From owner-freebsd-ipfw Sun Jun 2 11:04:26 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from moutvdomng1.kundenserver.de (moutvdomng1.kundenserver.de [195.20.224.131])
    by hub.freebsd.org (Postfix) with ESMTP id D26B437B406;
    Sun, 2 Jun 2002 11:04:16 -0700 (PDT)
Received: from [195.20.224.219] (helo=mrvdom03.kundenserver.de)
    by moutvdomng1.kundenserver.de with esmtp (Exim 3.22 #2)
    id 17EZi7-0005ja-00; Sun, 02 Jun 2002 20:04:11 +0200
Received: from p3e9e198d.dip0.t-ipconnect.de ([62.158.25.141] helo=encephalon.de)
    by mrvdom03.kundenserver.de with esmtp (Exim 2.12 #3)
    id 17EZi6-0005XA-00; Sun, 2 Jun 2002 20:04:11 +0200
Received: from chuckie.encephalon.de (localhost.encephalon.de [127.0.0.1])
    by encephalon.de (8.12.3/8.11.6) with ESMTP id g52I5j0p001296;
    Sun, 2 Jun 2002 20:05:45 +0200 (CEST)
    (envelope-from plankalkuel@chuckie.encephalon.de)
Received: (from plankalkuel@localhost)
    by chuckie.encephalon.de (8.12.3/8.12.3/Submit) id g52I5h5o001293;
    Sun, 2 Jun 2002 20:05:43 +0200 (CEST)
    (envelope-from plankalkuel)
Date: Sun, 2 Jun 2002 20:05:39 +0200
From: "a.s.gruner"
To: freebsd-ipfw@freebsd.org
Cc: freebsd-questions@freebsd.org
Subject: ipfw+natd+ppp problem
Message-ID: <20020602200539.A1206@encephalon.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
X-Operating-System: FreeBSD 4.6-RC i386
X-Editor: vi
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi.

I have some problems with setting up ipfw+ppp+natd on my FreeBSD 4.6-RC machine.

ppp is working perfectly (user ppp).

Now I want to run ipfw as firewall and natd for the Windows box.
FreeBSD box has the interface xl0 with the IP 192.168.0.1
Windows box has the IP 192.168.0.2
I can ping both of them.

But I am not able to connect to the internet with the Windows box via the FreeBSD box.

OK, first the configuration:

/etc/rc.conf:
(just the parts for ipfw and natd)

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_script="/etc/firewall/fwrules"

    natd_program="/sbin/natd"
    natd_enable="YES"
    natd_interface="tun0"
    natd_flags="-dynamic"

/etc/firewall/fwrules:

    ipfw add 65534 allow ip from any to any

Yeah, I know there is no rule right now, it is all allowed. Well, on my FreeBSD box everything is working perfectly.

Ah, my kernel: I inserted these lines and compiled a new one before I did the above changes:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
    options IPDIVERT

On my FreeBSD box wwwoffle is also running, but whether this proxy is running or not, there is no difference, the Windows box can't get to the internet....

On my Windows box I can't ping to the outside, and can't get a webpage at all.

I am running ppp like:

    #ppp
    >dial internet

Hmm, well, I hope I haven't forgotten anything, so that someone can help me out of this.

Uh, I read that, before natd is running, ppp has to run. Well, I am using a dial-up modem connection and I don't want to run ppp on startup, so, is this the problem, that I am running natd before I run ppp? Well, if I kill natd, run ppp (connect to the internet) and start natd again, the Windows box can't get a connection either.

On the Windows box, I have inserted the DNS server IP, like the one on the FreeBSD box in resolv.conf, and the gateway IP is the IP of the FreeBSD box, 192.168.0.1 (xl0).
asg

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Sun Jun 2 13:49:25 2002
Date: Sun, 02 Jun 2002 13:49:19 -0700
From: Darren Pilgrim
To: "a.s.gruner"
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: ipfw+natd+ppp problem
Message-ID: <3CFA84CF.E5AD5853@pantherdragon.org>
References: <20020602200539.A1206@encephalon.de>

"a.s.gruner" wrote:
>
> Hi.
>
> I have some problems with setting up ipfw+ppp+natd on my FreeBSD
> 4.6-RC machine.

Have you tried using the ppp -nat function instead of natd? It generally seems to work better, and the extra features natd provides aren't really needed for basic dialup access (and you can make up for them with ipfw).
From owner-freebsd-ipfw Sun Jun 2 16:04:18 2002
Date: Sun, 2 Jun 2002 16:04:08 -0700
From: "Crist J. Clark"
To: "a.s.gruner"
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw+natd+ppp problem
Message-ID: <20020602160408.J20911@blossom.cjclark.org>
In-Reply-To: <20020602200539.A1206@encephalon.de>

On Sun, Jun 02, 2002 at 08:05:39PM +0200, a.s.gruner wrote:
> Hi.
>
> I have some problems with setting up ipfw+ppp+natd on my FreeBSD
> 4.6-RC machine.
>
> ppp is working perfectly (user ppp).

Don't use natd(8) and ppp(8). ppp(8) has NAT built in. Use the '-nat' switch or enable it in the ppp.conf file.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Sun Jun 2 22:17:25 2002
Date: Mon, 3 Jun 2002 07:18:35 +0200
From: "a.s.gruner"
To: Darren Pilgrim
Cc: freebsd-ipfw@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: ipfw+natd+ppp problem
Message-ID: <20020603071835.A894@encephalon.de>
In-Reply-To: <3CFA84CF.E5AD5853@pantherdragon.org>

Hi.

> Have you tried using the ppp -nat function instead of natd? It
> generally seems to work better, and the extra features natd provides
> aren't really needed for basic dialup access (and you can make up for
> them with ipfw).

No I haven't. I know that option, but I want to use natd like it is described in an article on freebsd.org. It is strange that it is not working for me. I also read that ppp+natd is more powerful than the ppp -nat option.
So, do you have an idea how I can fix my problem?

asg

From owner-freebsd-ipfw Sun Jun 2 22:54:53 2002
Date: Mon, 3 Jun 2002 00:54:35 -0500 (EST)
From: Andre LeClaire
To: "a.s.gruner"
Subject: Re: ipfw+natd+ppp problem
In-Reply-To: <20020602200539.A1206@encephalon.de>
Message-ID: <20020603003926.T335-100000@localhost>

I'm not sure about ppp, but natd works great with pppd. However, it looks to me like you need a "divert natd" rule in your firewall script. Refer to /etc/rc.firewall. Actually, the easiest thing would be to delete the "firewall_script" line, and add "firewall_type="OPEN"" to /etc/rc.conf.

Andre

On Sun, 2 Jun 2002, a.s.gruner wrote:

> Hi.
>
> I have some problems with setting up ipfw+ppp+natd on my FreeBSD
> 4.6-RC machine.
>
> ppp is working perfectly (user ppp).
>
> Now I want to run ipfw as firewall and natd for the Windows box.
> FreeBSD box has the interface xl0 with the IP 192.168.0.1
> Windows box has the IP 192.168.0.2
> I can ping both of them.
>
> But I am not able to connect to the internet with the Windows box via
> the FreeBSD box.
> OK, first the configuration:
>
> /etc/rc.conf:
> (just the parts for ipfw and natd)
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_script="/etc/firewall/fwrules"
>
> natd_program="/sbin/natd"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-dynamic"
>
>
> /etc/firewall/fwrules:
>
> ipfw add 65534 allow ip from any to any
>
>
> Yeah, I know there is no rule right now, it is all allowed. Well, on my
> FreeBSD box everything is working perfectly.
>
> Ah, my kernel: I inserted these lines and compiled a new one before I did
> the above changes:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options IPDIVERT
>
>
> On my FreeBSD box wwwoffle is also running, but whether this proxy is running
> or not, there is no difference, the Windows box can't get to the internet....
>
> On my Windows box I can't ping to the outside, and can't get a webpage at
> all.
>
> I am running ppp like:
>
> #ppp
> >dial internet
>
> Hmm, well, I hope I haven't forgotten anything, so that someone can help me
> out of this.
>
> Uh, I read that, before natd is running, ppp has to run. Well, I am
> using a dial-up modem connection and I don't want to run ppp on startup,
> so, is this the problem, that I am running natd before I run ppp? Well,
> if I kill natd, run ppp (connect to the internet) and start natd again,
> the Windows box can't get a connection either.
>
> On the Windows box, I have inserted the DNS server IP, like the one on the
> FreeBSD box in resolv.conf, and the gateway IP is the IP of the FreeBSD
> box, 192.168.0.1 (xl0).
>
> asg

From owner-freebsd-ipfw Sun Jun 2 23:17:21 2002
Date: Sun, 2 Jun 2002 23:17:06 -0700
From: "Crist J. Clark"
To: "a.s.gruner"
Cc: Darren Pilgrim, freebsd-ipfw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw+natd+ppp problem
Message-ID: <20020602231706.K20911@blossom.cjclark.org>
In-Reply-To: <20020603071835.A894@encephalon.de>

On Mon, Jun 03, 2002 at 07:18:35AM +0200, a.s.gruner wrote:
> Hi.
>
> > Have you tried using the ppp -nat function instead of natd? It
> > generally seems to work better, and the extra features natd provides
> > aren't really needed for basic dialup access (and you can make up for
> > them with ipfw).
>
> No I haven't. I know that option, but I want to use natd like it is
> described in an article on freebsd.org. It is strange that it is not
> working for me. I also read that ppp+natd is more powerful than the ppp
> -nat option.

It depends. natd(8) and ppp(8) use the exact same code to do NAT, libalias(3). natd(8) has some additional options and since you can direct what goes to natd(8) using ipfw(8) rules, there is some more flexibility... However, that additional "flexibility" is only something else to go wrong if you do not really need it.

> So, do you have an idea how I can fix my problem?

Well, the most obvious thing was that you didn't have a divert(4) rule in your firewall. But unless there is something you want to do with natd(8)-ipfw(8) that you can't do with ppp(8) '-nat,' I'd start by getting ppp(8) working right. If you still want to try out natd(8), wait to do it until after you have gotten ppp(8) working correctly.
--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw Mon Jun 3 03:13:49 2002
Date: Mon, 3 Jun 2002 12:14:52 +0200
From: "a.s.gruner"
To: Andre LeClaire
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw+natd+ppp problem
Message-ID: <20020603121452.A1685@encephalon.de>
In-Reply-To: <20020603003926.T335-100000@localhost>

Hi.

> I'm not sure about ppp, but natd works great with pppd. However,
> it looks to me like you need a "divert natd" rule in your firewall

That's it. I just did not see that, or it was not described that you need it to use ppp+natd. Thanks.
Maybe you can help me with another question: is it possible that the Windows box activates the ppp, so that ppp on the FreeBSD box dials the number of the provider? So, right now, I have to dial on the FreeBSD box, and after that the Windows box can connect. So can I dial from the Windows box (the modem is connected to the FreeBSD box)? I don't want a permanent connection, just if I need it.

asg

From owner-freebsd-ipfw Mon Jun 3 03:17:53 2002
Date: Mon, 3 Jun 2002 12:18:53 +0200
From: "a.s.gruner"
To: "Crist J. Clark"
Cc: Darren Pilgrim, freebsd-ipfw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw+natd+ppp problem
Message-ID: <20020603121853.B1685@encephalon.de>
In-Reply-To: <20020602231706.K20911@blossom.cjclark.org>

Hi.

> Well, the most obvious thing was that you didn't have a divert(4) rule
> in your firewall. But unless there is something you want to do with
> natd(8)-ipfw(8) that you can't do with ppp(8) '-nat,' I'd start by
> getting ppp(8) working right. If you still want to try out natd(8),
> wait to do it until after you have gotten ppp(8) working correctly.

It was "divert"; I had just forgotten that one. Or it was not described in the places I took a look. Well, well... (or I am blind....)
And ppp has been working perfectly for the last few years, so it was just that damn "divert". But now it is working. Thanks.
asg

From owner-freebsd-ipfw Mon Jun 3 03:37:21 2002
Date: Mon, 3 Jun 2002 13:20:37 +0300 (EEST)
From: Alexander V Zubchenko
To: "a.s.gruner"
Cc: Andre LeClaire
Subject: Re: ipfw+natd+ppp problem
In-Reply-To: <20020603121452.A1685@encephalon.de>
Message-ID: <20020603131702.Q29163-100000@server.hermes-comp.zp.ua>

Hi, All

On Mon, 3 Jun 2002, a.s.gruner wrote:

> Maybe you can help me with another question: is it possible that the
> Windows box activates the ppp, so that ppp on the FreeBSD box dials
> the number of the provider? So, right now, I have to dial on the
> FreeBSD box, and after that the Windows box can connect. So can I dial
> from the Windows box (the modem is connected to the FreeBSD box)? I don't want
> a permanent connection, just if I need it.
>
> asg

Create a user with ppp as shell, and log into the FreeBSD box by telnet.
In csh you may provide .logout to disconnect after logging out.

With best for us all,
Stalker.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jun 3 8:19:30 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from alpha.yumyumyum.org (dsl092-171-091.wdc1.dsl.speakeasy.net [66.92.171.91]) by hub.freebsd.org (Postfix) with ESMTP id 2096F37B401; Mon, 3 Jun 2002 08:19:25 -0700 (PDT) Received: from alpha.yumyumyum.org (localhost [127.0.0.1]) by alpha.yumyumyum.org (8.12.3/8.12.2) with ESMTP id g53FJ827009000; Mon, 3 Jun 2002 11:19:08 -0400 (EDT) (envelope-from culverk@alpha.yumyumyum.org) Received: from localhost (culverk@localhost) by alpha.yumyumyum.org (8.12.3/8.12.3/Submit) with ESMTP id g53FJ6Oi008997; Mon, 3 Jun 2002 11:19:06 -0400 (EDT) (envelope-from culverk@alpha.yumyumyum.org) Date: Mon, 3 Jun 2002 11:19:06 -0400 (EDT) From: Kenneth Culver To: "a.s.gruner" Cc: Darren Pilgrim , , Subject: Re: ipfw+natd+ppp problem In-Reply-To: <20020603071835.A894@encephalon.de> Message-ID: <20020603111841.R8996-100000@alpha.yumyumyum.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG You really should just use ppp -nat, natd, and ppp -nat use the same nat library, so they really are almost the same. Ken On Mon, 3 Jun 2002, a.s.gruner wrote: > Hi. > > > Have you tried using the ppp -nat function instead of natd? It > > generally seems to work better, and the extra features natd provides > > aren't really needed for basic dialup access (and you can make up for > > them with ipfw). > > No i havent, i kno that option but i want to use natd like it is > described in an article on freebsd.org. It is strange that it is not > working with me. I also read that ppp+natd is more powerfull then ppp > -nat option. > So, do you have an idea how i can fix my problem ? 
> > asg > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Mon Jun 3 10:52:32 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63]) by hub.freebsd.org (Postfix) with ESMTP id 9A40837B404; Mon, 3 Jun 2002 10:52:23 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by sccrmhc03.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020603175222.KGRJ20219.sccrmhc03.attbi.com@blossom.cjclark.org>; Mon, 3 Jun 2002 17:52:22 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g53HqKl38507; Mon, 3 Jun 2002 10:52:20 -0700 (PDT) (envelope-from crist.clark@attbi.com) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Mon, 3 Jun 2002 10:52:20 -0700 From: "Crist J. Clark" To: "a.s.gruner" Cc: Darren Pilgrim , freebsd-ipfw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: ipfw+natd+ppp problem Message-ID: <20020603105220.A38492@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20020602200539.A1206@encephalon.de> <3CFA84CF.E5AD5853@pantherdragon.org> <20020603071835.A894@encephalon.de> <20020602231706.K20911@blossom.cjclark.org> <20020603121853.B1685@encephalon.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020603121853.B1685@encephalon.de>; from plankalkuel@encephalon.de on Mon, Jun 03, 2002 at 12:18:53PM +0200 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jun 03, 2002 at 12:18:53PM +0200, a.s.gruner wrote: > Hi. 
> > > Well, the most obvious thing was that you didn't have a divert(4) rule > > in your firewall. But unless there is something you want to do with > > natd(8)-ipfw(8) that you can't do with ppp(8) '-nat,' I'd start by > > getting ppp(8) working right. If you still want to try out natd(8), > > wait to do it until after you have gotten ppp(8) working correctly. > > It was "divert" i have just forgotten that one. Or, it was not described > in the places i took a look. well well... (or i am blind....) Might want to schedule a trip to the ophthalmologist. From natd(8), 1. You will need to adjust the /etc/rc.firewall script to taste. If you are not interested in having a firewall, the following lines will do: /sbin/ipfw -f flush /sbin/ipfw add divert natd all from any to any via ed0 /sbin/ipfw add pass all from any to any The second line depends on your interface (change `ed0' as appropri- ate). -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Thu Jun 6 11:14:20 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id 4AE5437B401; Thu, 6 Jun 2002 11:14:15 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020606181415.URIF2751.rwcrmhc52.attbi.com@blossom.cjclark.org>; Thu, 6 Jun 2002 18:14:15 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g56IECL93337; Thu, 6 Jun 2002 11:14:12 -0700 (PDT) (envelope-from crist.clark@attbi.com) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Thu, 6 Jun 2002 11:14:12 -0700 From: "Crist J. 
Clark" To: "a.s.gruner" Cc: Andre LeClaire , freebsd-ipfw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: ipfw+natd+ppp problem Message-ID: <20020606111412.A93321@blossom.cjclark.org> Reply-To: "Crist J. Clark" References: <20020602200539.A1206@encephalon.de> <20020603003926.T335-100000@localhost> <20020603121452.A1685@encephalon.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020603121452.A1685@encephalon.de>; from plankalkuel@encephalon.de on Mon, Jun 03, 2002 at 12:14:52PM +0200 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Mon, Jun 03, 2002 at 12:14:52PM +0200, a.s.gruner wrote: > > Hi. > > > I'm not sure about ppp, but natd works great with pppd. However, > > it looks to me like you need a "divert natd" rule in your firewall > > Thats it. I just did not see that, or, it was not described that you > need it to use ppp+natd. Thanks. > Maybe you can help me with another questions, is it able that the > windows box activates the ppp, so that ppp on the freebsd box is dialing > the number of the provider ? So, right now, i have to dial on the > freebsd box, and after that the windows box can connect. So can i dial > from the windows box (the modem is conected to freebsd box). I dont want > a permanent connection, just if i need it. You can use the '-auto' option to have ppp(8) bring up the link when it detects traffic that needs to go over it. -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Sat Jun 8 20:19:31 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by hub.freebsd.org (Postfix) with ESMTP id 2EDB737B403; Sat, 8 Jun 2002 20:19:10 -0700 (PDT) Received: (from rizzo@localhost) by iguana.icir.org (8.11.6/8.11.3) id g593J9q41863; Sat, 8 Jun 2002 20:19:09 -0700 (PDT) (envelope-from rizzo) Date: Sat, 8 Jun 2002 20:19:09 -0700 From: Luigi Rizzo To: ipfw@freebsd.org Subject: New ipfw code available Message-ID: <20020608201909.A41807@iguana.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG [Bcc to -current because it is relevant there as well -- sorry for the crosspost] Hi, over the past 2-3 weeks I have done an extensive rewrite of the ipfw code (userland + kernel) in an attempt to make it faster and more flexible. The idea (which I discussed a few times on the mailing lists) was to replace the current ipfw rules (macroinstructions) with a set of microinstructions, each of them performing a single operation such as matching an address, or a port range, or a protocol flag, etc. -- much in the spirit of BPF and derivatives -- and to let the userland front-end compile ipfw(8) commands into an appropriate set of microinstructions. There are several advantages in using this technique: first of all, instructions are typically shorter and faster, because the former code had to check for the presence of all the possible options in a rule, whereas the new one can simply do just the things that are required -- e.g. 
an instruction like

    allow ip from 1.2.3.0/24 to any

translates to a couple of microinstructions (whose complete implementation is below the instructions themselves):

    O_IP_DST:
        if (((ipfw_insn_ip *)cmd)->addr.s_addr ==
            (dst_ip.s_addr & ((ipfw_insn_ip *)cmd)->mask.s_addr))
            goto cmd_match;
        goto cmd_fail;

    O_ACCEPT:
        retval = 0;     /* accept */
        goto accept;

But there is a lot more -- the instruction set is easily extensible, and without backward compatibility problems. Furthermore, you can build (and I have already implemented them) more complex rules by assembling microinstructions with OR and NOT operands. I.e. you can write something like:

    pipe 10 tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 21-25,1024-4095 \
        to any in recv ed0 or recv fxp1 or recv dc0 uid 35 or uid 50

You get the idea...

I have a fairly complete version of the above code at the moment, which is only missing a small set of functionalities (ip/tcp flags matching, "log" and fixing hooks to the stateful code). However the glue to implement all the missing pieces is already there, it is just a matter of adding a few lines of code and testing things.

Other than that, the code is meant to be fully compatible with the old syntax so you will not have to rewrite your existing rulesets.

I have put a preliminary snapshot of this code (for CURRENT) at

    http://info.iet.unipi.it/~luigi/ipfw5.20020609.tgz

It replaces the following files from a recent (2002/05/14) version of -current.

    sys/netinet/ip_dummynet.c
    sys/netinet/ip_fw.c
    sys/netinet/ip_fw.h
    sbin/ipfw/ipfw.c

I would be very grateful if someone could have a look at the code, maybe give it a try, and see e.g. how it compiles your typical ruleset and whether the new extensions can make your ipfw rulesets simpler.

Feedback welcome, both on the architecture and on the implementation.
NOTE: if people wonder why I did not use BPF and reinvented the wheel: the keyword is "backward compatibility" -- I thought it was a bit too complex to compile the existent ipfw syntax into BPF, especially because BPF, at least as far as I know, does not handle UIDs and GIDs and interface matches and different "actions" than match or not match, so I would have had to extend the code anyways, at which point I thought I could as well write my own microinstruction set...

cheers
luigi

-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it    . Dip. di Ing. dell'Informazione
http://www.iet.unipi.it/~luigi/    . Universita` di Pisa
TEL/FAX: +39-050-568.533/522       . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------

From owner-freebsd-ipfw Sat Jun 8 21: 8:40 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mail.robhughes.com (12-237-138-77.client.attbi.com [12.237.138.77]) by hub.freebsd.org (Postfix) with SMTP id 26C1937B400 for ; Sat, 8 Jun 2002 21:08:37 -0700 (PDT)
Received: (qmail 38114 invoked from network); 9 Jun 2002 04:08:36 -0000
Received: from hexch01.robhughes.com (192.168.1.3) by ns2.robhughes.com with SMTP; 9 Jun 2002 04:08:36 -0000
Received: from kahuna-ws.robhughes.com ([192.168.1.16]) by HEXCH01.robhughes.com with Microsoft SMTPSVC(5.0.2195.4905); Sat, 8 Jun 2002 23:08:36 -0500
Subject: Re: New ipfw code available
From: Rob Hughes
To: ipfw@freebsd.org
In-Reply-To: <20020608201909.A41807@iguana.icir.org>
References: <20020608201909.A41807@iguana.icir.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-Hqh2pPOEGe+QmuqBaYlF"
X-Mailer: Ximian Evolution 1.0.5 (1.0.5-2)
Date: 08 Jun 2002 23:08:36 -0500
Message-Id:
<1023595716.7373.17.camel@kahuna-ws.robhughes.com>
Mime-Version: 1.0
X-OriginalArrivalTime: 09 Jun 2002 04:08:36.0438 (UTC) FILETIME=[53F68F60:01C20F6B]
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 2002-06-08 at 22:19, Luigi Rizzo wrote:
> [Bcc to -current because it is relevant there as well -- sorry for the
> crosspost]
>
> Hi,
> over the past 2-3 weeks I have done an extensive rewrite of the
> ipfw code (userland + kernel) in an attempt to make it faster and
> more flexible.

Just incredible work. When (not if) this is completed, ipfw will undoubtedly be the best OSS firewalling code anywhere.
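A toy evaluator for the microinstruction scheme Luigi describes in his message above (a masked address compare per O_IP_DST, a terminal O_ACCEPT, and "or"/"not" composition of match terms), written here as an added example. It is not code from the ipfw5 snapshot or from anyone in this thread; the invert/or_next flags, the O_IP_SRC/O_PROTO/O_DENY opcodes and the IP4() macro are this example's own constructions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* O_IP_DST and O_ACCEPT follow the message's naming; the other opcodes, the
 * invert/or_next flags and IP4() are this example's own (host byte order). */
enum opcode { O_IP_SRC, O_IP_DST, O_PROTO, O_ACCEPT, O_DENY };
#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
struct insn {
    enum opcode op;
    bool invert, or_next;   /* "not" flips this match; "or" chains it to the next term */
    uint32_t addr, mask;    /* O_IP_*: matches when addr == (packet_addr & mask) */
    uint8_t proto;          /* O_PROTO */
};

static bool match_one(const struct insn *in, uint32_t src, uint32_t dst, uint8_t proto)
{
    bool m = false;
    switch (in->op) {
    case O_IP_SRC: m = in->addr == (src & in->mask); break;
    case O_IP_DST: m = in->addr == (dst & in->mask); break;
    case O_PROTO:  m = in->proto == proto;           break;
    }
    return m != in->invert;
}

/* Walk one compiled rule: 1 = accept, 0 = deny, -1 = no match (go to next rule). */
int run_rule(const struct insn *rule, size_t n, uint32_t src, uint32_t dst, uint8_t proto)
{
    for (size_t i = 0; i < n; i++) {
        if (rule[i].op == O_ACCEPT || rule[i].op == O_DENY) return rule[i].op == O_ACCEPT;
        bool m = match_one(&rule[i], src, dst, proto);
        if (rule[i].or_next) {                        /* inside an OR group */
            if (m) { while (rule[i].or_next) i++; }   /* satisfied: skip its remaining terms */
            continue;                                 /* otherwise try the next alternative */
        }
        if (!m) return -1;                            /* an AND term failed */
    }
    return -1;
}

/* "allow ip from 1.2.3.0/24 to any" (the message's example, source side) and a
 * constructed "deny tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 to any". */
const struct insn rule_simple[] = {
    { O_IP_SRC, false, false, IP4(1,2,3,0), 0xFFFFFF00u, 0 }, { O_ACCEPT, false, false, 0, 0, 0 } };
const struct insn rule_or[] = {
    { O_PROTO,  false, false, 0, 0, 6 },
    { O_IP_SRC, false, true,  IP4(1,2,3,4), 0xFFFFFFFFu, 0 },
    { O_IP_SRC, false, true,  IP4(1,2,3,7), 0xFFFFFFFFu, 0 },
    { O_IP_SRC, true,  false, IP4(1,2,3,0), 0xFFFFFFF0u, 0 },
    { O_DENY,   false, false, 0, 0, 0 } };
```

Each rule is just a flat array of terms ending in an action, so adding a new match kind means adding one opcode and one case, which is the extensibility point the message makes.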