On Wed, 21 Aug 1996 [EMAIL PROTECTED] wrote:

> Anyone here on the Debian-L know the secrets of using the ipfwadm
> utility to set up masquerading? I've built a kernel with the proper
> options but I'm concerned about whether I'm really masquerading, or
> just forwarding packets. How do I prove it?

[stuff deleted]

> So, I ran tcpdump on wb2oyc while doing this. Sure enough, there I see
> packets sent from the Web host directly to the address of the laptop (!)
> which is assigned the address in the 192.168 reserved space and shouldn't
> ever get thru my ISP's router! In other words, I was not masquerading for
> its address; I don't think. Bummer! Worse, my ISP is not stopping those
> packets.

I doubt that is really what is happening. Even if you are sending packets
out onto the Internet from the reserved address (i.e. masquerading not
working), a site on the Internet would have no way of knowing how to route
packets back to the reserved address.

My hunch is that masquerading is indeed working for you and that you're
just misinterpreting the output from tcpdump. The masquerading is perhaps
translating to the reserved address before you are seeing the output from
tcpdump so it looks as if it is really routing directly to the reserved
address which is impossible.

I've seen the behavior you describe though (that it can only access some of
the sites that the firewall machine can access directly). Some things that
helped fix things for me were:

* Turn on "IP: always defragment" in the kernel configuration if you
  haven't done so.

* Make the MTU settings the same on all sections of the link. If you're
  connected to your ISP via PPP/SLIP, and the laptop is connected via
  ethernet, set the MTU of the PPP/SLIP link to 1500 because that's what is
  the default for ethernet. (You may be able to lower the MTU of the
  ethernet link to what your PPP/SLIP link is too, but I've always done it
  the other way).

Actually, either of the above tips by themselves may fix the problem as I
think they are essentially doing the same thing.

For what it's worth, this is how I set up masquerading on my machine, but I
know there are several ways to do it. The way you are doing it sounds like
it is working.

    /sbin/ipfwadm -F -a masquerade -S 192.168.100.0/24 -D 0.0.0.0/0

Good luck,
Gerry
[EMAIL PROTECTED]
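
Added example, not part of the original message or of any Debian tool: one way to answer "How do I prove it?" is to capture with tcpdump -n on the outside (PPP/SLIP) interface and check that no packet there carries a reserved address. It assumes that capture point; the function names and the sample lines (documentation addresses 203.0.113.5 and 198.51.100.80) are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 reserved ranges; the thread's LAN (192.168.100.0/24) is in the last.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "src[.port] > dst[.port]:" in `tcpdump -n` output, old or new style.
FLOW_RE = re.compile(
    r"(?<![\d.])(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def is_private(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # not a valid IPv4 address, ignore it
        return False
    return any(ip in net for net in PRIVATE_NETS)

def find_leaks(lines):
    """Return (line_no, src, dst) for each packet carrying a reserved address."""
    leaks = []
    for no, line in enumerate(lines, 1):
        m = FLOW_RE.search(line)
        if not m:
            continue            # ARP and other non-IP lines
        src, dst = m.groups()
        if is_private(src) or is_private(dst):
            leaks.append((no, src, dst))
    return leaks

# Constructed capture: masquerading works, only the firewall's address is seen.
MASQ_OK = [
    "14:02:11.104 203.0.113.5.61002 > 198.51.100.80.80: S 1:1(0) win 512",
    "14:02:11.310 198.51.100.80.80 > 203.0.113.5.61002: S 9:9(0) ack 2 win 4096",
]
# Constructed capture: the laptop's own address escapes onto the outside link.
MASQ_BROKEN = [
    "14:05:40.220 192.168.100.2.1027 > 198.51.100.80.80: S 1:1(0) win 512",
    "14:05:40.221 arp who-has 203.0.113.1 tell 203.0.113.5",
    "14:05:41.000 IP 203.0.113.5.61003 > 198.51.100.80.80: Flags [S], seq 5, win 512",
]

if __name__ == "__main__":
    for name, cap in (("MASQ_OK", MASQ_OK), ("MASQ_BROKEN", MASQ_BROKEN)):
        print(name, find_leaks(cap) or "no reserved addresses seen")
```

Running the same check on a capture from the inside (ethernet) interface will always show the 192.168 addresses, which is expected there and says nothing about whether masquerading is working.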