Re: IP Masquerade and PPP
Steve Lamb wrote:
> On Sat, 23 May 1998 12:44:16 +0530, Bruce Jackson wrote:
> >You mean to tell me that with a simple firewall I will not be able to
> >ping and traceroute. This does not seem logical to me that a firewall
> >should prevent this.
> Why doesn't it seem logical? Without the proper Masquerading modules
> installed such things will not work. That is common knowledge. I didn't
> even read any docs on it and I understand why. You are familiar with what
> IPMasqing does, correct? Here is a simplified explanation.
> Machine 1 Machine 2 (gateway) Some-site
> On the way out, machine 1, which is behind the IPMasqing, sends out some
> packet that requires an incoming connection to be formed (FTP, DCC, ICQ
> chat/file requests, ping are some common ones). Its packet hits machine 2,
> the gateway, and is changed to come from the gateway's IP, 220.127.116.11.
> That heads out to the machine, blah.foobar.com.
> Some-site Machine 2 (gateway) Machine 1
> blah.foobar.com----->18.104.22.168 192.168.0.2
> Now, with any protocol which requires an incoming connection to be
> established the outside machine, blah.foobar.com, creates a *NEW* connection
> to the address it received, 22.214.171.124. However, since that machine has
> no clue what to do with that new connection (remember, there could be
> hundreds of machines behind the IPMasqing machine) it does not forward it on.
> It does not know *WHERE* to forward it to.
> The reason IPMasqing works in most cases is because the connection made
> from one machine to the next is the same connection data goes over in both
> directions. Since the gateway machine made the connection and data comes
> back over that connection it knows where to forward it on to.
> As I said, ping, FTP, ICQ chat/file requests, DCC all require incoming
> connections independent of the outbound connection. Most internet games are
> the same way. You connect to the server, the server opens up a UDP port back to
> the IP it was given.
> There are modules that can be loaded into IPMasqing, or so I've heard,
> that will allow certain protocols to work. How they work their magic, I
> don't know.
> >Anyways, I can't surf the net, even using ip addresses.
> Make sure your ipfwadm rules are loaded and set correctly. Here are mine
> from my IPMasqing machine:
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
> I copied them almost verbatim out of the IPMasqing HOWTO.
I have used these exact same rules as well as using info I found on the
Internet using Dejanews and I have tried the dotfile maker. All with
no success. If we follow the How-to it says that you should try to
connect to the Internet and browse using the ip address 126.96.36.199.
Can't seem to find this address. This tells me that the firewall is
blocking everything. I have not seen any modules for ping, or
traceroute. I have seen modules for quake, raudio, etc. Maybe I am
missing something, but basic services like ping and traceroute should
not be denied. These are excellent diagnostic services. Without them,
it becomes difficult to diagnose.
> Steve C. Lamb | Opinions expressed by me are not my
> http://www.calweb.com/~morpheus | employer's. They hired me for my
> ICQ: 5107343 | skills and labor, not my opinions!
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com
Linux: because reboots are for hardware upgrades!!
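The mechanism Steve describes above (a reply on a connection the inside machine opened is forwarded back; a brand-new connection arriving from outside is dropped because the gateway has no idea where it belongs) as an added Python model. This is not code from the thread or from the masquerade kernel code; the gateway and remote addresses are constructed documentation-range values, and the port allocation is a simplification.

```python
from dataclasses import dataclass

INTERNAL_HOST = "192.168.0.2"    # machine 1, behind the gateway (address from the thread)
GATEWAY_IP = "203.0.113.1"       # constructed public address for machine 2, the gateway
REMOTE_HOST = "198.51.100.7"     # constructed address standing in for blah.foobar.com


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Toy model of the masquerade table: remembers connections the inside opened."""

    def __init__(self, gateway_ip, first_port=61000):
        self.gateway_ip = gateway_ip
        self.next_port = first_port
        # (remote_ip, remote_port, masq_port) -> (internal_ip, internal_port)
        self.table = {}
        # (internal_ip, internal_port, remote_ip, remote_port) -> masq_port
        self.by_inside = {}

    def outbound(self, pkt):
        """Inside -> Internet: rewrite the source to the gateway and record the mapping."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        masq_port = self.by_inside.get(flow)
        if masq_port is None:
            masq_port, self.next_port = self.next_port, self.next_port + 1
            self.by_inside[flow] = masq_port
            self.table[(pkt.dst, pkt.dport, masq_port)] = (pkt.src, pkt.sport)
        return Packet(self.gateway_ip, masq_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> gateway: forward only if a table entry matches; otherwise drop (None)."""
        inside = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if inside is None:
            return None  # a NEW connection from outside: nothing says where it should go
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def demo():
    gw = Masquerader(GATEWAY_IP)
    out = gw.outbound(Packet(INTERNAL_HOST, 1025, REMOTE_HOST, 80))
    # The reply comes back over the same connection, so the table says where it belongs.
    reply = gw.inbound(Packet(REMOTE_HOST, 80, out.src, out.sport))
    # An unrelated connection from the remote site (FTP-data style) has no entry and is dropped.
    unsolicited = gw.inbound(Packet(REMOTE_HOST, 20, GATEWAY_IP, 1025))
    return out, reply, unsolicited
```

Running `demo()` shows the rewritten outbound packet, the reply forwarded back to 192.168.0.2, and `None` for the unsolicited connection, which is exactly why the protocol-specific masquerade modules exist.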