From owner-freebsd-net Fri Jan 21 11:51:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from awfulhak.org (dynamic-33.max4-du-ws.dialnetwork.pavilion.co.uk [212.74.9.161]) by hub.freebsd.org (Postfix) with ESMTP id 6E42C154F4 for ; Fri, 21 Jan 2000 11:51:26 -0800 (PST) (envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12]) by awfulhak.org (8.9.3/8.9.3) with ESMTP id TAA14103; Fri, 21 Jan 2000 19:50:59 GMT (envelope-from brian@lan.awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by hak.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id IAA00343; Fri, 21 Jan 2000 08:25:14 GMT (envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200001210825.IAA00343@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.1.0 09/18/1999
To: Richard Martin
Cc: freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: natd: no translation
In-Reply-To: Message from Richard Martin of "Thu, 20 Jan 2000 19:52:54 CST." <3887BBF6.A35EA933@origenbio.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 21 Jan 2000 08:25:14 +0000
From: Brian Somers
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I am setting up a firewall with natd on my FreeBSD system, and for some reason
> it does not seem to be translating the local LAN addresses in outbound
> packets.
>
> FreeBSD router w/ two NIC cards:
> Internet card xl0 - 216.30.xx
> Local network vx0 - 192.168.0.x
>
> natd is running on xl0
>
> I can generally access the outside world OK from the LAN, but certain services
> (DNS and PCanywhere requests, among others) receive packets back addressed to
> the LAN. These hit one of the first rules on the firewall, deny any destined
> for 192.168 networks.
>
> I have tried running natd with the -n flag and the -a [ip address] flag but
> still get packets back on the external iface addressed to the 192.168
> addresses.
>
> Anyone run into this before?

Bear in mind that the divert rule results in the packets being translated to
use local addresses for inbound and real addresses for outbound. You probably
want a set of ipfw rules that go along the lines

  ipfw local blah out
  ipfw dodge spoofs in
  ipfw remote blah in
  ipfw divert
  ipfw local blah in
  ipfw remote blah out

Where ``local blah'' deals with specifics about local network addresses and
``remote blah'' deals with specifics about external addresses. ``dodge spoofs''
deals with external traffic trying to spoof internal IP numbers.

I don't use natd or ipfw at the moment

> --
> Richard Martin dmartin@origen.com
>
> OriGen Biomedical Tel: +1 512 474 7278
> 2525 Hartford Rd. Fax: +1 512 708 8522
> Austin, TX 78703 http://www.cardiacdocs.com

--
Brian
Don't _EVER_ lose your sense of humour !
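The rule ordering Brian sketches, written out as a concrete rc.firewall-style script. This is an added example, not code from the thread or from FreeBSD; the interface names xl0/vx0 and the 192.168.0.0/24 LAN come from Richard's post, while the external address 216.30.0.1 (a placeholder for the elided "216.30.xx"), the rule numbers and the natd divert port are assumptions of the example. The point it makes explicit: before the divert rule, inbound packets on xl0 still carry real destination addresses (so a "deny anything to 192.168" rule belongs there, restricted to `in via xl0`), and after it they carry LAN addresses, so the same deny rule placed after the divert would drop every translated reply. It also shows why only `deny` rules may match on xl0 ahead of the divert: an `allow` there ends the rule search and the packet leaves untranslated.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipfw rule set laid out in the
# order Brian's reply describes around the natd divert rule.
# Interfaces and the LAN network come from Richard's post; the external address,
# rule numbers and divert port below are placeholders/assumptions of this example.

fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to print the rules instead of loading them
oif="xl0"                      # external interface (from the post)
iif="vx0"                      # LAN interface (from the post)
lan="192.168.0.0/24"           # LAN network (from the post)
ext_ip="216.30.0.1"            # placeholder for the elided 216.30.xx address
natd_port="8668"               # natd's default divert port (assumption)

load_rules() {
    # The LAN side is never translated, so allowing it first bypasses nothing.
    ${fwcmd} add 50 allow ip from any to any via ${iif}

    # 1. "local blah out": packets leaving xl0 still carry 192.168 sources here.
    #    Deny only: an allow matching on xl0 before the divert rule ends the
    #    search and the packet leaves untranslated (the symptom in the post).
    ${fwcmd} add 100 deny udp from ${lan} to any 137-139 out via ${oif}

    # 2. "dodge spoofs in": nothing arriving on xl0 may carry a LAN address,
    #    because inbound packets have not been translated yet.
    ${fwcmd} add 200 deny ip from ${lan} to any in via ${oif}
    ${fwcmd} add 210 deny ip from any to ${lan} in via ${oif}

    # 3. "remote blah in": inbound packets still show the real destination.
    ${fwcmd} add 300 deny tcp from any to ${ext_ip} 23 in via ${oif}

    # 4. The divert rule: from here on, inbound packets carry LAN destinations
    #    and outbound packets carry the external source address.
    ${fwcmd} add 400 divert ${natd_port} ip from any to any via ${oif}

    # 5. "local blah in": inbound packets are now addressed to LAN hosts
    #    (DNS replies from the post are the udp/53 case).
    ${fwcmd} add 500 allow tcp from any to ${lan} established in via ${oif}
    ${fwcmd} add 510 allow udp from any 53 to ${lan} in via ${oif}

    # 6. "remote blah out": outbound packets now carry the external address;
    #    anything else leaving xl0 is an untranslated leak, so log it.
    ${fwcmd} add 600 allow ip from ${ext_ip} to any out via ${oif}
    ${fwcmd} add 610 deny log ip from any to any out via ${oif}

    ${fwcmd} add 65000 deny ip from any to any
}

# Usage: "sh natd-rules.sh preview" prints the rules; "sh natd-rules.sh apply"
# loads them (as root, after flushing the existing set).
case "${1:-}" in
    preview) (fwcmd=echo; load_rules) ;;
    apply)   load_rules ;;
esac
```

Run it with `preview` first and read the output top to bottom: every rule above the `divert` line that mentions xl0 should be a `deny`, and the `deny log ... out via xl0` rule after it is where untranslated 192.168 sources would show up in the ipfw log if natd were skipped.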