Hi,
Doesn't sound good that an IP header with a private IP address
gets sent to the internet - after all, the 195.168.3.210 host on the internet knows
nothing about 10.10.1.2...
Ari S.
----- Original Message -----
From: "Bohuslav Plucinsky" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Friday, July 13, 2001 1:02 PM
Subject: Re: natd and ICMP 3.4 packets
> Hi Ruslan,
>
> thanks for your response, but I must dispute.
> If 'ip_src' is not aliased, the ICMP packet never reaches the destination
> because the private addresses are mostly filtered. Are you sure it was the aim?
>
> Regards,
>
> Bohus
>
>
>
>
> On Thu, Jul 12, 2001 at 12:41:52PM +0300, Ruslan Ermilov wrote:
> > On Tue, Jul 10, 2001 at 11:09:34AM +0200, Bohuslav Plucinsky wrote:
> > > Hi there,
> > >
> > > I have a strange problem with natd and ICMP 3.4 (destination unreachable/
> > > fragmentation needed) packets.
> > >
> > > Situation:
> > >
> > > - we have a FreeBSD 4.2-20001228-STABLE box with ipfw and natd configured
> > >   xl0 interface has public address 195.168.x.x
> > >   xl1 interface is connected to our intranet with private addr 10.10.1.1
> > > ipfw show:
> > > 00100 0 0 allow ip from any to any via lo0
> > > ...
> > > 09200 0 0 divert 8668 ip from any to any via xl0
> > > 09300 0 0 allow ip from any to any
> > >
> > > natd is running with arguments: natd -n xl0
> > >
> > > - behind freebsd box is cisco router with GRE tunnel
> > >
> > >
> > >   195.168.x.x
> > >      xl0 -----------  xl1            10.10.1.0/24 (MTU 1500)
> > >   -------| FreeBSD  |-----------------------------------------....
> > >          | ipfw+NAT |                        |
> > >          -----------                         | 10.10.1.2
> > >                                         ----------
> > >                                         | CISCO 1 |
> > >                                         ----------
> > >                                             ||
> > >                                             ||
> > >                                             ||  GRE tunnel (MTU 1476)
> > >                                             ||
> > >                                             ||
> > >                                         ----------
> > >                                         | CISCO 2 |
> > >                                         ----------
> > >                                             |      10.10.20.0/24     ----
> > >                                             ----------------------| PC |
> > >                                                                    ----
> > >                                                                 10.10.20.2
> > > Problem:
> > >
> > > If cisco router CISCO 1 sends an ICMP 3.4 packet to any server on the Internet,
> > > natd on the FreeBSD box aliases the data inside the ICMP packet, but not the IP headers.
> > > Here is tcpdump on the xl1 interface:
> > >
> > > 11:56:54.376974 10.10.1.2 > 195.168.3.210: icmp: 10.10.20.2 unreachable - need to frag (mtu 1476)
> > >
> > > and on xl0 interface:
> > >
> > > 11:56:55.216974 10.10.1.2 > 195.168.3.210: icmp: 195.168.x.x unreachable - need to frag (mtu 1476)
> > >                 ^^^^^^^^^                        ^^^^^^^^^^^
> > > Is this a bug in natd or did I make some mistake in the configuration?
> > >
> > This is intentional.
> >
> > : RCS file: /home/ncvs/src/lib/libalias/alias.c,v
> > : Working file: alias.c
> > : head: 1.29
> > : branch:
> > : locks: strict
> > : access list:
> > : keyword substitution: kv
> > : total revisions: 41; selected revisions: 1
> > : description:
> > : ----------------------------
> > : revision 1.23
> > : date: 2000/09/01 09:32:44; author: ru; state: Exp; lines: +23 -13
> > : Changed the way we handle outgoing ICMP error messages -- do
> > : not alias `ip_src' unless it comes from the host an original
> > : datagram that triggered this error message was destined for.
> > :
> > : PR: 20712
> > : Reviewed by: brian, Charles Mott <[EMAIL PROTECTED]>
> > :
> > : =============================================================================
> >
> > I.e., the original IP datagram that caused this ICMP error message
> > was not destined for CISCO 1. (The original datagram's header should
> > be visible with tcpdump -vv).
> >
> > Please see PR 20712 for details.
> >
> >
> > Cheers,
> > --
> > Ruslan Ermilov Oracle Developer/DBA,
> > [EMAIL PROTECTED] Sunbay Software AG,
> > [EMAIL PROTECTED] FreeBSD committer,
> > +380.652.512.251 Simferopol, Ukraine
> >
> > http://www.FreeBSD.org The Power To Serve
> > http://www.oracle.com Enabling The Information Age
> >
>
> --
>
> ======================================================================
> Bohus PLUCINSKY e-mail: [EMAIL PROTECTED]
> Network Engineer
>
> N E X T R A
> Plynarenska 1 tel: +421 7 58 228 111
> 824 71 Bratislava 26 fax: +421 7 58 228 222
> S L O V A K I A http://www.nextra.sk
> =======================================================================
>
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
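The rule Ruslan quotes from the libalias revision 1.23 log, applied to the two tcpdump lines in Bohus's report, as an added example that is not code from this thread, from natd or from libalias itself. It builds the ICMP 3.4 message CISCO 1 would emit, runs it through a small stand-alone Python model of the rule (the quoted datagram's destination is always translated back to the alias address; the outer ip_src only when it equals that destination), and shows that in the thread's topology the outer source stays 10.10.1.2, while it is rewritten when the router itself was the original destination. The address 195.168.100.1 is an assumed stand-in for the redacted 195.168.x.x on xl0, and the NAT state table and the 8-byte payload of the dropped datagram are constructed for the example.

```python
"""Model of the libalias rev 1.23 rule for outgoing ICMP error messages.

Not libalias code: a stand-alone Python model of the behaviour described in
the quoted commit log, applied to the packets from the thread.
"""
import ipaddress
import struct

# Assumption: stand-in for the redacted public address 195.168.x.x on xl0.
ALIAS_ADDR = "195.168.100.1"


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _addr(raw) -> str:
    return str(ipaddress.IPv4Address(bytes(raw)))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header without options, DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frag_needed(router: str, orig_sender: str, dropped: bytes, mtu: int) -> bytes:
    """ICMP type 3 code 4 from `router`, quoting header + 8 bytes of the dropped datagram."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + dropped[:28]
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    return build_ipv4(router, orig_sender, 1, icmp)


def alias_outgoing_icmp_error(pkt: bytes, nat_table: dict) -> bytes:
    """Apply the rev 1.23 rule to an ICMP error leaving via the NAT interface.

    nat_table maps private host -> alias address natd handed out for it (a
    constructed stand-in for natd's state).  The quoted datagram travelled
    inbound (public -> private), so its destination is the private host and is
    always translated back.  The outer ip_src is translated only when it equals
    the quoted destination, i.e. when the error really comes from the host the
    original datagram was destined for.
    """
    if pkt[9] != 1 or pkt[20] != 3:
        raise ValueError("not an ICMP destination-unreachable message")
    outer, icmp, inner = bytearray(pkt[:20]), bytearray(pkt[20:28]), bytearray(pkt[28:])
    quoted_dst = _addr(inner[16:20])
    if quoted_dst not in nat_table:
        return pkt                           # no NAT state for it: pass unchanged
    public = ipaddress.IPv4Address(nat_table[quoted_dst]).packed
    inner[16:20] = public                    # always fix up the quoted header
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", _checksum(bytes(inner[:20])))
    if _addr(outer[12:16]) == quoted_dst:    # the rev 1.23 condition
        outer[12:16] = public
    outer[10:12] = b"\x00\x00"
    outer[10:12] = struct.pack("!H", _checksum(bytes(outer)))
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", _checksum(bytes(icmp + inner)))
    return bytes(outer + icmp + inner)


def summarize(pkt: bytes) -> tuple:
    """(outer src, outer dst, quoted src, quoted dst, next-hop MTU), as tcpdump shows it."""
    inner = pkt[28:]
    return (_addr(pkt[12:16]), _addr(pkt[16:20]), _addr(inner[12:16]),
            _addr(inner[16:20]), struct.unpack("!H", pkt[26:28])[0])


def checksums_ok(pkt: bytes) -> bool:
    return _checksum(pkt[:20]) == 0 and _checksum(pkt[20:]) == 0


def leaks_private_source(pkt: bytes) -> bool:
    """True when the packet would leave xl0 with an RFC 1918 source address."""
    return ipaddress.IPv4Address(summarize(pkt)[0]).is_private


def thread_case() -> bytes:
    """CISCO 1 (10.10.1.2) cannot push a DF datagram for the PC into the 1476-byte GRE tunnel."""
    dropped = build_ipv4("195.168.3.210", "10.10.20.2", 6, b"\x00" * 8)  # constructed payload
    err = build_frag_needed("10.10.1.2", "195.168.3.210", dropped, 1476)
    return alias_outgoing_icmp_error(err, {"10.10.20.2": ALIAS_ADDR})


def router_is_destination_case() -> bytes:
    """Same router, but the dropped datagram was addressed to the router itself."""
    dropped = build_ipv4("195.168.3.210", "10.10.1.2", 6, b"\x00" * 8)
    err = build_frag_needed("10.10.1.2", "195.168.3.210", dropped, 1476)
    return alias_outgoing_icmp_error(err, {"10.10.1.2": ALIAS_ADDR})


if __name__ == "__main__":
    for case in (thread_case, router_is_destination_case):
        pkt = case()
        s = summarize(pkt)
        print("%s > %s: icmp: %s unreachable - need to frag (mtu %d)  private src: %s"
              % (s[0], s[1], s[3], s[4], leaks_private_source(pkt)))
```

The first case reproduces the xl0 trace from the report: the quoted address becomes the alias address, the outer source is still 10.10.1.2, and an upstream filter dropping RFC 1918 sources will discard it. The second case shows the one situation in which the rule does rewrite ip_src.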