Re: pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"

From: Rocco Caputo (rcaputo_at_pobox.com)
Date: 08/05/03

    Date: Tue, 5 Aug 2003 16:33:10 -0400
    To: freebsd-net@freebsd.org
    
    

    On Thu, Jul 31, 2003 at 09:54:50PM +0200, jeremie le-hen wrote:
    > Your problem looks very strange. I didn't succeed in reproducing the same
    > behaviour on my personal gateway.
    >
    > But I noticed that, although you use ipnat(8), nat is also enabled in your
    > ppp(8) configuration, this *may* explain some of your problems, such as
    > seeing double packets. Try to remove all "nat*" lines.

    Thanks for looking at the problem and for the advice.

    After much more reading, especially on the way packets flow through the
    various firewalls and NAT systems FreeBSD provides, I sat down and
    really thought things through.

    I couldn't wrap my head around the flow when NAT was used in the
    firewalls, so I dropped back and enabled it in ppp(8). This bugs me
    slightly because my local network lives in the 10/8 address space, and I
    must let 10/8 packets through tun0. Oh well. At least I can do it
    statefully.

    I moved the firewall rules from ipf(8) to ipfw(8). I disabled ipnat
    since ppp(8) takes care of it now.

    Combining stateful rules and dummynet in ipfw(8) was interesting. The
    trick I settled on was to use stateful skipto rules that pass "good"
    packets to one-pass dummynet rules. Everything else is denied by
    default.

    This cleared up the ping problems, and it cleared up the problems with
    NATted machines connecting to the outside world. It doesn't fix active
    FTP, but I've given up on that. Passive seems to work well enough.

    Thanks again.

    -- 
    Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/
    _______________________________________________
    freebsd-net@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-net
    To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
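
The ruleset shape Rocco describes above (check-state, stateful skipto rules that hand "good" packets to a one-pass dummynet block, everything else denied by default), as an added example in the style of an /etc/rc.firewall sh script. It is not the author's ruleset and not FreeBSD's own rc.firewall. The interface name tun0 and the 10/8 LAN prefix come from the thread; the LAN interface name, rule numbers, pipe bandwidths and the dry-run fallback (which prints the ipfw commands when ipfw is not installed, so the ruleset can be reviewed on another host) are assumptions.

```shell
#!/bin/sh
# Added example: an ipfw(8) ruleset in the shape described in the mail, written
# as an /etc/rc.firewall-style sh script. Not the author's script; tun0 and the
# 10/8 LAN prefix come from the thread, everything else is an assumption.

ext_if="tun0"               # PPPoE link (from the thread); ppp(8) does the NAT
lan_if="fxp0"               # assumed name of the inside interface
lan_net="10.0.0.0/8"        # un-NATted LAN addresses are visible on tun0 (from the thread)
up_bw="128Kbit/s"           # assumed link speeds for the dummynet pipes
down_bw="1500Kbit/s"

# Dry-run fallback: when ipfw(8) is not present, print the commands instead
# of executing them, so the ruleset can be read and checked offline.
if command -v ipfw >/dev/null 2>&1; then
    fwcmd="ipfw -q"
    sysctlcmd="sysctl"
else
    fwcmd="echo ipfw -q"
    sysctlcmd="echo sysctl"
fi

build_rules() {
    # One-pass dummynet: a packet leaving a pipe is accepted rather than
    # re-injected at the next rule (this is the default, set explicitly here).
    $sysctlcmd net.inet.ip.fw.one_pass=1

    $fwcmd -f flush
    $fwcmd -f pipe flush

    # Shaper pipes: 1 = upstream, 2 = downstream.
    $fwcmd pipe 1 config bw $up_bw
    $fwcmd pipe 2 config bw $down_bw

    # Loopback and the inside interface are not shaped or filtered here.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 allow ip from any to any via $lan_if

    # Anti-spoofing: a private source address must never arrive from the link.
    $fwcmd add 200 deny log ip from $lan_net to any in via $ext_if

    # Established flows: check-state executes the action of the rule that
    # created the dynamic entry, so replies also skipto the shaper block.
    $fwcmd add 300 check-state

    # New outbound flows are the only "good" packets: create state and jump
    # to the dummynet block. TCP needs the SYN (setup) to create state.
    $fwcmd add 400 skipto 1000 tcp from any to any out via $ext_if setup keep-state
    $fwcmd add 410 skipto 1000 udp from any to any out via $ext_if keep-state
    $fwcmd add 420 skipto 1000 icmp from any to any out via $ext_if keep-state

    # Anything else on the link is unsolicited inbound traffic and is denied
    # here. This includes the server-initiated data connection of active FTP,
    # which is why only passive FTP works with this design.
    $fwcmd add 900 deny log ip from any to any via $ext_if

    # Dummynet block, reached only via skipto. With one_pass=1 the pipe
    # rules are terminal, so nothing falls through to the final deny.
    $fwcmd add 1000 pipe 1 ip from any to any out via $ext_if
    $fwcmd add 1010 pipe 2 ip from any to any in via $ext_if

    # Default deny for anything that reaches the end of the list.
    $fwcmd add 65000 deny log ip from any to any
}

build_rules
```

The order matters: check-state must precede the skipto rules so that reply packets of an existing flow jump straight into the shaper without being re-evaluated against the outbound-only rules, and the deny at 900 must sit before the dummynet block so that the block is reachable only through the skipto action.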
    
