From owner-freebsd-questions@FreeBSD.ORG Wed Mar 31 09:29:25 2004
Message-ID: <003f01c4174d$c38ffa50$6900a8c0@prodigy>
From: "Prodigy"
To: "freebsd-questions"
Date: Wed, 31 Mar 2004 20:27:01 +0200
Subject: problems with ipfw + natd rules
List-Id: User questions

Hello, I have a problem with ipfw + natd. The problem is that my FreeBSD server isn't routing internet. First I used FreeBSD 4.9-STABLE, then I tried to upgrade to FreeBSD 4.9-RELEASE-p4. The result is the same: no internet for LAN users.
Take a look at my configuration files:

rc.conf:

    defaultrouter="213.190.42.1"
    hostname="localhost"
    ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"   # inside (lan) interface
    ifconfig_rl1="inet 213.190.42.48 netmask 255.255.255.0" # outside (internet) interface
    #some other stuff goes here
    gateway_enable="YES"
    natd_enable="YES"
    natd_program="/sbin/natd"
    natd_interface="rl1"
    natd_flags=""
    firewall_enable="YES"
    firewall_script="/usr/local/etc/ipfw.conf"
    firewall_quiet="YES"
    firewall_logging="YES"

ipfw.conf:

    fwcmd="/sbin/ipfw -q"
    ${fwcmd} -f flush
    ${fwcmd} add 100 divert 8668 ip from any to any via rl1
    ${fwcmd} add 200 pass ip from any to any via lo0
    ${fwcmd} add 300 deny log ip from any to 127.0.0.0/8
    ${fwcmd} add 400 pass tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
    ${fwcmd} add 500 pass tcp from any to any 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
    ${fwcmd} add 600 pass udp from any to any 53 via rl1
    ${fwcmd} add 700 pass udp from any 53 to any via rl1
    ${fwcmd} add 800 pass ip from any to any via rl0
    ${fwcmd} add 900 deny log all from any to any via rl1

# ipfw show

    00100   80  48557 divert 8668 ip from any to any via rl1
    00200    0      0 allow ip from any to any via lo0
    00300    0      0 deny log ip from any to 127.0.0.0/8
    00400   54  59678 allow tcp from any 22,80,110,119,143,443,3306,5190,6667-7000 to any via rl1
    00500   26   1473 allow tcp from any to any dst-port 22,80,110,119,143,443,3306,5190,6667-7000 via rl1
    00600    3    177 allow udp from any to any dst-port 53 via rl1
    00700    0      0 allow udp from any 53 to any via rl1
    00800  226 101368 allow ip from any to any via rl0
    00900   62  40857 deny log ip from any to any via rl1
    65535 1598 333640 deny ip from any to any

/etc/sysctl.conf:

    net.link.ether.ipfw=1

# cat /etc/services | grep natd

    natd 8668/divert # Network Address Translation

When I comment out rules 400 and 500 and add "allow all from any to any via rl1" it's all ok. The problem is somewhere in rules 400 and 500.
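As an added illustration (not part of the original post, and not code from FreeBSD or the poster), the following Python model walks a LAN client's flow through the ruleset quoted above the way ipfw(8) and natd(8) do: a forwarded packet is checked once on the inbound interface and once on the outbound one, and a packet matched by a divert rule is handed to natd and then re-enters the firewall at the rule following the divert. The model is deliberately narrow: it tracks only protocol, ports, the interface a packet crosses, and whether the destination is loopback (for rule 300); it does not model addresses, TCP flags, natd's own address rewriting, or layer-2 processing (the post's net.link.ether.ipfw=1). The rule table, the sample flows and the hop names are constructed for this example. What it makes visible is which posted rule each hop of a flow terminates on, and which flows fall through to the deny at rule 900.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Port list shared by rules 400 and 500 in the posted ipfw.conf.
PORTS = frozenset({22, 80, 110, 119, 143, 443, 3306, 5190} | set(range(6667, 7001)))


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                   # "allow", "deny" or "divert"
    proto: str                    # "ip" matches any protocol
    src_ports: Optional[FrozenSet[int]] = None   # None = any source port
    dst_ports: Optional[FrozenSet[int]] = None   # None = any destination port
    via: Optional[str] = None     # interface the packet crosses, None = any
    dst_loopback: bool = False    # rule 300's "to 127.0.0.0/8"


# Transcription of the posted ruleset (constructed for this example).
RULES = [
    Rule(100, "divert", "ip", via="rl1"),
    Rule(200, "allow", "ip", via="lo0"),
    Rule(300, "deny", "ip", dst_loopback=True),
    Rule(400, "allow", "tcp", src_ports=PORTS, via="rl1"),
    Rule(500, "allow", "tcp", dst_ports=PORTS, via="rl1"),
    Rule(600, "allow", "udp", dst_ports=frozenset({53}), via="rl1"),
    Rule(700, "allow", "udp", src_ports=frozenset({53}), via="rl1"),
    Rule(800, "allow", "ip", via="rl0"),
    Rule(900, "deny", "ip", via="rl1"),
    Rule(65535, "deny", "ip"),
]


def matches(r: Rule, pkt: dict) -> bool:
    """Does rule r match the packet under the simplified model?"""
    if r.proto != "ip" and r.proto != pkt["proto"]:
        return False
    if r.via is not None and pkt["iface"] != r.via:
        return False
    if r.dst_loopback and not pkt["dst_loopback"]:
        return False
    # ICMP carries no ports, so any port-qualified rule fails to match it.
    if r.src_ports is not None and pkt.get("sport") not in r.src_ports:
        return False
    if r.dst_ports is not None and pkt.get("dport") not in r.dst_ports:
        return False
    return True


def walk(pkt: dict, start: int = 0) -> Tuple[str, int, List[int]]:
    """One pass through the firewall: (verdict, terminating rule, rules hit)."""
    trace: List[int] = []
    i = start
    while i < len(RULES):
        r = RULES[i]
        if matches(r, pkt):
            trace.append(r.num)
            if r.action == "divert":
                # natd rewrites the addresses and the packet re-enters ipfw
                # at the rule after the divert rule; addresses are not
                # modelled, so the packet simply continues from there.
                i += 1
                continue
            return r.action, r.num, trace
        i += 1
    raise AssertionError("unreachable: rule 65535 matches everything")


def lan_flow(proto: str, sport: Optional[int], dport: Optional[int]):
    """Trace a LAN client's packet out through rl0/rl1 and its reply back.

    Returns one (hop, verdict, rule) tuple per hop, stopping at the first deny.
    """
    out = {"proto": proto, "sport": sport, "dport": dport, "dst_loopback": False}
    back = {"proto": proto, "sport": dport, "dport": sport, "dst_loopback": False}
    hops = [
        ("in rl0", dict(out, iface="rl0")),    # client -> gateway, inside interface
        ("out rl1", dict(out, iface="rl1")),   # gateway -> internet, diverted to natd
        ("in rl1", dict(back, iface="rl1")),   # reply from internet, diverted to natd
        ("out rl0", dict(back, iface="rl0")),  # reply forwarded back to the client
    ]
    verdicts = []
    for name, pkt in hops:
        action, num, _ = walk(pkt)
        verdicts.append((name, action, num))
        if action == "deny":
            break
    return verdicts


if __name__ == "__main__":
    # Constructed sample flows; 1025 stands in for a client's ephemeral port.
    for label, flow in [("tcp/80", ("tcp", 1025, 80)),
                        ("udp/53", ("udp", 1025, 53)),
                        ("tcp/8080", ("tcp", 1025, 8080)),
                        ("icmp echo", ("icmp", None, None))]:
        print(label, lan_flow(*flow))
```

Running the script shows the web and DNS flows terminating on rules 800/500/400/800 and 800/600/700/800 respectively, while a TCP flow to a port outside the list and an ICMP echo both pass rule 800 on rl0 and then fall through to the deny at rule 900 on rl1, which is the rule whose counters in the posted `ipfw show` output are climbing.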