try 'telnet 216.123.44.3 80' from a remote host.
>
>Help! :-)
>
>Ciao,
>Sheldon.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>

Best regards,
Jack L. Stone,
Server Admin
===================================================
Sage-American
http://www.sage-american.com
jacks@sage-american.com
"My center is giving way, my right is in retreat;
....situation excellent! ....I shall attack!"
===================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
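As an added example, not part of the thread and not FreeBSD's own rc.firewall code, here is a POSIX sh script in the spirit of Jack's suggestion: instead of hard-coding the outside address in each ICMP rule, it derives the address from ifconfig-style output for the outside interface and generates the two rules from that variable. The interface name fxp0 and the ifconfig text embedded below are constructed sample values; on a live FreeBSD host the sample text would be replaced by the output of `ifconfig "$oif"`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build ipfw ICMP rules
# from the outside interface's current primary address rather than a
# hard-coded literal, so the rules follow the interface if it is renumbered.
# "fxp0" and SAMPLE_IFCONFIG are constructed sample values.

# Print the first IPv4 address found in ifconfig(8)-style text.
# Only the primary address is used; aliases (later "inet" lines) are skipped,
# and "inet6" lines never match because $1 must equal "inet" exactly.
# Usage: outside_ip "<ifconfig output>"
outside_ip() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Emit the two ICMP rules, parameterised on the outside address,
# with the same icmptypes list used in the thread.
# Usage: icmp_rules <outside-ip>
icmp_rules() {
    oip="$1"
    types="0,3,8,11,12,13,14"
    printf 'add allow icmp from any to %s icmptypes %s\n' "$oip" "$types"
    printf 'add allow icmp from %s to any icmptypes %s\n' "$oip" "$types"
}

# Constructed ifconfig output for a hypothetical outside interface fxp0:
# a primary address plus an alias, mirroring the alias setup in the thread.
SAMPLE_IFCONFIG='fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 196.31.7.199 netmask 0xffffff00 broadcast 196.31.7.255
        inet 196.31.7.202 netmask 0xffffffff broadcast 196.31.7.202
        inet6 fe80::1%fxp0 prefixlen 64 scopeid 0x1
        ether 00:00:00:00:00:00'

# On a real host: oip=$(outside_ip "$(ifconfig "$oif")")
oif="fxp0"
oip=$(outside_ip "$SAMPLE_IFCONFIG")

# The generated rules would be passed to ipfw(8), e.g. piped into "ipfw -q /dev/stdin";
# here they are only printed so the script runs offline.
echo "# outside interface: $oif ($oip)"
icmp_rules "$oip"
```

Keeping the address lookup in one place also means a typo in a single rule cannot silently leave one direction of ICMP open to or from the wrong host, which is the failure mode a hard-coded literal invites.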