From: Philip Payne
To: 'Wayne Swart', FreeBSD Mailing list
Date: Thu, 8 May 2003 14:50:42 +0100
Message-ID: <36D04A8168B2D41182250008C7E6F8780374F6D4@ukcamexch2.cbg.uk.corp.eu.uu.net>
Subject: RE: ipfw + natd

Hi,

> -----Original Message-----
> From: Wayne Swart [mailto:fixx@fixx.co.za]
> Sent: 08 May 2003 13:31
> To: FreeBSD Mailing list
> Subject: ipfw + natd
>
> Lo
>
> I am running FreeBSD 4.8-RELEASE and have a problem with ipfw and natd.
>
> The two interfaces (dc0 and dc1) have the following IP setup:
>
> dc1 ip: 10.10.10.1
> dc0 ip: 196.x.x.x
>
> Now I can't do any requests through my box to "the outside" anymore,
> since I added a default deny rule.
>
> I use the following ipfw rules for the NAT, but they do not seem to have
> any impact on the requests that have to go through it.
>
> ipfw add divert natd all from any to any via dc0 out keep-state
> ipfw add allow all from 10.10.10.0/24 to any via dc0 out keep-state
> ipfw add allow all from 10.10.10.0/24 to any via dc1 in keep-state
>
> Is there an easier way to troubleshoot this?
>
> Any help is appreciated...

Generally speaking, a good way to start is to switch on logging on every rule and also include a specific deny-all rule that logs at the end of your rule list. That way, you guarantee picking up what traffic is being dropped and by which rule; therefore, you can start to see what useful traffic the previous default allow was letting through and allow it specifically.

If your log is too noisy you'll either need to manipulate the output using grep -v or perl, or an alternative is to start introducing more specific rules that do not log, to filter out the noise. Once you're sorted, switch off the logging.

Hope that helps.

Phil.
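As an added illustration of Phil's approach (example written for this archive page, not code from either poster): the first function prints Wayne's three rules with `log` added plus a final logging deny; the second is the grep -v / awk triage Phil describes, run here over constructed log lines in the FreeBSD 4.x `ipfw:` syslog format. Rule numbers, the `gw` hostname, the sample lines and the `198.51.100.1` stand-in for the redacted 196.x.x.x address are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows Phil's suggestion of
# logging every rule plus a final logging deny, and a small triage of the
# resulting /var/log/security lines so that known noise can be filtered out.

# Print Wayne's rules with "log" added and a final logging deny-all.
# The sysctl is needed on FreeBSD 4.x for the "log" keyword to produce
# output (kernel option IPFIREWALL_VERBOSE). Rule numbers are constructed.
# On the gateway this would be run as:  diag_rules | sh
diag_rules() {
    cat <<'EOF'
sysctl net.inet.ip.fw.verbose=1
ipfw add 100 divert natd log all from any to any via dc0 out keep-state
ipfw add 200 allow log all from 10.10.10.0/24 to any via dc0 out keep-state
ipfw add 300 allow log all from 10.10.10.0/24 to any via dc1 in keep-state
ipfw add 65000 deny log all from any to any
EOF
}

# Constructed sample of what the logged rules produce in /var/log/security.
# Format: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>";
# ICMP is logged as ICMP:<type>.<code> with no ports.
# 198.51.100.1 stands in for the poster's redacted 196.x.x.x address.
SAMPLE_LOG='May  8 14:50:21 gw /kernel: ipfw: 300 Accept TCP 10.10.10.5:1034 196.1.2.3:80 in via dc1
May  8 14:50:21 gw /kernel: ipfw: 65000 Deny TCP 10.10.10.5:1034 196.1.2.3:80 out via dc0
May  8 14:50:22 gw /kernel: ipfw: 65000 Deny UDP 10.10.10.5:1035 196.1.2.4:53 out via dc0
May  8 14:50:23 gw /kernel: ipfw: 65000 Deny UDP 10.10.10.1:138 10.10.10.255:138 in via dc1
May  8 14:50:24 gw /kernel: ipfw: 65000 Deny UDP 10.10.10.7:137 10.10.10.255:137 in via dc1
May  8 14:50:25 gw /kernel: ipfw: 65000 Deny ICMP:8.0 196.1.2.9 198.51.100.1 in via dc0'

# Traffic we have decided is uninteresting (here: NetBIOS broadcasts on the
# inside LAN), removed with grep -v as Phil suggests. Extended regex.
NOISE='10\.10\.10\.255:13[789]'

# Read syslog lines on stdin; print "count rule proto -> dst dir iface"
# for every dropped flow that is not noise, most frequent first.
denied_summary() {
    grep 'ipfw: [0-9]* Deny' |
    grep -Ev "$NOISE" |
    awk '{
        # locate the "ipfw:" token so the prefix length does not matter
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6); iface = $(i+8)
        key = rule " " proto " -> " dst " " dir " " iface
        n[key]++
    }
    END { for (k in n) print n[k], k }' |
    sort -rn
}

# Stand-alone run: show the rules, then the summary of the sample log.
diag_rules
echo "--- dropped traffic (noise removed) ---"
printf '%s\n' "$SAMPLE_LOG" | denied_summary
```

In the sample the summary shows that the final deny rule is catching the LAN's outbound web, DNS and inbound ping traffic on dc0, which is exactly the "useful traffic the previous default allow was letting through" that Phil says to allow specifically; the two NetBIOS broadcast lines are dropped from the report by the NOISE pattern.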