From owner-freebsd-questions Tue Feb  1 01:02:10 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.rdc2.occa.home.com (ha1.rdc2.occa.home.com [24.2.8.66]) by builder.freebsd.org (Postfix) with ESMTP id 089733D7A for ; Tue, 1 Feb 2000 01:02:08 -0800 (PST)
Received: from [192.168.1.10] ([24.4.115.31]) by mail.rdc2.occa.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000201090156.REOU29771.mail.rdc2.occa.home.com@[24.4.115.31]> for ; Tue, 1 Feb 2000 01:01:56 -0800
Date: Tue, 1 Feb 2000 04:01:55 -0500
From: Ben WIlliams
X-Mailer: The Bat! (v1.34a) UNREG / CD5BF9353B3B7091
Reply-To: Ben WIlliams
X-Priority: 3 (Normal)
Message-ID: <2168.000201@Home.Com>
To: freeBSD questions
Subject: ipf, ipnat, private networks and traceroute
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tuesday, February 01, 2000

I am using a FreeBSD 3.2-RELEASE box as a NAT box to a private 192.168.0.0 network using ipf and ipnat. I finally managed to get the ipf rules to quit blocking all ICMP packets, but ipnat doesn't seem to be properly translating them to the inside boxes (e.g. for a traceroute from the inside) and I'd like some help fixing that up. I miss having a usable traceroute!

My ipnat rules (where AAA.BBB.CCC.DDD is my outside (public) IP address and 192.168.X.X is an inside IP address) are:

# IPNAT configuration file

# Unfortunately, you cannot use Dialpad.com behind firewall. Our server cannot
# penetrate firewall and send you multimedia packets. To use Dialpad.com
# service behind firewall, try to open
#
#   UDP ports 51200, 51201, and TCP port 51210.
#
# for the 4.2.40.XX, 4.2.41.XX, 4.2.48.XX, 4.2.64.XX, and 4.2.74.XX subnet.
# (nb: this also calls for additional firewall rules)
rdr ex0 AAA.BBB.CCC.DDD/32 port 51200 -> 192.168.X.X port 51200 udp
rdr ex0 AAA.BBB.CCC.DDD/32 port 51201 -> 192.168.X.X port 51201 udp
rdr ex0 AAA.BBB.CCC.DDD/32 port 51210 -> 192.168.X.X port 51210 tcp

# Battle.Net
rdr ex0 AAA.BBB.CCC.DDD/32 port 6112 -> 192.168.X.X port 6112 udp

# Tribes server
rdr ex0 AAA.BBB.CCC.DDD/32 port 28001 -> 192.168.X.X port 28001 tcp/udp

# high port FTPd on the inside since my ISP scans for servers
rdr ex0 AAA.BBB.CCC.DDD/32 port 2001 -> 192.168.X.X port 21

# identd (mirc) for IRC
rdr ex0 AAA.BBB.CCC.DDD/32 port 113 -> 192.168.X.X port 113

# Portmapping
map ex0 192.168.1.0/24 -> AAA.BBB.CCC.DDD/32 portmap tcp/udp 1025:65000

# Whatever can't be portmapped
map ex0 192.168.1.0/24 -> AAA.BBB.CCC.DDD/32

It has been my understanding from reading the ip-filter web pages (http://coombs.anu.edu.au/ipfilter/) that the last line maps ICMP packets, but they don't ever seem to be getting back to the inside box. Buglet or did I do something wrong?

(I did search the archives first ... I -thought- I had seen this discussion before but I couldn't turn anything up.)

-- 
Ben
mailto:williamsl@Home.Com
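The rule set above is small enough to read by eye, but the two questions a reviewer actually asks of an ipnat file are "which inside services does this expose to the Internet?" and "which map rule ends up translating a given outbound protocol?". The following Python script is an added example, not code from the original post or from the IPFilter project. It parses rdr/map lines in the ipnat(5) syntax and answers both questions. The semantics it models are assumptions taken from ipnat(5): an rdr rule without a protocol keyword defaults to tcp, rules are tried in file order and the first match wins, and a map rule without portmap applies to any protocol (which is why the poster expects the last line to carry ICMP). The sample input is constructed from the posted rules with the placeholders filled in: AAA.BBB.CCC.DDD becomes 203.0.113.5 (RFC 5737 documentation range) and 192.168.X.X becomes 192.168.1.20.

```python
"""Parse an ipnat(5) rule file; list exposed inside services and find the
map rule that would translate a given outbound protocol.
Added example (not from the post).  Assumed ipnat(5) semantics: rdr with no
protocol keyword means tcp; first matching rule wins; a map rule without
"portmap" matches any protocol, ICMP included."""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample: the posted rules with placeholders filled in
# (AAA.BBB.CCC.DDD -> 203.0.113.5, 192.168.X.X -> 192.168.1.20).
SAMPLE_RULES = """\
# IPNAT configuration file
rdr ex0 203.0.113.5/32 port 51200 -> 192.168.1.20 port 51200 udp
rdr ex0 203.0.113.5/32 port 51201 -> 192.168.1.20 port 51201 udp
rdr ex0 203.0.113.5/32 port 51210 -> 192.168.1.20 port 51210 tcp
rdr ex0 203.0.113.5/32 port 6112 -> 192.168.1.20 port 6112 udp
rdr ex0 203.0.113.5/32 port 28001 -> 192.168.1.20 port 28001 tcp/udp
rdr ex0 203.0.113.5/32 port 2001 -> 192.168.1.20 port 21   # ftpd on a high port
rdr ex0 203.0.113.5/32 port 113 -> 192.168.1.20 port 113
map ex0 192.168.1.0/24 -> 203.0.113.5/32 portmap tcp/udp 1025:65000
map ex0 192.168.1.0/24 -> 203.0.113.5/32
"""

RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)"
                    r"(?:\s+(tcp/udp|tcp|udp))?$")
MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)\s*->\s*(\S+)"
                    r"(?:\s+portmap\s+(tcp/udp|tcp|udp)\s+(\d+):(\d+))?$")


@dataclass(frozen=True)
class Rule:
    kind: str                      # "rdr" (inbound redirect) or "map" (outbound NAT)
    iface: str
    match: ipaddress.IPv4Network   # rdr: external address; map: inside network
    target: ipaddress.IPv4Network  # rdr: inside host;      map: external address
    protos: FrozenSet[str]         # {"tcp"}, {"udp"}, {"tcp", "udp"} or {"any"}
    ext_port: Optional[int] = None             # rdr only
    int_port: Optional[int] = None             # rdr only
    portmap: Optional[Tuple[int, int]] = None  # map with portmap only


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(text, strict=False)


def parse_rules(text: str) -> List[Rule]:
    """Parse rdr/map lines in file order; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RDR_RE.match(line)
        if m:
            iface, ext, eport, inner, iport, proto = m.groups()
            rules.append(Rule("rdr", iface, _net(ext), _net(inner),
                              frozenset((proto or "tcp").split("/")),   # default tcp
                              ext_port=int(eport), int_port=int(iport)))
            continue
        m = MAP_RE.match(line)
        if m:
            iface, inner, ext, proto, lo, hi = m.groups()
            if proto:  # portmap: only the listed protocols are translated by this rule
                rules.append(Rule("map", iface, _net(inner), _net(ext),
                                  frozenset(proto.split("/")), portmap=(int(lo), int(hi))))
            else:      # bare map: any protocol, so ICMP lands here
                rules.append(Rule("map", iface, _net(inner), _net(ext), frozenset({"any"})))
            continue
        raise ValueError(f"line {lineno}: unrecognised ipnat rule: {raw!r}")
    return rules


def exposed_services(rules: List[Rule]) -> List[Tuple[str, int, str, int]]:
    """(proto, external port, inside host, inside port) reachable from the outside."""
    out = []
    for r in rules:
        if r.kind == "rdr":
            for proto in sorted(r.protos):
                out.append((proto, r.ext_port, str(r.target.network_address), r.int_port))
    return sorted(out)


def outbound_rule_for(rules: List[Rule], proto: str, src: str) -> Optional[Rule]:
    """First map rule that translates an outbound packet of `proto` from `src`."""
    host = ipaddress.ip_address(src)
    for r in rules:
        if r.kind == "map" and host in r.match and (proto in r.protos or "any" in r.protos):
            return r
    return None


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("Inside services reachable from the Internet:")
    for proto, eport, host, iport in exposed_services(rules):
        print(f"  {proto:3} {eport:>5} -> {host}:{iport}")
    for proto in ("tcp", "udp", "icmp"):
        r = outbound_rule_for(rules, proto, "192.168.1.20")
        how = "no map rule" if r is None else ("portmap %s" % (r.portmap,) if r.portmap else "bare map (any protocol)")
        print(f"outbound {proto:4}: {how}")
```

To run it against a live box, replace SAMPLE_RULES with the contents of the ipnat rules file. The exposure listing is the part worth keeping in a review: it makes plain that the identd redirect and the "hidden" FTP daemon on port 2001 are still open services on the inside host, whatever port they answer on, and it shows that only the bare map rule can carry ICMP, since the portmap rule is limited to tcp/udp.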