Hi Ruslan,

Thanks for your response, but I must dispute this.
If 'ip_src' is not aliased, the ICMP packet never reaches the destination,
because private addresses are mostly filtered. Are you sure that was the aim?

Regards,

Bohus




On Thu, Jul 12, 2001 at 12:41:52PM +0300, Ruslan Ermilov wrote:
> On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> > Hi there,
> > 
> > I have a strange problem with natd and ICMP 3.4 (destination unreachable/
> > fragmentation needed) packets.
> > 
> > Situation:
> > 
> >   - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
> >     the xl0 interface has the public address 195.168.x.x
> >     the xl1 interface is connected to our intranet with the private addr 10.10.1.1
> >     ipfw show:
> >        00100       0          0 allow ip from any to any via lo0
> >        ...
> >        09200       0          0 divert 8668 ip from any to any via xl0
> >        09300       0          0 allow ip from any to any
> > 
> >     natd is running with arguments: natd -n xl0
> > 
> >   - behind the FreeBSD box is a Cisco router with a GRE tunnel
> > 
> > 
> >  195.168.x.x
> >      xl0 ---------  xl1                          10.10.1.0/24 (MTU 1500)
> >  -------| FreeBSD |------------------------------------------------------.... 
> >          ---------               |
> >         ipfw +NAT                |
> >                                  |
> >                                  |  10.10.1.2
> >                              ----------
> >                             |  CISCO 1 |
> >                              ----------
> >                                 ||
> >                                 ||
> >                                 ||  GRE tunnel (MTU 1476)
> >                                 ||
> >                                 ||
> >                                 ||
> >                              ----------
> >                             |  CISCO 2 |
> >                              ----------
> >                                  |           10.10.20.0/24         ----
> >                                  ---------------------------------| PC |
> >                                                                    ----
> >                                                                 10.10.20.2
> > 
> > Problem:
> > 
> >     If the Cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
> >     natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
> >     Here is a tcpdump on the xl1 interface:
> > 
> > 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
> > 
> >    and on the xl0 interface:
> > 
> > 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
> >                 ^^^^^^^^^                        ^^^^^^^^^^^
> >    Is this a bug in natd, or did I make some mistake in the configuration?
> > 
> This is intentional.
> 
> : RCS file: /home/ncvs/src/lib/libalias/alias.c,v
> : Working file: alias.c
> : head: 1.29
> : branch:
> : locks: strict
> : access list:
> : keyword substitution: kv
> : total revisions: 41;        selected revisions: 1
> : description:
> : ----------------------------
> : revision 1.23
> : date: 2000/09/01 09:32:44;  author: ru;  state: Exp;  lines: +23 -13
> : Changed the way we handle outgoing ICMP error messages -- do
> : not alias `ip_src' unless it comes from the host an original
> : datagram that triggered this error message was destined for.
> : 
> : PR:         20712
> : Reviewed by:        brian, Charles Mott <[EMAIL PROTECTED]>
> : =============================================================================
> 
> I.e., the original IP datagram that caused this ICMP error message
> was not destined for CISCO 1.  (The original datagram's header should
> be visible with tcpdump -vv).
> 
> Please see PR 20712 for details.
> 
> 
> Cheers,
> -- 
> Ruslan Ermilov                Oracle Developer/DBA,
> [EMAIL PROTECTED]         Sunbay Software AG,
> [EMAIL PROTECTED]                FreeBSD committer,
> +380.652.512.251      Simferopol, Ukraine
> 
> http://www.FreeBSD.org        The Power To Serve
> http://www.oracle.com Enabling The Information Age
> 

-- 

======================================================================
 Bohus PLUCINSKY                            e-mail: [EMAIL PROTECTED]
 Network Engineer
  
 N E X T R A                    
 Plynarenska 1                              tel: +421 7 58 228 111      
 824 71 Bratislava 26                       fax: +421 7 58 228 222
 S L O V A K I A                            http://www.nextra.sk
=======================================================================

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
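To make the rule in the quoted commit message concrete, the following is an added model of the decision natd applies to an outgoing ICMP error; it is illustration code written for this page, not libalias code and not code from either poster. It rewrites the destination in the embedded original header (undoing the inbound de-aliasing), but rewrites the outer ip_src only when the host that generated the error is the host the original datagram was destined for. Run with the reporter set to CISCO 1 (10.10.1.2) it reproduces the xl0 tcpdump above: the embedded 10.10.20.2 becomes the public address while the outer source stays 10.10.1.2, which the RFC 1918 check flags as the private source Bohus objects to; run with the PC itself as reporter, the outer source is aliased. The packet bytes are constructed from the tcpdump lines in the thread, 203.0.113.1 is assumed as a stand-in for the undisclosed 195.168.x.x alias address, and checksums are left at zero rather than recomputed.

```c
/* Model of the rule quoted from alias.c rev 1.23: on an outgoing ICMP error,
 * rewrite the embedded original header, but rewrite the outer ip_src only when
 * the error came from the host the original datagram was destined for.
 * Added illustration, not libalias code; checksums are left at zero. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define ICMP_T_UNREACH 3    /* destination unreachable */
#define ICMP_C_NEEDFRAG 4   /* fragmentation needed and DF set */

struct ip_hdr {             /* IPv4 header without options, 20 bytes, network order */
    uint8_t ver_ihl, tos; uint16_t len, id, off; uint8_t ttl, proto; uint16_t sum;
    uint32_t src, dst;
};
struct icmp_hdr { uint8_t type, code; uint16_t sum, unused, nexthop_mtu; };  /* 8 bytes */
struct nat_state {
    uint32_t alias_addr;    /* public address on xl0 */
    uint32_t private_host;  /* where natd delivered the inbound original datagram */
};
enum { NOT_ICMP_ERROR = -1, SRC_KEPT = 0, SRC_ALIASED = 1 };

static uint32_t a4(const char *s) { struct in_addr a; inet_pton(AF_INET, s, &a); return a.s_addr; }

/* RFC 1918 check: a SRC_KEPT packet from an inside router carries such a source. */
int is_rfc1918(uint32_t be)
{
    uint32_t a = ntohl(be);
    return (a >> 24) == 10 || (a >> 20) == 0xAC1 || (a >> 16) == 0xC0A8;
}

int alias_outgoing_icmp_error(uint8_t *pkt, size_t len, const struct nat_state *nat)
{
    struct ip_hdr ip, inner;
    struct icmp_hdr ic;
    if (len < sizeof ip + sizeof ic + sizeof inner)
        return NOT_ICMP_ERROR;
    memcpy(&ip, pkt, sizeof ip);
    memcpy(&ic, pkt + sizeof ip, sizeof ic);
    memcpy(&inner, pkt + sizeof ip + sizeof ic, sizeof inner);
    if (ip.proto != PROTO_ICMP || ic.type != ICMP_T_UNREACH)
        return NOT_ICMP_ERROR;
    /* natd de-aliased the original datagram's destination to the private host on
     * the way in; map it back so the remote peer recognises its own packet. */
    uint32_t original_dst = inner.dst;
    if (inner.dst == nat->private_host) {
        inner.dst = nat->alias_addr;
        memcpy(pkt + sizeof ip + sizeof ic, &inner, sizeof inner);
    }
    /* The rev 1.23 rule: alias ip_src only if the sender is that destination. */
    if (ip.src == original_dst) {
        ip.src = nat->alias_addr;
        memcpy(pkt, &ip, sizeof ip);
        return SRC_ALIASED;
    }
    return SRC_KEPT;        /* an intermediate router's private source goes out as is */
}

/* Build the ICMP 3/4 seen on xl1 above (constructed bytes, checksums zero). */
size_t build_icmp_needfrag(uint8_t *buf, const char *outer_src, const char *outer_dst,
                           const char *orig_src, const char *orig_dst, uint16_t mtu)
{
    struct ip_hdr ip = {0}, inner = {0};
    struct icmp_hdr ic = {0};
    ip.ver_ihl = 0x45; ip.ttl = 255; ip.proto = PROTO_ICMP; ip.len = htons(56);
    ip.src = a4(outer_src); ip.dst = a4(outer_dst);
    ic.type = ICMP_T_UNREACH; ic.code = ICMP_C_NEEDFRAG; ic.nexthop_mtu = htons(mtu);
    inner.ver_ihl = 0x45; inner.ttl = 63; inner.proto = 6;  /* TCP */
    inner.len = htons(1500); inner.off = htons(0x4000);     /* 1500 bytes, DF set */
    inner.src = a4(orig_src); inner.dst = a4(orig_dst);
    memcpy(buf, &ip, 20); memcpy(buf + 20, &ic, 8); memcpy(buf + 28, &inner, 20);
    memset(buf + 48, 0, 8);                                 /* first 8 payload bytes */
    return 56;
}

/* One reporter through the NAT box.  203.0.113.1 (RFC 5737) stands in for the
 * undisclosed 195.168.x.x alias address; that substitution is an assumption. */
int run_case(const char *reporter, uint32_t *outer_src, uint32_t *inner_dst)
{
    uint8_t pkt[64];
    size_t len = build_icmp_needfrag(pkt, reporter, "195.168.3.210",
                                     "195.168.3.210", "10.10.20.2", 1476);
    struct nat_state nat = { a4("203.0.113.1"), a4("10.10.20.2") };
    int r = alias_outgoing_icmp_error(pkt, len, &nat);
    memcpy(outer_src, pkt + 12, 4);      /* outer ip_src */
    memcpy(inner_dst, pkt + 28 + 16, 4); /* embedded ip_dst */
    return r;
}

int main(void)
{
    const char *who[] = { "10.10.1.2", "10.10.20.2" };   /* CISCO 1, then the PC itself */
    for (int i = 0; i < 2; i++) {
        uint32_t s, d; char sb[16], db[16];
        int r = run_case(who[i], &s, &d);
        inet_ntop(AF_INET, &s, sb, sizeof sb); inet_ntop(AF_INET, &d, db, sizeof db);
        printf("%-10s -> src %-12s inner dst %-12s %s%s\n", who[i], sb, db,
               r == SRC_ALIASED ? "SRC_ALIASED" : "SRC_KEPT",
               is_rfc1918(s) ? " (private source, likely filtered)" : "");
    }
    return 0;
}
```

The model deliberately keeps the two translations separate: the embedded header is always mapped back (otherwise the remote peer could not match the error to its own connection), while the outer source is only rewritten when the reporter is the translated host. Any other inside router, CISCO 1 here, therefore emits a packet whose outer source is an RFC 1918 address, which is exactly the packet the xl0 tcpdump shows.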
