Date: Tue, 1 Feb 2000 04:01:55 -0500
From: Ben Williams <williamsl@Home.Com>
To: freeBSD questions <freebsd-questions@freebsd.org>
Subject: ipf, ipnat, private networks and traceroute
Message-ID: <2168.000201@Home.Com>
Tuesday, February 01, 2000

I am using a FreeBSD 3.2-RELEASE box as a NAT box to a private 192.168.0.0 network using ipf and ipnat. I finally managed to get the ipf rules to quit blocking all ICMP packets, but ipnat doesn't seem to be properly translating them to the inside boxes (e.g. for a traceroute from the inside) and I'd like some help fixing that up. I miss having a usable traceroute!

My ipnat rules (where AAA.BBB.CCC.DDD is my outside (public) IP address and the 192.168.X.X is an inside IP address) are:

# IPNAT configuration file

# Unfortunately, you cannot use Dialpad.com behind firewall. Our server cannot
# penetrate firewall and send you multimedia packets. To use Dialpad.com
# service behind firewall, try to open
#
# UDP ports 51200, 51201, and TCP port 51210.
# for the 4.2.40.XX, 4.2.41.XX, 4.2.48.XX, 4.2.64.XX, and 4.2.74.XX subnet.
# (nb: this also calls for additional firewall rules)
rdr ex0 AAA.BBB.CCC.DDD/32 port 51200 -> 192.168.X.X port 51200 udp
rdr ex0 AAA.BBB.CCC.DDD/32 port 51201 -> 192.168.X.X port 51201 udp
rdr ex0 AAA.BBB.CCC.DDD/32 port 51210 -> 192.168.X.X port 51210 tcp

# Battle.Net
rdr ex0 AAA.BBB.CCC.DDD/32 port 6112 -> 192.168.X.X port 6112 udp

#Tribes server
rdr ex0 AAA.BBB.CCC.DDD/32 port 28001 -> 192.168.X.X port 28001 tcp/udp

# high port FTPd on the inside since my ISP scans for servers
rdr ex0 AAA.BBB.CCC.DDD/32 port 2001 -> 192.168.X.X port 21

# identd (mirc) for IRC
rdr ex0 AAA.BBB.CCC.DDD/32 port 113 -> 192.168.X.X port 113

# Portmapping
map ex0 192.168.1.0/24 -> AAA.BBB.CCC.DDD/32 portmap tcp/udp 1025:65000

# Whatever can't be portmapped
map ex0 192.168.1.0/24 -> AAA.BBB.CCC.DDD/32

It has been my understanding from reading the ip-filter web pages (http://coombs.anu.edu.au/ipfilter/) that the last line maps ICMP packets, but they don't ever seem to be getting back to the inside box. Buglet or did I do something wrong? (I did search the archives first ... I -thought- I had seen this discussion before but I couldn't turn anything up.)

-- 
Ben mailto:williamsl@Home.Com
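An added check, not part of Ben's mail or of IP Filter itself: the Python below parses the two map rules from the message and reports, for a given inside address and protocol, which rule would translate it on the way out, so hosts on 192.168.0.0/24 and 192.168.1.0/24 can be compared. It assumes ipnat's first-match rule order, that a portmap tcp/udp clause limits that rule to those protocols (so ICMP falls through to the bare rule, as the comment in the config says), and substitutes the documentation address 203.0.113.1 for AAA.BBB.CCC.DDD so the rules parse.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two "map" rules from the post, with the poster's
# AAA.BBB.CCC.DDD placeholder replaced by 203.0.113.1 (RFC 5737) so it parses.
IPNAT_CONF = """\
# Portmapping
map ex0 192.168.1.0/24 -> 203.0.113.1/32 portmap tcp/udp 1025:65000
# Whatever can't be portmapped
map ex0 192.168.1.0/24 -> 203.0.113.1/32
"""


@dataclass
class MapRule:
    ifname: str
    src: ipaddress.IPv4Network
    protos: Optional[frozenset]  # None: no portmap clause, any protocol


def parse_map_rules(text):
    """Parse 'map <if> <net> -> <addr> [portmap <protos> <lo:hi>]' lines; rdr
    lines and comments are ignored (only outbound translation matters here)."""
    rules = []
    for line in text.splitlines():
        tok = line.split("#", 1)[0].split()
        if not tok or tok[0] != "map":
            continue
        protos = None
        if "portmap" in tok:
            # assumption: "tcp/udp" limits this rule to those two protocols
            protos = frozenset(tok[tok.index("portmap") + 1].split("/"))
        rules.append(MapRule(tok[1], ipaddress.ip_network(tok[2]), protos))
    return rules


def first_match(rules, src, proto):
    """Rule that translates an outbound packet from src, assuming ipnat's
    first-match order; None means the packet leaves with its private address."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in rule.src and (rule.protos is None or proto in rule.protos):
            return rule
    return None


def untranslated(rules, hosts, protos=("tcp", "udp", "icmp")):
    """(host, proto) pairs no map rule covers. For icmp that includes the
    time-exceeded replies a traceroute from that host would need to get back."""
    return [(h, p) for h in hosts for p in protos
            if first_match(rules, h, p) is None]
```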