Date: Thu, 17 Jan 2002 08:11:01 -0600
From: jacks@sage-american.com
To: Sheldon Hearn <sheldonh@starjuice.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: IPv4 tunnelling
Message-ID: <3.0.5.32.20020117081101.017908f8@mail.sage-american.com>
In-Reply-To: <3.0.5.32.20020117075904.017908f8@mail.sage-american.com>
References: <22615.1011262127@axl.seasidesoftware.co.za> <Your message of "Thu, 17 Jan 2002 10:32:41 %2B0200." <21074.1011256361@axl.seasidesoftware.co.za>
Sheesh! Correction: For the variable, obviously I meant:

oip="your os IF"

which can be determined this way:

oip=`ifconfig tun0 | awk '/inet / {print $2}'`

At 07:59 AM 1.17.2002 -0600, jacks@sage-american.com wrote:
>Sheldon: Have you considered using variables in your firewall rules and let
>the system determine the proper outside interface, i.e.
>oif="your os IF"
>
>add allow icmp from any to ${oip} icmptypes 0,3,8,11,12,13,14
>add allow icmp from ${oip} to any icmptypes 0,3,8,11,12,13,14
>
>At 12:08 PM 1.17.2002 +0200, Sheldon Hearn wrote:
>>
>>[I've quoted a large portion of my previous message in case someone
>> who wants to read this message deleted that one.
>>
>> If there's anyone who has lots of clue in this area, is too lazy
>> to get stuck into this for free, but would help me for money, please
>> send me private mail.]
>>
>>On Thu, 17 Jan 2002 10:32:41 +0200, Sheldon Hearn wrote:
>>
>>> Toward this goal, I now have the following configuration for testing:
>>>
>>> New firewall (public interface 196.31.7.199)
>>>
>>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>>         inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
>>>         physical address inet 196.31.7.199 --> 216.123.44.2
>>>
>>> Old firewall (public interface 216.123.44.2)
>>>
>>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>>         inet 196.31.7.202 --> 216.123.44.3 netmask 0xffffffff
>>>         physical address inet 216.123.44.2 --> 196.31.7.199
>>>
>>> I have the following IPFW rules that ensure that I should be able to
>>> ping from the old firewall:
>>>
>>> add allow icmp from any to 216.123.44.2 icmptypes 0,3,8,11,12,13,14
>>> add allow icmp from 216.123.44.0/24 to any icmptypes 0,3,8,11,12,13,14
>>>
>>> Similar rules exist on the new firewall.
>>>
>>> The new firewall has the following natd configuration:
>>>
>>> -redirect_address 21.0.21.3 196.31.7.202
>>>
>>> Also, the new firewall has 196.31.7.202 configured as an inet alias on
>>> the public interface.
>>>
>>> However, when I use ping to test the tunnel from the old firewall, I get
>>> this:
>>>
>>> ping -S 216.123.44.2 216.123.44.3
>>> PING 216.123.44.3 (216.123.44.3) from 216.123.44.2: 56 data bytes
>>> ping: sendto: Permission denied
>>>
>>> I'm pretty sure I need to do something more, configuration-wise, to get
>>> packets to enter and exit the tunnel correctly.
>>
>>I'm not sure what I changed, but the ping test works now. However, I
>>can't connect to port 80 on 216.123.44.3. I set up this IPFW rule to
>>forward 216.123.44.3's traffic into the tunnel
>>
>>fwd 196.31.7.202 ip from any to 216.123.44.3
>>
>>This relies on the following routing entry, which was created
>>automatically when I set up the gif(4) tunnel:
>>
>>216.123.44.3       196.31.7.202       UH          0       21     gif0 =>
>>
>>tcpdump on the gif0 interface doesn't show any traffic on it at all
>>while I try 'telnet 216.123.44.3 80' from a remote host.
>>
>>Help! :-)
>>
>>Ciao,
>>Sheldon.
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-questions" in the body of the message
>>

Best regards,
Jack L. Stone,
Server Admin

===================================================
Sage-American
http://www.sage-american.com
jacks@sage-american.com

"My center is giving way, my right is in retreat;
....situation excellent! ....I shall attack!"
===================================================
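Jack's variable-driven rules, carried one step further as an added example that is not part of the thread: the address is derived from ifconfig output the way he suggests, but the awk pattern keys on the first field, because the plain `/inet /` match also hits the "physical address inet" line of a gif(4) interface as quoted above, and no rule is emitted at all when the address comes out empty. The ifconfig text is a constructed sample modelled on the quoted gif0 listing, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): build the ICMP rules from a derived
# outside address, refusing to emit them if the address is missing, since an
# empty ${oip} would otherwise produce rules with no address in them.

# Constructed sample ifconfig(8) output (assumption, modelled on the thread).
SAMPLE_IFCONFIG='gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        inet 216.123.44.3 --> 196.31.7.202 netmask 0xffffffff
        physical address inet 196.31.7.199 --> 216.123.44.2'

# outside_ip: print the local inet address from the given ifconfig text.
# Only lines whose FIRST field is "inet" count, so the "physical address
# inet ..." line of a gif(4) interface is not mistaken for an address line.
outside_ip() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# icmp_rules: emit the two ipfw rules from the thread for address $1.
# Returns 1 and prints nothing if the address is empty.
icmp_rules() {
    oip=$1
    [ -n "$oip" ] || return 1
    printf 'add allow icmp from any to %s icmptypes 0,3,8,11,12,13,14\n' "$oip"
    printf 'add allow icmp from %s to any icmptypes 0,3,8,11,12,13,14\n' "$oip"
}

# Stand-alone run on the constructed sample; on a live host you would use
# oip=$(outside_ip "$(ifconfig tun0)") instead.
oip=$(outside_ip "$SAMPLE_IFCONFIG")
icmp_rules "$oip" || echo "outside address not found; no rules emitted" >&2
```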