From owner-freebsd-questions Mon Oct 2 17:13:58 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from kearneys.ca (cr442866-a.crdva1.bc.wave.home.com [24.115.134.86]) by hub.freebsd.org (Postfix) with SMTP id 4ABD637B503 for ; Mon, 2 Oct 2000 17:13:56 -0700 (PDT)
Received: (qmail 6979 invoked by uid 1000); 3 Oct 2000 00:18:20 -0000
Date: Mon, 2 Oct 2000 17:18:20 -0700
From: Brent Kearney
To: Steve Jorgensen
Cc: FreeBSD Questions
Subject: Re: ipfw & natd config problems
Message-ID: <20001002171820.B6866@kearneys.ca>
References: <200010021919.NAA09032@khoral.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <200010021919.NAA09032@khoral.com>; from steve@khoral.com on Mon, Oct 02, 2000 at 01:19:01PM -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Oct 02, 2000 at 01:19:01PM -0600, Steve Jorgensen wrote:
>
> I'm trying to set up a FreeBSD-4.1.1 box as a
> firewall for my network. We're using ipfw and natd.
> I've got things pretty much working, but I'm having
> two problems:
>
> #1: I get lots of messages like:
>
>   natd[163]: failed to write packet back (Permission denied)
>
> I can't figure out why this is happening.
>
> #2: Externally, I can get to our webserver using the
> public address (www.khoral.com). However, internally,
> I get connection denied whenever I use www.khoral.com,
> but the internal hostname works fine. Natd is redirecting
> port 80 on the external interface to the internal web
> server. Is there any way to configure this so that the
> external names for ftp and www work for internal machines?
>
> Thanks for any help.

It sounds like ipfw is blocking access from 192.168. (or some other
internal net) addresses on one interface.

Look in your rc.firewall for a rule like:

  $fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
  $fwcmd add deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}

Aside from playing around with this type of fw rule, try starting natd
in debug mode to get a closer look at what is going on.

Good luck!

-Brent

---------------------------------------------------------------
Brent Kearney                                brent@kearneys.ca
"...thus the metric system did not really catch on in the States,
unless you count the increasing popularity of the nine-millimeter
bullet." --Dave Barry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
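To make it easier to see which traffic the two rc.firewall rules Brent points at actually catch, here is an added example that is not part of the original thread or of FreeBSD's own rc.firewall: a small Python model of ipfw's first-match evaluation for the "all from <src> to <dst> [via <iface>]" subset of the rule syntax. The interface name ed0 for ${oif}, the 192.168.1.0/24 inner subnet and the packets are all constructed for the example; the trailing "allow all from any to any" and the default rule number 65535 are assumptions that stand in for whatever the real rc.firewall ends with.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str    # source IPv4 address
    dst: str    # destination IPv4 address
    iface: str  # interface the packet is being received or transmitted on


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str]              # None means "any interface"
    log: bool = False


def parse_addr(text: str) -> ipaddress.IPv4Network:
    """Accept 'any', a plain address, or ipfw's addr:netmask form."""
    if text == "any":
        return ANY
    if ":" in text:
        net, mask = text.split(":", 1)
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ipaddress.ip_network(text, strict=False)


def parse_rule(number: int, text: str) -> Rule:
    """Parse '<action> [log] all from <src> to <dst> [via <iface>]' (a subset of ipfw syntax)."""
    toks = text.split()
    action, i, log = toks[0], 1, False
    if toks[i] == "log":
        log, i = True, i + 1
    if toks[i] != "all" or toks[i + 1] != "from" or toks[i + 3] != "to":
        raise ValueError(f"unsupported rule syntax: {text}")
    src = parse_addr(toks[i + 2])
    dst = parse_addr(toks[i + 4])
    via = None
    rest = toks[i + 5:]
    if rest:
        if rest[0] != "via" or len(rest) != 2:
            raise ValueError(f"unsupported rule suffix: {' '.join(rest)}")
        via = rest[1]
    return Rule(number, action, src, dst, via, log)


def matches(rule: Rule, pkt: Packet) -> bool:
    # 'via' matches the packet whether it is entering or leaving that interface.
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.via is None or rule.via == pkt.iface))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """First matching rule wins; unmatched packets hit the default rule (assumed deny, number 65535)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "deny"


OIF = "ed0"  # constructed stand-in for ${oif}
RULESET = [
    parse_rule(100, f"deny all from 192.168.0.0:255.255.0.0 to any via {OIF}"),
    parse_rule(200, f"deny log all from any to 192.168.0.0:255.255.0.0 via {OIF}"),
    parse_rule(300, "allow all from any to any"),  # assumed catch-all for the example
]


def classify(pkt: Packet) -> Tuple[int, str]:
    return evaluate(RULESET, pkt)


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("192.168.1.10", "203.0.113.5", OIF),   # untranslated inner address leaving the outer interface
        Packet("203.0.113.5", "192.168.1.10", OIF),   # inner address showing up as a destination on the outer interface
        Packet("192.168.1.10", "192.168.1.1", "fxp0"),  # purely internal traffic on the inner interface
        Packet("203.0.113.5", "203.0.113.7", OIF),    # public-to-public traffic on the outer interface
    ]
    for pkt in samples:
        number, action = classify(pkt)
        print(f"{pkt.src:>14} -> {pkt.dst:<14} via {pkt.iface}: rule {number} {action}")
```

Running it shows that both deny rules only fire when a packet carrying an inner-network address is seen on ${oif}; the same traffic on the inner interface passes them untouched, which is why the placement of such rules relative to the interface natd translates on is what to inspect first.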