Steve Lamb wrote:
>
> On Sat, 23 May 1998 12:44:16 +0530, Bruce Jackson wrote:
>
> >You mean to tell me that with a simple firewall I will not be able to
> >ping and traceroute. This does not seem logical to me that a firewall
> >should prevent this.
>
> Why doesn't it seem logical? Without the proper Masquerading modules
> installed such things will not work. That is common knowledge. I didn't
> even read any docs on it and I understand why. You are familiar with what
> IPMasqing does, correct? Here is a simplified explanation.
>
> Machine 1                Machine 2 (gateway)            Some-site
> 192.168.0.2----->192.168.0.1
>                          207.131.56.10------------>blah.foobar.com
>
> On the way out, machine 1, which is behind the IPMasqing, sends out some
> packet that requires an incoming connection to be formed (FTP, DCC, ICQ
> chat/file requests, ping are some common ones). Its packet hits machine 2,
> the gateway, and is changed to come from the gateway's IP, 207.131.56.10.
> That heads out to the machine, blah.foobar.com.
>
> Some-site                Machine 2 (gateway)            Machine 1
> blah.foobar.com----->207.131.56.10                      192.168.0.2
>                          192.168.0.1
>
> Now, with any protocol which requires an incoming connection to be
> established the outside machine, blah.foobar.com, creates a *NEW* connection
> to the address it received, 207.131.56.10. However, since that machine has
> no clue what to do with that new connection (remember, there could be
> hundreds of machines behind the IPMasqing machine) it does not forward it on.
> It does not know *WHERE* to forward it to.
>
> The reason IPMasqing works in most cases is because the connection made
> from one machine to the next is the same connection data goes over in both
> directions. Since the gateway machine made the connection and data comes
> back over that connection it knows where to forward it on to.
>
> As I said, ping, FTP, ICQ chat/file requests, DCC all require incoming
> connections independent of the outbound connection. Most internet games are
> the same way. You connect to the server, the server opens up a UDP port back to
> the IP it was given.
>
> There are modules that can be loaded into IPMasqing, or so I've heard,
> that will allow certain protocols to work. How they work their magic, I
> don't know.
>
> >Anyways, I can't surf the net, even using ip addresses.
>
> Make sure your ipfwadm rules are loaded and set correctly. Here are mine
> from my IPMasqing machine:
>
> ipfwadm -F -p deny
> ipfwadm -F -a m -S 192.168.0.0/24 -D 0.0.0.0/0
>
> I copied them almost verbatim out of the IPMasqing HOWTO.
I have used these exact same rules as well as using info I found on the Internet using Dejanews and I have tried the dotfile maker. All with no success. If we follow the How-to it says that you should try to connect to the Internet and browse using the ip address 152.2.254.81. Can't seem to find this address. This tells me that the firewall is blocking everything. I have not seen any modules for ping, or traceroute. I have seen modules for quake, raudio, etc. Maybe I am missing something, but basic services like ping and traceroute should not be denied. These are excellent diagnostic services. Without them, it becomes difficult to diagnose.

> --
> Steve C. Lamb                   | Opinions expressed by me are not my
> http://www.calweb.com/~morpheus | employer's. They hired me for my
> ICQ: 5107343                    | skills and labor, not my opinions!
> ---------------------------------------+-------------------------------------
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

--
Bruce Jackson
Linux: because reboots are for hardware upgrades!!
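The forwarding table Steve describes, as an added toy model (not code from either poster or from the IPMasqing HOWTO): the gateway records each outbound flow, forwards replies that match a recorded flow, and drops a fresh inbound connection aimed at its public address because no entry tells it which inside host wants it. The inside and gateway addresses are the ones from the thread; the remote server address and port numbers are constructed.

```python
"""Toy IP masquerading table: why replies get through but new inbound
connections to the gateway do not (constructed example)."""

GATEWAY_PUBLIC = "207.131.56.10"   # gateway address from the thread
INSIDE_HOST = "192.168.0.2"        # machine 1 from the thread
REMOTE_SERVER = "198.51.100.7"     # constructed stand-in for blah.foobar.com


class Masquerader:
    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public source port -> (inside ip, inside port, remote ip, remote port)
        self.table = {}

    def outbound(self, src, sport, dst, dport):
        """Rewrite an inside->outside packet so it comes from the gateway."""
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (src, sport, dst, dport)
        return (self.public_ip, pub_port, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Decide where an outside->gateway packet goes: forward or drop."""
        if dst != self.public_ip:
            return None  # not for us at all
        entry = self.table.get(dport)
        if entry and entry[2] == src and entry[3] == sport:
            inside_ip, inside_port, _, _ = entry
            return ("forward", inside_ip, inside_port)  # reply on a known flow
        return ("drop", None, None)  # no entry: nowhere to forward it


def demo_reply():
    """Reply on the same flow the inside host opened: forwarded."""
    gw = Masquerader(GATEWAY_PUBLIC)
    pub_ip, pub_port, dst, dport = gw.outbound(INSIDE_HOST, 1025, REMOTE_SERVER, 21)
    # the server answers over the reversed flow
    return gw.inbound(dst, dport, pub_ip, pub_port)


def demo_new_connection():
    """Server opens a separate connection back (active FTP data): dropped."""
    gw = Masquerader(GATEWAY_PUBLIC)
    gw.outbound(INSIDE_HOST, 1025, REMOTE_SERVER, 21)
    # port 20 -> 1026 matches no recorded flow, so the gateway cannot route it
    return gw.inbound(REMOTE_SERVER, 20, GATEWAY_PUBLIC, 1026)
```

ICMP echo (ping) has no port numbers at all, which is why a plain port-keyed table like this one cannot match its replies without a protocol-specific helper.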