Date: Sun, 17 Feb 2002 01:03:30 -0800
From: "Crist J. Clark"
To: Tim Fulmer
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd and redirect_port
Message-ID: <20020217010330.I48401@blossom.cjclark.org>
References: <000a01c1b5bf$b94b5ef0$f2dca8c0@athena>
In-Reply-To: <000a01c1b5bf$b94b5ef0$f2dca8c0@athena>; from tfulmer@dslextreme.com on Thu, Feb 14, 2002 at 05:25:59PM -0800
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

On Thu, Feb 14, 2002 at 05:25:59PM -0800, Tim Fulmer wrote:
> Hi All,
>
> Having a bit of trouble with natd.
>
> Here's the setup:
>
>              Internet
>                 |
>             66.Q.X.Y
>         192.168.A.1---->192.168.A.2
>         192.168.B.1
>             +--->192.168.B.2
>
> I am browsing from 192.168.B.2.
>
> compiled a kernel with added options:
>
> options         CPU_FASTER_5X86_FPU
> options         NO_F00F_HACK
> options         TCP_DROP_SYNFIN
> options         IPFIREWALL
> options         IPFIREWALL_FORWARD
> options         IPFIREWALL_VERBOSE
> options         IPFIREWALL_VERBOSE_LIMIT=100
> options         IPDIVERT
>
> relevant rc.conf:
>
> gateway_enable="YES"
> ifconfig_rl0="inet 66.Q.X.Y netmask 255.255.255.0"
> ifconfig_rl0_alias0="inet 66.Q.X.Z netmask 255.255.255.255"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
>
> and natd.conf:
>
> redirect_port tcp 192.168.A.2:80 80
>
> and am still getting the local apache installation when I point a
> browser at 66.Q.X.Y, though the connection sharing works fine from
> both internal nets. At some point in the future redirect_address may
> also be a good idea, but right now that is non-functional as well.
>
> Any suggestions would be greatly appreciated.

You are saying that the redirect does not work when you try to connect
from the NAT'ed network? This is expected.

When you send the SYN to 66.Q.X.Y it goes to the gateway on the
internal interface. It goes through your firewall rules and is either
accepted or denied (you didn't show us the rules). If it is denied,
story over. If it is accepted, the machine recognizes 66.Q.X.Y as its
own address and processes the packet. And you are apparently running a
webserver on this machine so it responds as expected. This is
apparently not what you expect?

natd(8) is only passed packets from ipfw(8) via the 'divert' rule when
the packets are crossing the rl0 interface. In this situation, the
packets never cross rl0, never go to natd(8), and translation will
never occur.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
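Added example, not part of the thread and not FreeBSD code: a small Python model of the packet path Crist describes. It encodes the one ipfw rule that rc.firewall is assumed to install when natd_enable is set ("divert natd all from any to any via rl0"), the poster's redirect_port entry, and the gateway's own addresses, then walks two SYNs through it. The concrete addresses (66.0.0.x for 66.Q.X.Y/Z, 192.168.1.x and 192.168.2.x for the A and B nets, rl1 as the inner interface) are constructed stand-ins for the redacted values in the post.

```python
"""Toy model of the ipfw(8) 'divert' -> natd(8) path for an inbound SYN.

Constructed example; not FreeBSD code. Addresses, interface names and the
single divert rule below are assumptions standing in for the poster's setup.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet is crossing ("via" in ipfw terms)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Assumed stand-ins: rl0 carries 66.Q.X.Y and the 66.Q.X.Z alias; the
# internal nets hang off rl1 with .1 as the gateway on each.
EXTERNAL_IF = "rl0"
EXTERNAL_ADDRS = {"66.0.0.1", "66.0.0.2"}
LOCAL_ADDRS = EXTERNAL_ADDRS | {"192.168.1.1", "192.168.2.1"}

# natd.conf from the post: redirect_port tcp 192.168.A.2:80 80
REDIRECT_PORT = {("tcp", 80): ("192.168.1.2", 80)}


def divert_rule_matches(pkt: Packet) -> bool:
    """'divert natd all from any to any via rl0' (assumed to be the rule
    rc.firewall adds for natd_enable). 'via' matches only packets that
    are entering or leaving rl0, regardless of addresses."""
    return pkt.iface == EXTERNAL_IF


def natd_translate(pkt: Packet) -> Packet:
    """What natd does to an inbound packet it was handed: rewrite the
    destination per redirect_port. Never reached unless ipfw diverted it."""
    if pkt.dst in EXTERNAL_ADDRS:
        target = REDIRECT_PORT.get((pkt.proto, pkt.dport))
        if target is not None:
            return replace(pkt, dst=target[0], dport=target[1])
    return pkt


def deliver(pkt: Packet) -> tuple:
    """Walk a packet through the firewall and report where it ends up:
    ("local", addr, port) for the gateway's own stack (the local Apache),
    ("forward", addr, port) for a packet routed on to another host."""
    if divert_rule_matches(pkt):
        pkt = natd_translate(pkt)
    if pkt.dst in LOCAL_ADDRS:
        return ("local", pkt.dst, pkt.dport)
    return ("forward", pkt.dst, pkt.dport)


if __name__ == "__main__":
    # SYN from the Internet arriving on rl0: diverted, redirected to A.2.
    from_internet = Packet("rl0", "tcp", "203.0.113.5", 40000, "66.0.0.1", 80)
    # SYN from 192.168.B.2 arriving on the inner interface: never crosses
    # rl0, never diverted, so the gateway answers it itself.
    from_inside = Packet("rl1", "tcp", "192.168.2.2", 40001, "66.0.0.1", 80)
    for p in (from_internet, from_inside):
        print(p.iface, p.src, "->", p.dst, ":", deliver(p))
```

The second case is exactly the failure in the post: the browser on 192.168.B.2 reaches the gateway's own Apache because the divert rule is keyed on the interface, not on the destination address. Checking `ipfw show` for a divert rule whose counters increment only on external traffic confirms the same thing on a real box.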