From: Pejman Moghadam
To: Cristiano Deana
Cc: pf@benzedrine.cx, freebsd-pf@freebsd.org
Date: Tue, 26 Jul 2005 22:13:20 -0700 (PDT)
Subject: Re: pinging same host on the internet from two different LAN stations
Message-ID: <20050727051320.58848.qmail@web32409.mail.mud.yahoo.com>

Cristiano Deana wrote:
> Paste your pf.conf, it probably contains errors.
> tcpdump -i $external_interface icmp.

This is my pf.conf:

extif="{ ed0 }"
extip="{ (ed0) }"
table { 192.168.1.0/24 }
nat on $extif from to any -> $extip
pass all

On my Windows clients:

on 192.168.1.18:

C:\>echo %os%
Windows_NT

C:\>ping 192.9.9.3

Pinging 192.9.9.3 with 32 bytes of data:

Reply from 192.9.9.3: bytes=32 time=541ms TTL=228
Reply from 192.9.9.3: bytes=32 time=540ms TTL=228
Reply from 192.9.9.3: bytes=32 time=531ms TTL=228
Reply from 192.9.9.3: bytes=32 time=671ms TTL=228

Ping statistics for 192.9.9.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 531ms, Maximum = 671ms, Average = 570ms

on 192.168.1.19:

C:\>echo %os%
Windows_NT

C:\>ping 192.9.9.3

Pinging 192.9.9.3 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.9.9.3:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

On the FreeBSD box that does NAT with PF:

# pfctl -ss
self icmp 192.168.1.18:512 -> 1.2.3.4:512 -> 192.9.9.3:512 0:0

# tcpdump -c 10 -i $external_interface -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ed0, link-type EN10MB (Ethernet), capture size 96 bytes
10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419
10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275
10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275
10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675
10:02:43.921558 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 531
10:02:44.263806 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 531
10:02:44.842665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6931
10:02:44.923035 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 787
10:02:45.262390 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 787
10:02:45.844227 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 7187
10 packets captured
12 packets received by filter
0 packets dropped by kernel

# tcpdump -c 10 -i $internal_interface -nq icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on dc0, link-type EN10MB (Ethernet), capture size 96 bytes
10:00:51.538006 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37394
10:00:51.671439 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43538
10:00:52.199114 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37650
10:00:52.538007 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37650
10:00:52.672876 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 43794
10:00:53.210683 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 37906
10:00:53.554918 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 37906
10:00:53.674441 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 44050
10:00:54.212218 IP 192.168.1.18 > 192.9.9.3: icmp 40: echo request seq 38162
10:00:54.551131 IP 192.9.9.3 > 192.168.1.18: icmp 40: echo reply seq 38162
10 packets captured
26 packets received by filter
0 packets dropped by kernel

--- Cristiano Deana wrote:

> 2005/7/26, Pejman Moghadam :
>
> > Is there any way or any tool that ICMP portmapping allows simultaneous connections to external
> > targets from multiple machines from the LAN?
>
> This is the standard in a normal pf configuration with nat.
> Paste your pf.conf, it probably contains errors.
>
> btw:
> in your firewall:
> tcpdump -i $external_interface icmp.
>
> what does it say?
>
> --
> Cris, member of G.U.F.I
> Italian FreeBSD User Group
> http://www.gufi.org/
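
Added example, not part of the original message: a Python check run over the ed0 capture lines quoted in the message, flagging echo requests that leave the external interface with a LAN source address and counting echo requests that never get a matching reply. The function name `audit` and its `lan` parameter are assumptions of this example; the LAN prefix is the one from the posted pf.conf table.

```python
import ipaddress
import re

# Sample input: the ed0 (external interface) capture lines from the message above.
CAPTURE = """\
10:02:42.839665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6419
10:02:42.909906 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 275
10:02:43.248794 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 275
10:02:43.841123 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6675
10:02:43.921558 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 531
10:02:44.263806 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 531
10:02:44.842665 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 6931
10:02:44.923035 IP 1.2.3.4 > 192.9.9.3: icmp 40: echo request seq 787
10:02:45.262390 IP 192.9.9.3 > 1.2.3.4: icmp 40: echo reply seq 787
10:02:45.844227 IP 192.168.1.19 > 192.9.9.3: icmp 40: echo request seq 7187
"""

LINE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp \d+: "
                  r"echo (?P<kind>request|reply) seq (?P<seq>\d+)$")


def audit(capture, lan="192.168.1.0/24"):
    """Return LAN sources seen untranslated and unanswered requests per source."""
    lan_net = ipaddress.ip_network(lan)  # assumed LAN prefix (pf.conf table)
    pending = set()   # (src, dst, seq) of echo requests still awaiting a reply
    leaked = set()    # LAN addresses seen as source on the external interface
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # skip tcpdump banner and summary lines
        src, dst, seq = m["src"], m["dst"], int(m["seq"])
        if m["kind"] == "request":
            pending.add((src, dst, seq))
            if ipaddress.ip_address(src) in lan_net:
                leaked.add(src)
        else:
            # a reply matches the request with source and destination swapped
            pending.discard((dst, src, seq))
    unanswered = {}
    for src, _dst, _seq in pending:
        unanswered[src] = unanswered.get(src, 0) + 1
    return {"untranslated_sources": sorted(leaked), "unanswered": unanswered}


if __name__ == "__main__":
    print(audit(CAPTURE))
```

Because the capture stops after ten packets, a request at the very end of a sample can be counted as unanswered only because its reply was not captured.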