
Re: IP Masquerade and PPP



Steve Lamb wrote:
> 
> On Sat, 23 May 1998 12:44:16 +0530, Bruce Jackson wrote:
> 
> >You mean to tell me that with a simple firewall I will not be able to
> >ping and traceroute.  This does not seem logical to me that a firewall
> >should prevent this.
> 
>     Why doesn't it seem logical?  Without the proper Masquerading modules
> installed such things will not work.  That is common knowledge.  I didn't
> even read any docs on it and I understand why.  You are familiar with what
> IPMasqing does, correct?  Here is a simplified explanation.
> 
> Machine 1       Machine 2 (gateway)        Some-site
> 192.168.0.2----->192.168.0.1
>                  207.131.56.10------------>blah.foobar.com
> 
> 
>     On the way out, machine 1, which is behind the IPMasqing, sends out some
> packet that requires an incoming connection to be formed (FTP, DCC, ICQ
> chat/file requests, ping are some common ones).  Its packet hits machine 2,
> the gateway, and is changed to come from the gateway's IP, 207.131.56.10.
> That heads out to the machine, blah.foobar.com.
> 
> Some-site            Machine 2 (gateway)        Machine 1
> blah.foobar.com----->207.131.56.10              192.168.0.2
>                      192.168.0.1
> 
>     Now, with any protocol which requires an incoming connection to be
> established the outside machine, blah.foobar.com, creates a *NEW* connection
> to the address it received, 207.131.56.10.  However, since that machine has
> no clue what to do with that new connection (remember, there could be
> hundreds of machines behind the IPMasqing machine) it does not forward it on.
>  It does not know *WHERE* to forward it to.
> 
>     The reason IPMasqing works in most cases is because the connection made
> from one machine to the next is the same connection data goes over in both
> directions.  Since the gateway machine made the connection and data comes
> back over that connection it knows where to forward it on to.
> 
>     As I said, ping, FTP, ICQ chat/file requests, DCC all require incoming
> connections independent of the outbound connection.  Most internet games are
> the same way.  You connect to the server, the server opens up a UDP port back to
> the IP it was given.
> 
>     There are modules that can be loaded into IPMasqing, or so I've heard,
> that will allow certain protocols to work.  How they work their magic, I
> don't know.
> 
> >Anyways, I can't surf the net, even using ip addresses.
> 
>     Make sure your ipfwadm rules are loaded and set correctly.  Here are mine
> from my IPMasqing machine:
> 
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
> 
>     I copied them almost verbatim out of the IPMasqing HOWTO.

I have used these exact same rules as well as using info I found on the
Internet using Dejanews and I have tried the dotfile maker.  All with
no success.  If we follow the HOWTO it says that you should try to
connect to the Internet and browse using the ip address 152.2.254.81.
Can't seem to find this address.  This tells me that the firewall is
blocking everything.  I have not seen any modules for ping, or
traceroute.  I have seen modules for quake, raudio, etc.  Maybe I am
missing something, but basic services like ping and traceroute should
not be denied.  These are excellent diagnostic services.  Without them,
it becomes difficult to diagnose.
> 
> --
>              Steve C. Lamb             | Opinions expressed by me are not my
>     http://www.calweb.com/~morpheus    | employer's.  They hired me for my
>              ICQ: 5107343              | skills and labor, not my opinions!
> ---------------------------------------+-------------------------------------

-- 
Bruce Jackson

Linux:  because reboots are for hardware upgrades!!


--
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
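The masquerading behaviour Steve describes above, as a small model in Python: replies to a flow the inside host opened are forwarded back on that flow, while a brand-new connection from the outside to the gateway's public address matches no table entry and is dropped. The model also shows the part Steve says he does not know, what the protocol helper modules do: a helper such as the FTP one reads the control connection, sees the inside host announce a port for the server to connect back to, rewrites that announcement to the public address plus a reserved port, and pre-creates the table entry so the server's new inbound connection has somewhere to go. This is an added example, not code from the thread or from the kernel's masquerading implementation. The addresses are the ones in Steve's diagram; the Packet layout, the port range starting at 61000, the "expectation" mechanism and the spoofing address 203.0.113.9 are assumptions constructed for the model.

```python
"""Toy model of IP masquerading (one-to-many NAT) and of a protocol helper.

Added example for the thread above; constructed for illustration, not the
kernel's ip_masq code.  Addresses follow Steve's diagram, everything else
(port range, Packet layout, expectation table) is an assumption of the model.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

INSIDE_HOST = "192.168.0.2"        # Machine 1 in the diagram
GATEWAY_PUBLIC = "207.131.56.10"   # Machine 2's Internet-facing address
REMOTE = "blah.foobar.com"         # Some-site
FIRST_MASQ_PORT = 61000            # assumed: the model hands out ports from here upward


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# (proto, inside src, inside sport, remote dst, remote dport)
FlowKey = Tuple[str, str, int, str, int]


class MasqGateway:
    def __init__(self) -> None:
        self.by_flow: Dict[FlowKey, int] = {}                 # flow -> masqueraded port
        self.by_masq_port: Dict[Tuple[str, int], FlowKey] = {}  # (proto, masq port) -> flow
        # (proto, remote src, masq port) -> (inside host, inside port); filled by a helper
        self.expected: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self.next_port = FIRST_MASQ_PORT
        self.dropped: List[Packet] = []

    def _register(self, key: FlowKey, port: Optional[int] = None) -> int:
        if port is None:
            port = self.next_port
            self.next_port += 1
        self.by_flow[key] = port
        self.by_masq_port[(key[0], port)] = key
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source to the public address, remember the flow."""
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(key)
        if port is None:
            port = self._register(key)
        return replace(pkt, src=GATEWAY_PUBLIC, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public address: forward only when the table says where; else drop."""
        key = self.by_masq_port.get((pkt.proto, pkt.dport))
        if key is not None:
            _, in_src, in_sport, out_dst, out_dport = key
            # a reply must come from the peer the inside host actually talked to
            if pkt.src == out_dst and pkt.sport == out_dport:
                return replace(pkt, dst=in_src, dport=in_sport)
        target = self.expected.pop((pkt.proto, pkt.src, pkt.dport), None)
        if target is not None:
            in_src, in_sport = target
            # promote the expectation to a normal flow entry for the rest of the connection
            self._register((pkt.proto, in_src, in_sport, pkt.src, pkt.sport), pkt.dport)
            return replace(pkt, dst=in_src, dport=in_sport)
        self.dropped.append(pkt)   # nowhere to forward it: the case Steve describes
        return None

    def expect(self, proto: str, remote: str, inside_host: str, inside_port: int) -> int:
        """What a helper module does after seeing the inside host announce a port
        (e.g. an FTP PORT command): reserve a public port and pre-create the entry.
        Returns the port the helper would write into the rewritten announcement."""
        port = self.next_port
        self.next_port += 1
        self.expected[(proto, remote, port)] = (inside_host, inside_port)
        return port


def demo() -> dict:
    gw = MasqGateway()
    # 1. ordinary web request: the reply rides the same flow back to Machine 1
    out = gw.outbound(Packet("tcp", INSIDE_HOST, 1025, REMOTE, 80))
    reply = gw.inbound(Packet("tcp", REMOTE, 80, GATEWAY_PUBLIC, out.sport))
    # 2. a packet to that masqueraded port from the wrong peer (constructed address)
    spoofed = gw.inbound(Packet("tcp", "203.0.113.9", 80, GATEWAY_PUBLIC, out.sport))
    # 3. the remote side opens a *new* connection to the public address (active FTP
    #    data, DCC, ...): no table entry, so it is dropped
    unsolicited = gw.inbound(Packet("tcp", REMOTE, 20, GATEWAY_PUBLIC, 1026))
    # 4. the same thing after a helper saw the inside host announce port 1026
    data_port = gw.expect("tcp", REMOTE, INSIDE_HOST, 1026)
    helped = gw.inbound(Packet("tcp", REMOTE, 20, GATEWAY_PUBLIC, data_port))
    helped_next = gw.inbound(Packet("tcp", REMOTE, 20, GATEWAY_PUBLIC, data_port))
    helped_reply = gw.outbound(Packet("tcp", INSIDE_HOST, 1026, REMOTE, 20))
    return {"out": out, "reply": reply, "spoofed": spoofed, "unsolicited": unsolicited,
            "data_port": data_port, "helped": helped, "helped_next": helped_next,
            "helped_reply": helped_reply, "dropped": len(gw.dropped)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

Run it and the two dropped packets are exactly the cases the thread is about: a connection the gateway never saw opened, and a packet for a known flow from a peer other than the one the inside host contacted. Real helpers have to parse application data (and rewrite addresses embedded in it), which is why each protocol needs its own module.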

