From owner-freebsd-questions Thu Mar 25 16:12:25 1999 Delivered-To: freebsd-questions@freebsd.org Received: from cs.sfu.ca (cs.sfu.ca [142.58.111.1]) by hub.freebsd.org (Postfix) with ESMTP id 010F014D03 for ; Thu, 25 Mar 1999 16:12:23 -0800 (PST) (envelope-from tront@cs.sfu.ca) Received: from sockeye (sockeye [199.60.4.6]) by cs.sfu.ca (8.9.1/8.9.1) with SMTP id QAA08052; Thu, 25 Mar 1999 16:11:43 -0800 (PST) Message-Id: <3.0.3.32.19990325161143.00a12ea0@cs.sfu.ca> X-Sender: tront@cs.sfu.ca X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Thu, 25 Mar 1999 16:11:43 -0800 To: ari From: tront@cs.sfu.ca Subject: Re: natd Cc: jonc@pinnacle.co.nz, freebsd-questions@FreeBSD.ORG In-Reply-To: <36F9E951.E14254A3@suutari.iki.fi> References: <3.0.3.32.19990324124823.00a9b340@cs.sfu.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG At 09:44 AM 3/25/99 +0200, ari wrote: >tront@cs.sfu.ca wrote: >> >> Hi Ari, I am a university instructor of a network admin course that has >> been using freebsd unix for 2 years. We are trying natd for the first time >> on freebsd 2.2.7. And after checking all available documentation we are >> stumped as to why we can't even ping from the gateway to a public network >> machine while natd is running. >> We have followed the instructions on the man page exactly! >> We can ping from the internal machine to the gateway and visa versa. But >> not through the gateway to the public network. And more interestingly, not >> even from the gateway machine to the public network (one hop!). When we >> kill natd and remove the divert firewall rule, ping is successful in all >> ways, including relay through the gateway, so the connectivity and routing >> is good. >> >> The divert rule firewall timestamp is showing that it is being used at the >> time we attempt to pings, so the firewall is running. And the firewall >> only has the specified 2 rules plus the final 65535 deny rule. Also, we >> found that running natd in verbose mode generated no error messages. And >> running in log mode didn't seem to generate any log in alias.log. >> >> We have spent hours on this, and are beginning to disagree with the man >> page that states "Running natd is fairly straight forward". Can you give >> us another pointer or two on where to look for some error in our setup. > One common mistake is to run natd on wrong interface. You are supposed > to run it on the interface that is connected to public network. No, that isn't the problem. > If you can send a little bit more details about your setup > (interface names, addresses etc.) I can try to help you out. I have attached a dump of all kinds of useful information verifying my set up according to the 'running natd' part of the man page. I hope this helps. I have some things you might want to worry about: 1) in our lab, the outside public network has one of the 'test' network addresses 172.16/16. It there a chance that natd will refuse to forward to such a public network? 2) the address we are pinging is on the same network as the gateway's public address (i.e. direction connection one hop). 3) because of 2) above, we do not have a specific or default route for the ping's destination. A route is in the routing table for that network by virtue of the interface being brought up. 4) we are not putting any natd commands in a file, assumably everything that is needed can be typed into the command line. Here is the results of what my student dumped. 172.16/16 is the public network. 172.17/16 is the inside network. 