From: setantae
To: questions@FreeBSD.org
Date: Tue, 6 Nov 2001 14:59:06 +0000
Subject: natd's punch_fw option not working
Message-ID: <20011106145906.A7334@rhadamanth>

Now this could be something that I've done/not done, but it could also be related to the recent changes MFC'd from -current, so I'd like some input please.

I used to have active and passive FTP working fine through ipfw and natd with the -punch_fw option, but now neither works. My entire ruleset is attached, but I don't feel it's to do with that, since it hasn't changed. Also, I have made no changes to /etc/rc.firewall. Connections now get blocked at rule 65007.
Here are the relevant entries from /etc/rc.conf:

hostname="rhadamanth.private.submonkey.net"
ifconfig_dc0="inet 192.168.10.1 netmask 255.255.255.0"
ifconfig_ed0="DHCP"
##
## Firewall stuff
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging_enable="YES"
#extra firewall stuff
log_in_vain="NO"
tcp_drop_synfin="YES"       # Change to NO if we run a webserver
icmp_drop_redirect="YES"    ## if we get loads, fix these
icmp_log_redirect="YES"     ## if we get loads, fix these
##
## natd stuff
gateway_enable="YES"
natd_enable="YES"
natd_interface="ed0"
natd_flags="-s -m -u -l -dynamic -punch_fw 2850:48"

The only thing I can see that has changed is that I now have this in the output of dmesg:

FreeBSD 4.4-STABLE #0: Mon Nov 5 16:36:43 GMT 2001
    setantae@rhadamanth.private.submonkey.net:/usr/obj/usr/src/sys/RHADAMANTH
DUMMYNET initialized (011031)
IPFW: MOD_LOAD
IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging limited to 10 packets/entry by default

The "IPFW: MOD_LOAD" line is new, and I haven't done anything to enable it (at least, I've made no changes to my kernel config, no changes to my /etc/ipfw.rules and no changes to /etc/rc.conf). What I have done is a newfs of the partition that /usr/obj lives on, followed by a rebuild of world and the kernel. I've also attached my kernel config in case it's of use.

Any guidance or ideas would be most welcome.
Thanks,

Ceri
--
keep a mild groove on

Attachment 1: ipfw.rules

## Deny fragments
add 00105 deny all from any to any frag

#### 00110 Unprotect the LAN interface
add 00110 allow all from any to any via dc0

#### 00200 Stop RFC 1918 traffic
#add 00201 pass udp from 172.16.0.0/12 to any 68 in via ed0
#add 00201 pass udp from 172.17.39.254 to any 68 in via ed0
add 00202 deny log all from any to 10.0.0.0/8
add 00203 deny log all from 10.0.0.0/8 to any
add 00204 deny log all from any to 172.16.0.0/12
add 00205 deny log all from 172.16.0.0/12 to any
#add 00206 deny log all from 192.168.0.0/16 to any in via ed0
#add 00207 deny log all from any to 192.168.0.0/16 in via ed0
add 00206 divert natd all from any to any via ed0
add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00209 deny log all from any to 192.168.0.0/16 via ed0
add 00210 deny log all from 192.168.0.0/16 to any via ed0

#### 00400 Check state and allow tcp connections created by us.
add 00400 check-state
add 00401 allow tcp from any to any out keep-state
#add 00402 deny log tcp from any to any in established
add 00403 allow udp from any to any 53 keep-state
add 00404 allow udp from any to any out

##NTP
add 00421 allow udp from 130.88.200.98 123 to any
add 00422 allow udp from 130.88.203.12 123 to any

#### 00500 DHCP stuff
add 00501 allow udp from 62.252.32.3 to any 68 in via ed0

#### 00600 ICMP stuff
# path-mtu
add 00600 allow icmp from any to any icmptypes 3
# source quench
add 00601 allow icmp from any to any icmptypes 4
#ping
add 00602 allow icmp from any to any icmptypes 8 out
add 00603 allow icmp from any to any icmptypes 0 in
#traceroute
add 00604 allow icmp from any to any icmptypes 11 in

#### 00700 Services we want to make available.
add 00701 allow tcp from any to any 22
add 00702 allow tcp from 194.168.4.200 to any 113
#add 00703 allow tcp from any to any 21 out

#### 65000 And deny everything else.
add 65007 deny log ip from any to any

Attachment 2: RHADAMANTH (kernel config)

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
#    http://www.FreeBSD.org/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.11 2000/09/22 10:01:48 nyan Exp $

machine     i386
#cpu        I386_CPU
#cpu        I486_CPU
#cpu        I586_CPU
cpu         I686_CPU
options     CPU_ENABLE_SSE
ident       RHADAMANTH
maxusers    128

#makeoptions DEBUG=-g               #Build kernel with gdb(1) debug symbols

#options    MATH_EMULATE            #Support for x87 emulation
options     INET                    #InterNETworking
#options    INET6                   #IPv6 communications protocols
#options    IPX                     #IPX support
options     FFS                     #Berkeley Fast Filesystem
options     FFS_ROOT                #FFS usable as root device [keep this!]
options     SOFTUPDATES             #Enable FFS soft updates support
options     MFS                     #Memory Filesystem
#options    MD_ROOT                 #MD is a potential root device
#options    NFS                     #Network Filesystem
#options    NFS_ROOT                #NFS usable as root device, NFS required
options     MSDOSFS                 #MSDOS Filesystem
options     CD9660                  #ISO 9660 Filesystem
options     CD9660_ROOT             #CD-ROM usable as root, CD9660 required
options     PROCFS                  #Process filesystem
options     COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
options     USER_LDT                # Needed for xmovie port
#options    SCSI_DELAY=15000        #Delay (in ms) before probing SCSI
options     UCONSOLE                #Allow users to grab the console
options     USERCONFIG              #boot -c editor
#options    VISUAL_USERCONFIG       #visual boot -c editor
options     KTRACE                  #ktrace(1) support
options     SYSVSHM                 #SYSV-style shared memory
options     SYSVMSG                 #SYSV-style message queues
options     SYSVSEM                 #SYSV-style semaphores
options     P1003_1B                #Posix P1003_1B real-time extensions
options     _KPOSIX_PRIORITY_SCHEDULING
options     ICMP_BANDLIM            #Rate limit bad replies
options     KBD_INSTALL_CDEV        # install a CDEV entry in /dev

### FIREWALL STUFF
options     IPFIREWALL              #firewall
options     IPDIVERT                # need this for natd
options     IPFIREWALL_VERBOSE      #print information about dropped packets
options     IPFIREWALL_VERBOSE_LIMIT=10 #limit verbosity
options     IPSTEALTH               #support for stealth forwarding
options     TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
options     DUMMYNET                # fun to play with
###

# To make an SMP kernel, the next two are needed
options     SMP                     # Symmetric MultiProcessor Kernel
options     APIC_IO                 # Symmetric (APIC) I/O
# Optionally these may need tweaked, (defaults shown):
#options    NCPU=2                  # number of CPUs
#options    NBUS=4                  # number of busses
#options    NAPIC=1                 # number of IO APICs
#options    NINTR=24                # number of INTs

device      isa
#device     eisa
device      pci

# Floppy drives
device      fdc0    at isa? port IO_FD1 irq 6 drq 2
device      fd0     at fdc0 drive 0
device      fd1     at fdc0 drive 1

# ATA and ATAPI devices
device      ata0    at isa? port IO_WD1 irq 14
device      ata1    at isa? port IO_WD2 irq 15
device      ata
device      atadisk                 # ATA disk drives
device      atapicd                 # ATAPI CDROM drives
device      atapifd                 # ATAPI floppy drives
device      atapist                 # ATAPI tape drives
options     ATA_STATIC_ID           #Static device numbering
#options    ATA_ENABLE_ATAPI_DMA    #Enable DMA on ATAPI devices

# SCSI Controllers
#device     ahb     # EISA AHA1742 family
#device     ahc     # AHA2940 and onboard AIC7xxx devices
#device     amd     # AMD 53C974 (Teckram DC-390(T))
#device     isp     # Qlogic family
#device     ncr     # NCR/Symbios Logic
#device     sym     # NCR/Symbios Logic (newer chipsets)
#options    SYM_SETUP_LP_PROBE_MAP=0x40 # Allow ncr to attach legacy NCR devices when
                                        # both sym and ncr are configured

#device     adv0    at isa?
#device     adw
#device     bt0     at isa?
#device     aha0    at isa?
#device     aic0    at isa?

# SCSI peripherals
#device     scbus   # SCSI bus (required)
#device     da      # Direct Access (disks)
#device     sa      # Sequential Access (tape etc)
#device     cd      # CD
#device     pass    # Passthrough device (direct SCSI access)

# RAID controllers interfaced to the SCSI subsystem
#device     asr     # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device     dpt     # DPT Smartcache - See LINT for options!

# RAID controllers
#device     ida     # Compaq Smart RAID
#device     amr     # AMI MegaRAID
#device     mlx     # Mylex DAC960 family
#device     twe     # 3ware Escalade

# atkbdc0 controls both the keyboard and the PS/2 mouse
device      atkbdc0 at isa? port IO_KBD
device      atkbd0  at atkbdc? irq 1 flags 0x1
device      psm0    at atkbdc? irq 12

device      vga0    at isa?

# splash screen/screen saver
pseudo-device   splash

# syscons is the default console driver, resembling an SCO console
device      sc0     at isa? flags 0x100
options     SC_DISABLE_REBOOT       # disable reboot key sequence
options     SC_HISTORY_SIZE=400     # number of history buffer lines
# The following options will let you change the default colors of syscons.
options     SC_NORM_ATTR="(FG_GREEN|BG_BLACK)"
options     SC_NORM_REV_ATTR="(FG_YELLOW|BG_GREEN)"
options     SC_KERNEL_CONS_ATTR="(FG_RED|BG_BLACK)"
options     SC_KERNEL_CONS_REV_ATTR="(FG_BLACK|BG_RED)"

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device     vt0     at isa?
#options    XSERVER                 # support for X server on a vt console
#options    FAT_CURSOR              # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options    PCVT_SCANSET=2          # IBM keyboards are non-std

# Floating point support - do not disable.
device      npx0    at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
#device     apm0    at nexus? disable flags 0x20 # Advanced Power Management

# PCCARD (PCMCIA) support
#device     card
#device     pcic0   at isa? irq 10 port 0x3e0 iomem 0xd0000
#device     pcic1   at isa? irq 11 port 0x3e2 iomem 0xd4000 disable

# Serial (COM) ports
device      sio0    at isa? port IO_COM1 flags 0x10 irq 4
device      sio1    at isa? port IO_COM2 irq 3
device      sio2    at isa? disable port IO_COM3 irq 5
device      sio3    at isa? disable port IO_COM4 irq 9

# Parallel port
device      ppc0    at isa? irq 7
device      ppbus           # Parallel port bus (required)
device      lpt             # Printer
device      plip            # TCP/IP over parallel
device      ppi             # Parallel port interface device
#device     vpo             # Requires scbus and da

# PCI Ethernet NICs.
#device     de      # DEC/Intel DC21x4x (``Tulip'')
#device     fxp     # Intel EtherExpress PRO/100B (82557, 82558)
#device     tx      # SMC 9432TX (83c170 ``EPIC'')
#device     vx      # 3Com 3c590, 3c595 (``Vortex'')
#device     wx      # Intel Gigabit Ethernet Card (``Wiseman'')

# PCI Ethernet NICs that use the common MII bus controller code.
#device     dc      # DEC/Intel 21143 and various workalikes
#device     rl      # RealTek 8129/8139
#device     sf      # Adaptec AIC-6915 (``Starfire'')
#device     sis     # Silicon Integrated Systems SiS 900/SiS 7016
#device     ste     # Sundance ST201 (D-Link DFE-550TX)
#device     tl      # Texas Instruments ThunderLAN
#device     vr      # VIA Rhine, Rhine II
#device     wb      # Winbond W89C840F
#device     xl      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# ISA Ethernet NICs.
device      ed0     at isa? port 0x280 irq 10 iomem 0xd8000
# MII required for the ed driver since 20010725
device      miibus          # MII bus support
device      dc              # DEC/Intel 21143 and various workalikes
#device     ep
#device     ex
#device     fe0     at isa? port 0x300
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
#device     wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
#device     an
# Xircom Ethernet
#device     xe
# The probe order of these is presently determined by i386/isa/isa_compat.c.
#device     ie0     at isa? port 0x300 irq 10 iomem 0xd0000
#device     le0     at isa? port 0x300 irq 5 iomem 0xd0000
#device     lnc0    at isa? port 0x280 irq 10 drq 0
#device     cs0     at isa? port 0x300
#device     sn0     at isa? port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device   loop            # Network loopback
pseudo-device   ether           # Ethernet support
pseudo-device   sl      1       # Kernel SLIP
pseudo-device   ppp     1       # Kernel PPP
pseudo-device   tun             # Packet tunnel.
pseudo-device   pty             # Pseudo-ttys (telnet etc)
#pseudo-device  md              # Memory "disks"
#pseudo-device  gif     4       # IPv6 and IPv4 tunneling
#pseudo-device  faith   1       # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device   bpf             #Berkeley packet filter

# USB support
#device     uhci    # UHCI PCI->USB interface
#device     ohci    # OHCI PCI->USB interface
#device     usb     # USB Bus (required)
#device     ugen    # Generic
#device     uhid    # "Human Interface Devices"
#device     ukbd    # Keyboard
#device     ulpt    # Printer
#device     umass   # Disks/Mass storage - Requires scbus and da
#device     ums     # Mouse
## USB Ethernet, requires mii
#device     aue     # ADMtek USB ethernet
#device     cue     # CATC USB ethernet
#device     kue     # Kawasaki LSI USB ethernet

# sound
device      pcm

# Set the amount of time (in seconds) the system will wait before
# rebooting automatically when a kernel panic occurs.  If set to (-1),
# the system will wait indefinitely until a key is pressed on the
# console.
options     PANIC_REBOOT_WAIT_TIME=120

# This allows you to actually store this configuration file into
# the kernel binary itself, where it may be later read by saying:
#    strings -n 3 /kernel | sed -n 's/^___//p' > MYKERNEL
#
options     INCLUDE_CONFIG_FILE     # Include this file in kernel
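The first thing a practitioner would check against a ruleset and natd_flags like the ones in this post is whether the -punch_fw window can work at all: ipfw evaluates rules in ascending number order, natd(8) numbers the rules it punches inside the range bounded by base and base+count, and the kernel's final deny (rule 65007 here, or the default rule 65535 on a default-to-deny kernel) ends evaluation. The script below is an added example, not code from the post or from FreeBSD; it parses "add NNNNN ..." lines in the /etc/ipfw.rules format shown above and a natd_flags string, and reports whether the punch window lies below the final deny, collides with any static rule number, and sits before or after the "divert natd" rule. The embedded ruleset is a constructed, shortened copy of the one in the post; the script does not claim to explain why the poster's FTP sessions broke, it only rules out the configuration mistakes that would produce the same symptom (blocked at the catch-all deny).

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check an ipfw ruleset
# file (the "add NNNNN ..." format used in /etc/ipfw.rules above) against the
# -punch_fw base:count window given in natd_flags. ipfw evaluates rules in
# ascending number order and natd(8) punches its rules inside the range
# base..base+count, so the window must sit below the final deny rule and must
# not collide with static rule numbers. Needs only POSIX sh, awk and sed.

# Constructed sample: a shortened copy of the ruleset and natd_flags from the post.
RULES='add 00105 deny all from any to any frag
add 00110 allow all from any to any via dc0
add 00206 divert natd all from any to any via ed0
add 00207 pass all from 192.168.10.0/24 to any via ed0
add 00208 pass all from any to 192.168.10.0/24 via ed0
add 00400 check-state
add 00401 allow tcp from any to any out keep-state
add 00701 allow tcp from any to any 22
#add 00703 allow tcp from any to any 21 out
add 65007 deny log ip from any to any'
NATD_FLAGS='-s -m -u -l -dynamic -punch_fw 2850:48'

# punch_window "<natd_flags>" -> "base count" on stdout, nothing if -punch_fw is absent
punch_window() {
    printf '%s\n' "$1" | sed -n 's/.*-punch_fw \([0-9][0-9]*\):\([0-9][0-9]*\).*/\1 \2/p'
}

# rule_numbers "<ruleset>" -> active (uncommented) rule numbers, one per line, as plain integers
rule_numbers() {
    printf '%s\n' "$1" | awk '$1 == "add" && $2 ~ /^[0-9]+$/ { print $2 + 0 }'
}

# divert_rule "<ruleset>" -> number of the first "divert natd" rule, empty if there is none
divert_rule() {
    printf '%s\n' "$1" | awk '$1 == "add" && $3 == "divert" && $4 == "natd" { print $2 + 0; exit }'
}

# final_deny_rule "<ruleset>" -> highest-numbered deny rule, or 65535 (the kernel's default
# rule, which is deny on a default-to-deny kernel like the one in the post) if there is none
final_deny_rule() {
    printf '%s\n' "$1" | awk '$1 == "add" && $3 == "deny" && $2 + 0 > n { n = $2 + 0 }
                              END { print (n ? n : 65535) }'
}

# check_window "<ruleset>" "<natd_flags>" -> one verdict line; exit status 0 = ok, 1 = problem
check_window() {
    ruleset=$1
    set -- $(punch_window "$2")          # word-split into base and count on purpose
    if [ $# -ne 2 ]; then
        echo "problem: no -punch_fw base:count in natd_flags"
        return 1
    fi
    base=$1; count=$2; last=$((base + count - 1))
    if [ "$last" -gt 65535 ]; then
        echo "problem: window $base-$last runs past ipfw's last rule number 65535"
        return 1
    fi
    deny=$(final_deny_rule "$ruleset")
    if [ "$base" -ge "$deny" ]; then
        echo "problem: window $base-$last starts at or after the final deny rule $deny, so punched rules are never reached"
        return 1
    fi
    collisions=$(rule_numbers "$ruleset" | awk -v lo="$base" -v hi="$last" '$1 + 0 >= lo + 0 && $1 + 0 <= hi + 0' | tr '\n' ' ')
    if [ -n "$collisions" ]; then
        echo "problem: static rule(s) ${collisions}fall inside window $base-$last"
        return 1
    fi
    divert=$(divert_rule "$ruleset")
    if [ -z "$divert" ]; then
        echo "problem: no 'divert natd' rule, so natd never sees any packets"
        return 1
    fi
    if [ "$base" -gt "$divert" ]; then side=after; else side=before; fi
    echo "ok: window $base-$last is $side divert rule $divert and before final deny $deny"
    return 0
}

check_window "$RULES" "$NATD_FLAGS"
```

Run against the post's numbers it reports the window 2850-2897 as free of collisions, after the divert rule 206 and before the deny at 65007, so the symptom in the post is not a mis-sized or mis-placed window. To check a live box rather than the file, feed `ipfw list` output through the same functions (the "add" prefix is absent there, so drop the `$1 == "add"` test) while an FTP transfer is in progress; the rules natd has punched should then appear in the window.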