
Re: IP Masquerade and PPP



On Sat, 23 May 1998 12:44:16 +0530, Bruce Jackson wrote:

>You mean to tell me that with a simple firewall I will not be able to
>ping and traceroute.  This does not seem logical to me that a firewall
>should prevent this.

    Why doesn't it seem logical?  Without the proper Masquerading modules
installed such things will not work.  That is common knowledge.  I didn't
even read any docs on it and I understand why.  You are familiar with what
IPMasqing does, correct?  Here is a simplified explanation.

Machine 1       Machine 2 (gateway)        Some-site
192.168.0.2----->192.168.0.1
                 207.131.56.10------------>blah.foobar.com
                                           

    On the way out, machine 1, which is behind the IPMasqing, sends out some
packet that requires an incoming connection to be formed (FTP, DCC, ICQ
chat/file requests, ping are some common ones).  Its packet hits machine 2,
the gateway, and is changed to come from the gateway's IP, 207.131.56.10.
That heads out to the machine, blah.foobar.com.


Some-site            Machine 2 (gateway)        Machine 1
blah.foobar.com----->207.131.56.10              192.168.0.2
                     192.168.0.1

    Now, with any protocol which requires an incoming connection to be
established the outside machine, blah.foobar.com, creates a *NEW* connection
to the address it received, 207.131.56.10.  However, since that machine has
no clue what to do with that new connection (remember, there could be
hundreds of machines behind the IPMasqing machine) it does not forward it on.
It does not know *WHERE* to forward it to.

    The reason IPMasqing works in most cases is because the connection made
from one machine to the next is the same connection data goes over in both
directions.  Since the gateway machine made the connection and data comes
back over that connection it knows where to forward it on to.

    As I said, ping, FTP, ICQ chat/file requests, DCC all require incoming
connections independent of the outbound connection.  Most internet games are
the same way.  You connect to the server, the server opens up a UDP port back to
the IP it was given.

    There are modules that can be loaded into IPMasqing, or so I've heard,
that will allow certain protocols to work.  How they work their magic, I
don't know. 

>Anyways, I can`t surf the net, even using ip addresses.

    Make sure your ipfwadm rules are loaded and set correctly.  Here are mine
from my IPMasqing machine:

ipfwadm -F -p deny                                 # forwarding chain: default policy is deny
ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0     # masquerade everything from the inside net

    I copied them almost verbatim out of the IPMasqing HOWTO.


-- 
             Steve C. Lamb             | Opinions expressed by me are not my
    http://www.calweb.com/~morpheus    | employer's.  They hired me for my
             ICQ: 5107343              | skills and labor, not my opinions!
---------------------------------------+-------------------------------------
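The following is an added illustration, not part of Steve's message or of the Linux masquerading code: a toy model of the address-translation table the gateway keeps, using the addresses from the diagrams above (192.168.0.2 behind the gateway, 207.131.56.10 on the outside). The remote address 10.99.99.99 stands in for blah.foobar.com and is constructed; the masqueraded port range starting at 61000 is an assumption made for the example. It shows why a reply on an existing connection is forwarded back to machine 1 while a brand-new inbound connection to the gateway address finds no table entry and is dropped.

```python
"""Toy model of IP masquerading: rewrite outbound source addresses and
track connections so replies can be forwarded back to the inside host."""
from dataclasses import dataclass, replace as dc_replace
from typing import Optional

# Addresses taken from the post's diagrams.
INSIDE_HOST = "192.168.0.2"
GATEWAY_OUTSIDE = "207.131.56.10"
# Constructed stand-in for blah.foobar.com (not a real resolved address).
REMOTE_HOST = "10.99.99.99"


@dataclass(frozen=True)
class Packet:
    """Just enough of an IP/TCP/UDP header to demonstrate translation.
    For ICMP echo, sport/dport play the role of the echo identifier."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """The gateway's translation table (assumed layout, not the kernel's)."""

    def __init__(self, outside_ip: str, first_port: int = 61000):
        self.outside_ip = outside_ip
        self.next_port = first_port  # assumed starting point for masq ports
        # (proto, inside ip, inside port, remote ip, remote port) -> masq port
        self.out_table: dict[tuple, int] = {}
        # (proto, masq port, remote ip, remote port) -> (inside ip, inside port)
        self.in_table: dict[tuple, tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Machine 1 -> gateway: rewrite the source to the gateway's outside
        address and remember the mapping so the reply can be matched later."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_table:
            masq_port = self.next_port
            self.next_port += 1
            self.out_table[key] = masq_port
            self.in_table[(pkt.proto, masq_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return dc_replace(pkt, src=self.outside_ip, sport=self.out_table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> gateway: forward only if the packet belongs to a
        connection the gateway itself opened; otherwise there is nowhere
        to send it, which is exactly the case the post describes."""
        entry = self.in_table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # unsolicited connection: no inside host to deliver to
        inside_ip, inside_port = entry
        return dc_replace(pkt, dst=inside_ip, dport=inside_port)


def demo() -> tuple[Packet, Optional[Packet], Optional[Packet]]:
    """Walk through the three cases from the post and return the results."""
    nat = Masquerader(GATEWAY_OUTSIDE)

    # 1. Machine 1 opens a connection to the remote site; the gateway
    #    rewrites the source so the packet appears to come from 207.131.56.10.
    outgoing = nat.outbound(Packet("tcp", INSIDE_HOST, 1025, REMOTE_HOST, 80))

    # 2. The remote site answers on that same connection; the gateway finds
    #    the mapping and forwards the reply back to 192.168.0.2:1025.
    reply = nat.inbound(Packet("tcp", REMOTE_HOST, 80, GATEWAY_OUTSIDE, outgoing.sport))

    # 3. The remote site opens a *new* connection to 207.131.56.10 (FTP data,
    #    DCC, a game's UDP port): no mapping exists, so the packet is dropped.
    unsolicited = nat.inbound(Packet("tcp", REMOTE_HOST, 20, GATEWAY_OUTSIDE, 1026))

    return outgoing, reply, unsolicited


if __name__ == "__main__":
    out, rep, new = demo()
    print("outbound after masquerading:", out)
    print("reply delivered to:", rep)
    print("unsolicited inbound connection:", new)
```

Two inside hosts that happen to use the same local port get different masqueraded ports, which is the whole reason the gateway can tell their replies apart; the protocol helpers the post mentions exist to add table entries for the expected inbound connection before the remote side tries to open it.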


