Date:      Tue, 1 Feb 2000 04:01:55 -0500
From:      Ben Williams <williamsl@Home.Com>
To:        freeBSD questions <freebsd-questions@freebsd.org>
Subject:   ipf, ipnat, private networks and traceroute
Message-ID:  <2168.000201@Home.Com>

                                               Tuesday, February 01, 2000
   I am using a FreeBSD 3.2-RELEASE box as a NAT box to a private 192.168.0.0
network using ipf and ipnat. I finally managed to get the ipf rules to quit
blocking all ICMP packets, but ipnat doesn't seem to be properly translating
them to the inside boxes (e.g. for a traceroute from the inside) and I'd like
some help fixing that up. I miss having a usable traceroute! My ipnat rules
(where AAA.BBB.CCC.DDD is my outside (public) IP address and the 192.168.X.X
is an inside IP address) are:

# IPNAT configuration file

# Unfortunately, you cannot use Dialpad.com behind firewall. Our server cannot
# penetrate firewall and send you multimedia packets.  To use Dialpad.com
# service behind firewall, try to open
#
#          UDP ports 51200, 51201, and TCP port 51210.
# for the 4.2.40.XX, 4.2.41.XX, 4.2.48.XX, 4.2.64.XX, and 4.2.74.XX subnet.
# (nb: this also calls for additional firewall rules)
rdr ex0 AAA.BBB.CCC.DDD/32 port 51200 -> 192.168.X.X port 51200 udp
rdr ex0 AAA.BBB.CCC.DDD/32 port 51201 -> 192.168.X.X port 51201 udp
rdr ex0 AAA.BBB.CCC.DDD/32 port 51210 -> 192.168.X.X port 51210 tcp

# Battle.Net
rdr ex0 AAA.BBB.CCC.DDD/32 port 6112 -> 192.168.X.X port 6112 udp

#Tribes server
rdr ex0 AAA.BBB.CCC.DDD/32 port 28001 -> 192.168.X.X port 28001 tcp/udp

# high port FTPd on the inside since my ISP scans for servers
rdr ex0 AAA.BBB.CCC.DDD/32 port 2001 -> 192.168.X.X port 21

# identd (mirc) for IRC
rdr ex0 AAA.BBB.CCC.DDD/32 port 113 -> 192.168.X.X port 113

# Portmapping
map ex0 192.168.1.0/24 -> AAA.BBB.CCC.DDD/32 portmap tcp/udp 1025:65000

# Whatever can't be portmapped
map ex0 192.168.1.0/24 -> AAA.BBB.CCC.DDD/32

   It has been my understanding from reading the ip-filter web pages
(http://coombs.anu.edu.au/ipfilter/) that the last line maps ICMP packets,
but they don't ever seem to be getting back to the inside box. Buglet or did
I do something wrong? (I did search the archives first ... I -thought- I had
seen this discussion before but I couldn't turn anything up.)

--
 Ben                                      mailto:williamsl@Home.Com
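The question above turns on a detail of how NAT and traceroute interact, so here is an added example, written for this page and not taken from the post or from IPFilter/ipnat source. traceroute sends UDP probes with increasing TTL; the router that drops a probe returns an ICMP Time Exceeded addressed to the NAT box's public IP. That error carries no port of its own, so the translator has to look inside the ICMP payload, where the offending IP and UDP headers are quoted with the translated (public) source address and port, find the matching session, and rewrite the quoted headers back before handing the error to the inside host. The code models that state in a toy table, builds the packets by hand, and shows the failure mode the poster describes: an error that matches no session is dropped. All addresses (a 203.0.113.10 stand-in for AAA.BBB.CCC.DDD, RFC 5737 ranges for the router and target) and ports are constructed sample data; the port range mirrors the `portmap tcp/udp 1025:65000` rule.

```python
"""Toy model of what a NAT box must do with the ICMP errors traceroute depends on.
Added illustration only: not ipnat's code, not the poster's configuration.
Addresses/ports are constructed sample data (RFC 5737 documentation ranges)."""
import ipaddress
import struct

PUBLIC_IP = "203.0.113.10"     # assumed public address, standing in for AAA.BBB.CCC.DDD
ICMP_ERROR_TYPES = (3, 11, 12)  # dest unreachable, time exceeded, parameter problem
UDP, TCP = 17, 6


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum shared by IPv4, ICMP and UDP; returns 0 for a valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_ipv4_checksum(hdr: bytes) -> bytes:
    """Recompute the header checksum of an IPv4 header whose fields were rewritten."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[12:]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return fix_ipv4_checksum(hdr) + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """UDP header with checksum 0 (permitted over IPv4), so port rewrites need no fix-up."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_icmp_time_exceeded(offending: bytes) -> bytes:
    """ICMP type 11/code 0 quoting the offending IP header plus the first 8 bytes after it."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", 11, 0, 0, 0) + offending[: ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


class NatTable:
    """Toy stand-in for the state behind 'map ex0 ... portmap tcp/udp 1025:65000'."""

    def __init__(self, public_ip: str, low: int = 1025, high: int = 65000):
        self.public_ip, self.next_port, self.high = public_ip, low, high
        self.outbound = {}  # (inside_ip, inside_port, proto) -> public_port
        self.inbound = {}   # (public_port, proto) -> (inside_ip, inside_port)

    def map_outbound(self, dgram: bytes) -> bytes:
        """Rewrite an inside host's outgoing TCP/UDP datagram to the public IP and a mapped port."""
        ihl, proto, ttl = (dgram[0] & 0x0F) * 4, dgram[9], dgram[8]
        src = str(ipaddress.ip_address(dgram[12:16]))
        dst = str(ipaddress.ip_address(dgram[16:20]))
        sport = struct.unpack("!H", dgram[ihl:ihl + 2])[0]
        key = (src, sport, proto)
        if key not in self.outbound:
            if self.next_port > self.high:
                raise RuntimeError("portmap range exhausted")
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, proto)] = (src, sport)
            self.next_port += 1
        l4 = struct.pack("!H", self.outbound[key]) + dgram[ihl + 2:]
        return build_ipv4(self.public_ip, dst, proto, l4, ttl=ttl)

    def unnat_icmp_error(self, icmp: bytes):
        """Reverse-translate an ICMP error by looking inside its quoted datagram.

        Returns (inside_ip, inside_port, rewritten_icmp), or None when the quoted datagram
        matches no session; that None is exactly the case where traceroute replies vanish.
        """
        itype, code, _csum, rest = struct.unpack("!BBHI", icmp[:8])
        quoted = icmp[8:]
        if itype not in ICMP_ERROR_TYPES or len(quoted) < 28:
            return None
        ihl, proto = (quoted[0] & 0x0F) * 4, quoted[9]
        if str(ipaddress.ip_address(quoted[12:16])) != self.public_ip or proto not in (TCP, UDP):
            return None
        q_sport = struct.unpack("!H", quoted[ihl:ihl + 2])[0]
        session = self.inbound.get((q_sport, proto))
        if session is None:
            return None
        inside_ip, inside_port = session
        # Restore the inside address and original port so the host's stack matches its own probe.
        qhdr = fix_ipv4_checksum(quoted[:12] + ipaddress.ip_address(inside_ip).packed + quoted[16:ihl])
        new_quoted = qhdr + struct.pack("!H", inside_port) + quoted[ihl + 2:]
        body = struct.pack("!BBHI", itype, code, 0, rest) + new_quoted
        return inside_ip, inside_port, body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def traceroute_hop(inside_host="192.168.1.5", probe_sport=33435, target="198.51.100.1"):
    """One traceroute hop as the NAT box sees it: TTL=1 UDP probe out, Time Exceeded back."""
    nat = NatTable(PUBLIC_IP)
    probe = build_ipv4(inside_host, target, UDP, build_udp(probe_sport, 33434), ttl=1)
    translated = nat.map_outbound(probe)
    # The first-hop router drops the probe and quotes what it saw: the translated datagram.
    result = nat.unnat_icmp_error(build_icmp_time_exceeded(translated))
    public_port = struct.unpack("!H", translated[20:22])[0]
    return public_port, result


def stray_error(port=40000):
    """An ICMP error quoting a flow this NAT never created: dropped, not guessed at."""
    nat = NatTable(PUBLIC_IP)
    stray = build_ipv4(PUBLIC_IP, "198.51.100.1", UDP, build_udp(port, 33434))
    return nat.unnat_icmp_error(build_icmp_time_exceeded(stray))


if __name__ == "__main__":
    port, (ip, sport, icmp) = traceroute_hop()
    print(f"probe left as {PUBLIC_IP}:{port}; ICMP error delivered to {ip}:{sport}")
    print("stray error result:", stray_error())
```

The point for anyone debugging a setup like the one above: a plain address-only `map` rule is not enough for traceroute unless the translator also inspects the quoted datagram inside ICMP errors and rewrites both the quoted source address/port and the two checksums. If the session lookup fails, the error has nowhere to go and is dropped on the NAT box, which is what a traceroute with no hop replies looks like from the inside.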

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2168.000201>