172.16.1.6 is ed0, the public interface of the gateway. Any help would be appreciated. Russ Tront, Instructor, School of Computing Science, SFU. ---------------------------------------------------------------------------- ---------------------------------- Script started on Wed Mar 24 22:44:56 1999 You have mail. fall.net1.cs{root}:cd /usr/src/sys/i386/conf fall.net1.cs{root}:ls FALL LINT PCCARD files.i386 options.i386 GENERIC Makefile.i386 devices.i386 majors.i386 fall.net1.cs{root}:fgrep IPFIRTEWALL FALL options IPFIREWALL options IPFIREWALL_VERBOSE fall.net1.cs{root}:fgrep IPDIVERT FALL options IPDIVERT $ Divert sockets fall.net1.cs{root}:cd /etc fall.net1.cs{root}:fgrep gateway rc.conf defaultrouter="NO" # Set to default gateway (or NO). gateway_enable="YES" # Set to YES if this host will be a gateway. ipxgateway_enable="NO" # Set to YES to enable IPX routing. forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES") fall.net1.cs{root}:fgrep firewall rc.conf firewall_enable="YES" # Set to YES to enable firewall functionality firewall_type="open" # Firewall type (see /etc/rc.firewall) firewall_quiet="NO" # Set to YES to suppress rule display natd_enable="NO" # Enable natd if firewall_enable. fall.net1.cs{root}:fgrep natd rc.conf natd_enable="NO" # Enable natd if firewall_enable. natd_interface="fxp0" # Public interface to use with natd if natd_enable. natd_flags="" # Additional flags for natd. fall.net1.cs{root}:fgrep natd services natd 8668/divert #Network Address Translation fall.net1.cs{root}:ipfw -t list 00100 allow ip from any to any via lo0 00200 deny ip from any to 127.0.0.0/8 65000 Wed Mar 24 22:46:05 1999 allow ip from any to any 65535 deny ip from any to any fall.net1.cs{root}:ipfw -f flush Flushed all rules. fall.net1.cs{root}:ipfw add divert natd all from any to any via ed0 00000 divert 8668 ip from any to any via ed0 fall.net1.cs{root}:ipfw add pass all from any to any 00000 allow ip from any to any fall.net1.cs{root}:netstat -nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire 127.0.0.1 127.0.0.1 UH 0 0 lo0 172.16 link#1 UC 0 0 172.18 link#2 UC 0 0 fall.net1.cs{root}:netstat -i Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll ed0 1500 00.40.95.76.90.4b 5 0 1 0 0 ed0 1500 172.16 fall 5 0 1 0 0 ed1 1500 00.40.95.76.e4.d1 0 0 1 0 0 ed1 1500 172.18 fall.net3.cs 0 0 1 0 0 lp0* 1500 0 0 0 0 0 tun0* 1500 0 0 0 0 0 tun1* 1500 0 0 0 0 0 sl0* 552 0 0 0 0 0 sl1* 552 0 0 0 0 0 ppp0* 1500 0 0 0 0 0 ppp1* 1500 0 0 0 0 0 lo0 16384 48 0 48 0 0 lo0 16384 your-net localhost 48 0 48 0 0 fall.net1.cs{root}:netstat -r Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire localhost localhost UH 0 72 lo0 172.16 link#1 UC 0 0 172.18 link#2 UC 0 0 fall.net1.cs{root}:ipfw -t list 00100 Wed Mar 24 22:50:22 1999 divert 8668 ip from any to any via ed0 00200 Wed Mar 24 22:50:09 1999 allow ip from any to any 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any fall.net1.cs{root}:ping 172.16.1.7 PING 172.16.1.7 (172.16.1.7): 56 data bytes ^C --- 172.16.1.7 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss (((NOTE: this ping would have worked if not for the presence of the divert firewall rule and no natd running yet)))) fall.net1.cs{root}:natd -interface ed0 fall.net1.cs{root}:ping 172.16.1.7 PING 172.16.1.7 (172.16.1.7): 56 data bytes ^C --- 172.16.1.7 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss fall.net1.cs{root}:ps -aux USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND root 232 0.0 0.9 384 272 p0 R+ 10:52PM 0:00.00 ps -aux root 1 0.0 0.8 484 236 ?? Is 10:44PM 0:00.03 /sbin/init -- root 2 0.0 0.1 0 12 ?? DL 10:44PM 0:00.00 (pagedaemon) root 3 0.0 0.1 0 12 ?? DL 10:44PM 0:00.00 (vmdaemon) root 4 0.0 0.1 0 12 ?? DL 10:44PM 0:00.07 (update) root 99 0.0 1.8 204 540 ?? Ss 10:44PM 0:00.16 syslogd daemon 109 0.0 1.9 176 564 ?? Is 10:44PM 0:00.01 portmap root 131 0.0 2.0 208 608 ?? Is 10:44PM 0:00.07 inetd root 134 0.0 1.7 332 512 ?? Ss 10:44PM 0:00.04 cron root 137 0.0 1.8 208 540 ?? Is 10:44PM 0:00.01 lpd root 164 0.0 1.4 168 420 ?? Is 10:44PM 0:00.00 moused -p /dev root 173 0.0 2.4 372 720 ?? Is 10:44PM 0:02.23 /usr/local/sbi root 196 0.0 1.1 460 328 v0 Is 10:44PM 0:00.19 -csh (csh) root 197 0.0 1.8 180 544 v1 Is+ 10:44PM 0:00.03 /usr/libexec/g root 198 0.0 1.8 180 544 v2 Is+ 10:44PM 0:00.03 /usr/libexec/g root 204 0.0 1.5 216 460 v0 S+ 10:44PM 0:00.22 script huang root 205 0.0 1.1 456 336 p0 Ss 10:44PM 0:00.13 -h -i (csh) root 230 0.0 1.7 228 492 ?? Is 10:51PM 0:00.00 natd -interfac root 0 0.0 0.0 0 0 ?? DLs 10:44PM 0:00.01 (swapper) fall.net1.cs{root}:ipfw -t list 00100 Wed Mar 24 22:51:37 1999 divert 8668 ip from any to any via ed0 00200 Wed Mar 24 22:50:09 1999 allow ip from any to any 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any fall.net1.cs{root}:ping 172.16.1.7 PING 172.16.1.7 (172.16.1.7): 56 data bytes ^C --- 172.16.1.7 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss fall.net1.cs{root}:ipfw -t list 00100 Wed Mar 24 22:52:36 1999 divert 8668 ip from any to any via ed0 00200 Wed Mar 24 22:50:09 1999 allow ip from any to any 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any fall.net1.cs{root}:netstat -nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire 127.0.0.1 127.0.0.1 UH 0 120 lo0 172.16 link#1 UC 0 0 172.16.1.7 link#1 UHLW 0 8 172.18 link#2 UC 0 0 fall.net1.cs{root}:netstat -r Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire localhost localhost UH 0 120 lo0 172.16 link#1 UC 0 0 september link#1 UHLW 0 8 172.18 link#2 UC 0 0 fall.net1.cs{root}:netstat -i Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll ed0 1500 00.40.95.76.90.4b 8 0 1 0 0 ed0 1500 172.16 fall 8 0 1 0 0 ed1 1500 00.40.95.76.e4.d1 0 0 1 0 0 ed1 1500 172.18 fall.net3.cs 0 0 1 0 0 lp0* 1500 0 0 0 0 0 tun0* 1500 0 0 0 0 0 tun1* 1500 0 0 0 0 0 sl0* 552 0 0 0 0 0 sl1* 552 0 0 0 0 0 ppp0* 1500 0 0 0 0 0 ppp1* 1500 0 0 0 0 0 lo0 16384 224 0 224 0 0 lo0 16384 your-net localhost 224 0 224 0 0 fall.net1.cs{root}:ifconfig -a ed0: flags=8843 mtu 1500 inet 172.16.1.6 netmask 0xffff0000 broadcast 172.16.255.255 ether 00:40:95:76:90:4b ed1: flags=8843 mtu 1500 inet 172.18.1.1 netmask 0xffff0000 broadcast 172.18.255.255 ether 00:40:95:76:e4:d1 lp0: flags=8810 mtu 1500 tun0: flags=8010 mtu 1500 tun1: flags=8010 mtu 1500 sl0: flags=c010 mtu 552 sl1: flags=c010 mtu 552 ppp0: flags=8010 mtu 1500 ppp1: flags=8010 mtu 1500 lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 fall.net1.cs{root}:ping 172.16.1.5 PING 172.16.1.5 (172.16.1.5): 56 data bytes ^C --- 172.16.1.5 ping statistics --- 3 packets transmitted, 0 packets received, 100% packet loss fall.net1.cs{root}:ipfw -t list 00100 Wed Mar 24 22:55:51 1999 divert 8668 ip from any to any via ed0 00200 Wed Mar 24 22:55:27 1999 allow ip from any to any 65535 Wed Mar 24 22:47:35 1999 deny ip from any to any fall.net1.cs{root}:netstat -i Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll ed0 1500 00.40.95.76.90.4b 12 0 1 0 0 ed0 1500 172.16 fall 12 0 1 0 0 ed1 1500 00.40.95.76.e4.d1 0 0 1 0 0 ed1 1500 172.18 fall.net3.cs 0 0 1 0 0 lp0* 1500 0 0 0 0 0 tun0* 1500 0 0 0 0 0 tun1* 1500 0 0 0 0 0 sl0* 552 0 0 0 0 0 sl1* 552 0 0 0 0 0 ppp0* 1500 0 0 0 0 0 ppp1* 1500 0 0 0 0 0 lo0 16384 416 0 416 0 0 lo0 16384 your-net localhost 416 0 416 0 0 fall.net1.cs{root}:netstat -r Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire localhost localhost UH 0 440 lo0 172.16 link#1 UC 0 0 june link#1 UHLW 0 3 172.18 link#2 UC 0 0 fall.net1.cs{root}:netstat -nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire 127.0.0.1 127.0.0.1 UH 0 496 lo0 172.16 link#1 UC 0 0 172.16.1.5 link#1 UHLW 0 3 172.18 link#2 UC 0 0 fall.net1.cs{root}:exit Script done on Wed Mar 24 22:57:10 1999 *september's address 172.16.1.7 *june's address 172.16.1.5 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message