Re: IP Masquerade and PPP

Steve Lamb wrote:
> On Sat, 23 May 1998 12:44:16 +0530, Bruce Jackson wrote:
> >You mean to tell me that with a simple firewall I will not be able to
> >ping and traceroute.  This does not seem logical to me that a firewall
> >should prevent this.
>     Why doesn't it seem logical?  Without the proper Masquerading modules
> installed such things will not work.  That is common knowledge.  I didn't
> even read any docs on it and I understand why.  You are familiar with what
> IPMasqing does, correct?  Here is a simplified explanation.
> Machine 1       Machine 2 (gateway)        Some-site
>        >blah.foobar.com
>     On the way out, machine 1, which is behind the IPMasqing, sends out some
> packet that requires an incoming connection to be formed (FTP, DCC, ICQ
> chat/file requests, ping are some common ones).  Its packet hits machine 2,
> the gateway, and is changed to come from the gateway's IP,
> That heads out to the machine, blah.foobar.com.
> Some-site            Machine 2 (gateway)        Machine 1
> blah.foobar.com----->    
>     Now, with any protocol which requires an incoming connection to be
> established the outside machine, blah.foobar.com, creates a *NEW* connection
> to the address it received,  However, since that machine has
> no clue what to do with that new connection (remember, there could be
> hundreds of machines behind the IPMasqing machine) it does not forward it on.
>  It does not know *WHERE* to forward it to.
>     The reason IPMasqing works in most cases is because the connection made
> from one machine to the next is the same connection data goes over in both
> directions.  Since the gateway machine made the connection and data comes
> back over that connection it knows where to forward it on to.
>     As I said, ping, FTP, ICQ chat/file requests, DCC all require incoming
> connections independent of the outbound connection.  Most internet games are
> the same way.  You connect to the server, the server opens up a UDP port back to
> the IP it was given.
>     There are modules that can be loaded into IPMasqing, or so I've heard,
> that will allow certain protocols to work.  How they work their magic, I
> don't know.
> >Anyways, I can't surf the net, even using ip addresses.
>     Make sure your ipfwadm rules are loaded and set correctly.  Here are mine
> from my IPMasqing machine:
> ipfwadm -F -p deny
> ipfwadm -F -a m -S -D
>     I copied them almost verbatim out of the IPMasqing HOWTO.

I have used these exact same rules as well as using info I found on the
Internet using Dejanews and I have tried the dotfile maker.  All with
no success.  If we follow the How-to it says that you should try to
connect to the Internet and browse using the ip address 
Can't seem to find this address.  This tells me that the firewall is
blocking everything.  I have not seen any modules for ping, or
traceroute.  I have seen modules for quake, raudio, etc.  Maybe I am
missing something, but basic services like ping and traceroute should
not be denied.  These are excellent diagnostic services.  Without them,
it becomes difficult to diagnose.
Bruce Jackson

Linux:  because reboots are for hardware upgrades!!
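A toy model of the masquerading behaviour Steve describes above, added here as an illustration (it is not code from either poster or from the IP Masquerade HOWTO): outbound packets are rewritten to the gateway's own address and remembered in a table, a reply on the masqueraded port is mapped back to the inside host, and a brand-new inbound connection matches nothing and is dropped. The class, addresses and ports are constructed for the example; the LAN membership check stands in for the -S side of the masquerade rule under an `ipfwadm -F -p deny` default policy.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp" (for icmp, sport/dport carry the echo id)
    src: str
    sport: int
    dst: str
    dport: int

class MasqGateway:
    """Hypothetical model of a masquerading gateway, not the kernel's code."""
    def __init__(self, public_ip, lan_cidr, first_port=61000):
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan_cidr)   # the -S side of the masq rule
        self.next_port = first_port
        self.table = {}    # (proto, masq_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.dropped = []

    def outbound(self, pkt):
        """LAN -> Internet: forward policy is deny, so only LAN sources are masqueraded."""
        if ipaddress.ip_address(pkt.src) not in self.lan:
            self.dropped.append(pkt)
            return None
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for (proto, mport), entry in self.table.items():
            if proto == pkt.proto and entry == flow:     # existing connection, reuse port
                return replace(pkt, src=self.public_ip, sport=mport)
        mport, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, mport)] = flow
        return replace(pkt, src=self.public_ip, sport=mport)

    def inbound(self, pkt):
        """Internet -> gateway: a reply on a masqueraded port maps back to the inside
        host; a new connection from the remote side matches no entry and is dropped."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
            self.dropped.append(pkt)
            return None
        return replace(pkt, dst=entry[0], dport=entry[1])

def demo():
    # Constructed addresses: 192.168.1.0/24 behind gateway 203.0.113.1.
    gw = MasqGateway("203.0.113.1", "192.168.1.0/24")
    out = gw.outbound(Packet("tcp", "192.168.1.10", 40000, "198.51.100.7", 80))
    reply = gw.inbound(Packet("tcp", "198.51.100.7", 80, out.src, out.sport))
    # The remote site now opens a NEW connection back to the address it saw.
    new = gw.inbound(Packet("tcp", "198.51.100.7", 20, "203.0.113.1", 40000))
    return out, reply, new, gw.dropped
```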

