
Re: ipfwadm?



On Wed, 21 Aug 1996 wb2oyc@cyberenet.net wrote:

> Anyone here on the Debian-L know the secrets of using the ipfwadm
> utility to set up masquerading?  I've built a kernel with the proper
> options but I'm concerned about whether I'm really masquerading, or
> just forwarding packets.  How do I prove it?

[stuff deleted]

> So, I ran tcpdump on wb2oyc while doing this.  Sure enough, there I see
> packets sent from the Web host directly to the address of the laptop (!)
> which is assigned the address in the 192.168 reserved space and shouldn't
> ever get thru my ISP's router!  In other words, I was not masquerading for
> its address; I don't think.  Bummer!  Worse, my ISP is not stopping those
> packets.

I doubt that is really what is happening.  Even if you are sending packets
out onto the Internet from the reserved address (i.e. masquerading not
working), a site on the Internet would have no way of knowing how to route
packets back to the reserved address.  My hunch is that masquerading is
indeed working for you and that you're just misinterpreting the output
from tcpdump. The masquerading is perhaps translating to the reserved
address before you are seeing the output from tcpdump so it looks as if it
is really routing directly to the reserved address which is impossible. 

I've seen the behavior you describe though (that it can only access some
of the sites that the firewall machine can access directly).  Some things
that helped fix things for me were:

* Turn on "IP: always defragment" in the kernel configuration if you
  haven't done so.  
* Make the MTU settings the same on all sections of the link.  If you're
  connected to your ISP via PPP/SLIP, and the laptop is connected via
  ethernet, set the MTU of the PPP/SLIP link to 1500 because that's what
  is the default for ethernet.  (You may be able to lower the MTU of the
  ethernet link to what your PPP/SLIP link is too, but I've always done
  it the other way).

Actually, either of the above tips by themselves may fix the problem as I
think they are essentially doing the same thing.

For what it's worth, this is how I set up masquerading on my machine, but
I know there are several ways to do it.  The way you are doing it sounds
like it is working.

  /sbin/ipfwadm -F -a masquerade -S 192.168.100.0/24 -D 0.0.0.0/0

Good luck,

Gerry
gerry@optimed.com
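
One way to approach the "How do I prove it?" question from the thread, as an added example that is not part of the original message: save `tcpdump -n` text output taken on the external (PPP/SLIP) interface and check whether any line still carries an address from the internal 192.168.100.0/24 range used in the ipfwadm rule. The function name, the sample capture lines and the public addresses (198.51.100.7 for the firewall, 203.0.113.10 for the web host) are constructed for illustration.

```python
import ipaddress
import re

# Internal network from the ipfwadm rule in the message above.
INTERNAL_NET = ipaddress.ip_network("192.168.100.0/24")

# "tcpdump -n" text line: <time> [IP] <src>[.<port>] > <dst>[.<port>]: ...
LINE_RE = re.compile(
    r"^\S+\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def check_external_capture(lines, internal_net=INTERNAL_NET):
    """Classify lines captured on the external interface.

    Returns (leaked, translated, skipped): lines that still carry an
    internal address, a count of lines that do not, and a count of
    lines that could not be parsed (ARP, hostnames, truncated text).
    """
    leaked, translated, skipped = [], 0, 0
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        try:
            addrs = [ipaddress.ip_address(m[g]) for g in ("src", "dst")]
        except (TypeError, ValueError):  # no match, or not a valid IPv4 address
            skipped += 1
            continue
        if any(a in internal_net for a in addrs):
            leaked.append(raw.strip())
        else:
            translated += 1
    return leaked, translated, skipped

# Constructed sample: masquerading in effect, only the public address appears.
MASQ_OK = [
    "21:14:03.10 198.51.100.7.61001 > 203.0.113.10.80: S 100:100(0) win 512",
    "21:14:03.35 203.0.113.10.80 > 198.51.100.7.61001: S 900:900(0) ack 101 win 8760",
    "21:14:03.36 IP 198.51.100.7.61001 > 203.0.113.10.80: Flags [.], ack 901, win 512, length 0",
    "21:14:04.00 arp who-has 198.51.100.1 tell 198.51.100.7",
]
# Constructed sample: the laptop's reserved address leaves untranslated.
MASQ_BROKEN = [
    "21:20:11.02 192.168.100.5.1025 > 203.0.113.10.80: S 100:100(0) win 512",
    "21:20:11.40 198.51.100.7 > 203.0.113.10: icmp: echo request",
]

if __name__ == "__main__":
    for name, cap in (("ok", MASQ_OK), ("broken", MASQ_BROKEN)):
        print(name, check_external_capture(cap))
```

The result only means something for a capture taken on the external interface; on the internal ethernet side the laptop's 192.168 address is expected in both directions.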


