Date:      Thu, 17 Jan 2002 07:59:04 -0600
From:      jacks@sage-american.com
To:        Sheldon Hearn <sheldonh@starjuice.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: IPv4 tunnelling 
Message-ID:  <3.0.5.32.20020117075904.017908f8@mail.sage-american.com>
In-Reply-To: <22615.1011262127@axl.seasidesoftware.co.za>
References:  <Your message of "Thu, 17 Jan 2002 10:32:41 +0200."> <21074.1011256361@axl.seasidesoftware.co.za>

Sheldon: Have you considered using variables in your firewall rules and letting
the system determine the proper outside interface, i.e.

oip="your outside IP"   # address on the outside interface, used by the rules below

add allow icmp from any to ${oip} icmptypes 0,3,8,11,12,13,14
add allow icmp from ${oip} to any icmptypes 0,3,8,11,12,13,14

At 12:08 PM 1.17.2002 +0200, Sheldon Hearn wrote:
>
>[I've quoted a large portion of my previous message in case someone
> who wants to read this message deleted that one.
>
> If there's anyone who has lots of clue in this area, is too lazy
> to get stuck into this for free, but would help me for money, please
> send me private mail.]
>
>On Thu, 17 Jan 2002 10:32:41 +0200, Sheldon Hearn wrote:
>
>> Toward this goal, I now have the following configuration for testing:
>> 
>> New firewall (public interface 196.31.7.199)
>> 
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>         inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
>>         physical address inet 196.31.7.199 --> 216.123.44.2
>> 
>> Old firewall (public interface 216.123.44.2)
>> 
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>         inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
>>         physical address inet 216.123.44.2 --> 196.31.7.199
>> 
>> I have the following IPFW rules that ensure that I should be able to
>> ping from the old firewall:
>> 
>> add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
>> add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14
>> 
>> Similar rules exist on the new firewall.
>> 
>> The new firewall has the following natd configuration:
>> 
>> -redirect_address 21.0.21.3 196.31.7.202
>> 
>> Also, the new firewall has 196.31.7.202 configured as an inet alias on
>> the public interface.
>> 
>> However, when I use ping to test the tunnel from the old firewall, I get
>> this:
>> 
>> ping -S 216.123.44.2 216.123.44.3
>> PING 216.123.44.3 (216.123.44.3) from 216.123.44.2: 56 data bytes
>> ping: sendto: Permission denied
>> 
>> I'm pretty sure I need to do something more, configuration-wise, to get
>> packets to enter and exit the tunnel correctly.
>
>I'm not sure what I changed, but the ping test works now.  However, I
>can't connect to port 80 on 216.123.44.3.  I set up this IPFW rule to
>forward 216.123.44.3's traffic into the tunnel
>
>fwd 196.31.7.202 ip from any to 216.123.44.3
>
>This relies on the following routing entry, which was created
>automatically when I set up the gif(4) tunnel:
>
>216.123.44.3       196.31.7.202       UH          0       21   gif0 =>
>
>tcpdump on the gif0 interface doesn't show any traffic on it at all
>while I try 'telnet 216.123.44.3 80' from a remote host.
>
>Help! :-)
>
>Ciao,
>Sheldon.
>

Best regards,
Jack L. Stone,
Server Admin

===================================================
Sage-American 
http://www.sage-american.com
jacks@sage-american.com

"My center is giving way, my right is in retreat;
....situation excellent! ....I shall attack!"
===================================================
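A small consistency check for the gif(4) tunnel and ICMP rules quoted in the thread, added here as an example and not part of either message: it parses the two gif0 ifconfig excerpts, confirms the inner and outer endpoints mirror each other, and tests whether the quoted ipfw allow rules would pass the echo request and reply of the `ping -S 216.123.44.2 216.123.44.3` test. The ifconfig and rule text is copied from the thread; the function names are mine.

```python
import ipaddress
import re

# Constructed from the ifconfig output quoted in the thread (inner pair, then outer pair).
NEW_FW = """gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
        physical address inet 196.31.7.199 --> 216.123.44.2"""
OLD_FW = """gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
        physical address inet 216.123.44.2 --> 196.31.7.199"""
# The two ipfw rules Sheldon listed for the old firewall.
OLD_RULES = """add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14"""

PAIR = re.compile(r"inet (\S+) --> (\S+)")
RULE = re.compile(r"add allow icmp from (\S+) to (\S+) icmptypes ([\d,]+)")


def parse_gif(text):
    """Return {'inner': (local, remote), 'outer': (local, remote)} from gif0 ifconfig output."""
    pairs = PAIR.findall(text)
    if len(pairs) != 2:
        raise ValueError("expected an inner and an outer address pair")
    return {"inner": pairs[0], "outer": pairs[1]}


def tunnel_mismatches(a, b):
    """List every way two gif endpoints disagree; an empty list means they mirror each other."""
    problems = []
    for layer in ("inner", "outer"):
        if a[layer][1] != b[layer][0]:
            problems.append(f"{layer}: A points at {a[layer][1]} but B is {b[layer][0]}")
        if b[layer][1] != a[layer][0]:
            problems.append(f"{layer}: B points at {b[layer][1]} but A is {a[layer][0]}")
    return problems


def _match(spec, addr):
    # 'any' matches everything; otherwise treat the spec as a host or CIDR network.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def icmp_allowed(rules, src, dst, icmptype):
    """True if one of the quoted allow rules matches this ICMP packet (first match wins)."""
    for src_spec, dst_spec, types in RULE.findall(rules):
        if _match(src_spec, src) and _match(dst_spec, dst) and icmptype in map(int, types.split(",")):
            return True
    return False
```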

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message