Date: Thu, 17 Jan 2002 07:59:04 -0600
From: jacks@sage-american.com
To: Sheldon Hearn <sheldonh@starjuice.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: IPv4 tunnelling
Message-ID: <3.0.5.32.20020117075904.017908f8@mail.sage-american.com>
In-Reply-To: <22615.1011262127@axl.seasidesoftware.co.za>
References: <Your message of "Thu, 17 Jan 2002 10:32:41 +0200." <21074.1011256361@axl.seasidesoftware.co.za>
Sheldon:

Have you considered using variables in your firewall rules and let the
system determine the proper outside interface, i.e.

oif="your os IF"

add allow icmp from any to ${oip} icmptypes 0,3,8,11,12,13,14
add allow icmp from ${oip} to any icmptypes 0,3,8,11,12,13,14

At 12:08 PM 1.17.2002 +0200, Sheldon Hearn wrote:
>
>[I've quoted a large portion of my previous message in case someone
> who wants to read this message deleted that one.
>
> If there's anyone who has lots of clue in this area, is too lazy
> to get stuck into this for free, but would help me for money, please
> send me private mail.]
>
>On Thu, 17 Jan 2002 10:32:41 +0200, Sheldon Hearn wrote:
>
>> Toward this goal, I now have the following configuration for testing:
>>
>> New firewall (public interface 196.31.7.199)
>>
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
>> physical address inet 196.31.7.199 --> 216.123.44.2
>>
>> Old firewall (public interface 216.123.44.2)
>>
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
>> physical address inet 216.123.44.2 --> 196.31.7.199
>>
>> I have the following IPFW rules that ensure that I should be able to
>> ping from the old firewall:
>>
>> add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
>> add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14
>>
>> Similar rules exist on the new firewall.
>>
>> The new firewall has the following natd configuration:
>>
>> -redirect_address 21.0.21.3 196.31.7.202
>>
>> Also, the new firewall has 196.31.7.202 configured as an inet alias on
>> the public interface.
>>
>> However, when I use ping to test the tunnel from the old firewall, I get
>> this:
>>
>> ping -S 216.123.44.2 216.123.44.3
>> PING 216.123.44.3 (216.123.44.3) from 216.123.44.2: 56 data bytes
>> ping: sendto: Permission denied
>>
>> I'm pretty sure I need to do something more, configuration-wise, to get
>> packets to enter and exit the tunnel correctly.
>
>I'm not sure what I changed, but the ping test works now. However, I
>can't connect to port 80 on 216.123.44.3. I set up this IPFW rule to
>forward 216.123.44.3's traffic into the tunnel
>
>fwd 196.31.7.202 ip from any to 216.123.44.3
>
>This relies on the following routing entry, which was created
>automatically when I set up the gif(4) tunnel:
>
>216.123.44.3 196.31.7.202 UH 0 21 gif0 =>
>
>tcpdump on the gif0 interface doesn't show any traffic on it at all
>while I try 'telnet 216.123.44.3 80' from a remote host.
>
>Help! :-)
>
>Ciao,
>Sheldon.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>
>

Best regards,
Jack L. Stone,
Server Admin

===================================================
Sage-American
http://www.sage-american.com
jacks@sage-american.com

"My center is giving way, my right is in retreat;
....situation excellent! ....I shall attack!"
===================================================
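Added example, not code from either poster: a small sh script in the spirit of Jack's suggestion, in the style of FreeBSD's rc.firewall. It looks up the outside address from an interface variable with ifconfig(8) and then substitutes it into the two ICMP rules from the thread, but it refuses to emit anything when the lookup comes back empty or malformed, since an unset ${oip} would otherwise hand ipfw a rule that does not parse as intended. The interface name fxp0, the OIF environment override and the helper names (outside_ip, valid_ipv4, icmp_rules, apply_rules) are assumptions; the ICMP type list and addresses are the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: ipfw ICMP rules driven by an
# interface variable, in the spirit of FreeBSD's rc.firewall.
# Interface name "fxp0" and the helper names below are assumptions.

oif="${OIF:-fxp0}"                 # outside interface (placeholder name)
icmp_types="0,3,8,11,12,13,14"     # the ICMP types allowed in the thread

# Look up the first IPv4 address bound to an interface with ifconfig(8).
# Prints nothing if the interface does not exist or has no inet address.
outside_ip() {
    ifconfig "$1" 2>/dev/null | awk '$1 == "inet" { print $2; exit }'
}

# Accept only a dotted quad with each octet in 0..255, so that an empty
# or garbage lookup result never reaches ipfw.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
          exit 0 }'
}

# Emit the two rules Jack sketched, with the outside address substituted.
# Returns non-zero (and prints nothing) when the address is unusable.
icmp_rules() {
    oip="$1"
    valid_ipv4 "$oip" || return 1
    printf 'add allow icmp from any to %s icmptypes %s\n' "$oip" "$icmp_types"
    printf 'add allow icmp from %s to any icmptypes %s\n' "$oip" "$icmp_types"
}

# Load the rules with ipfw when run as root on a host that has it;
# otherwise just print them so the result can be reviewed first.
apply_rules() {
    rules=$(icmp_rules "$1") || { echo "no usable address on $oif" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
        printf '%s\n' "$rules" | while read -r rule; do ipfw -q $rule; done
    else
        printf '%s\n' "$rules"
    fi
}

# Run the whole procedure only when invoked as "script apply", e.g. from rc.
if [ "${1:-}" = "apply" ]; then
    apply_rules "$(outside_ip "$oif")"
fi
```

Without root or ipfw the script only prints the rules it would load, which is a convenient way to check that the variable resolved to the address you expect before the rules go live.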