Date: Fri, 13 Jul 2001 12:28:44 -0700 (PDT)
From: Matt Dillon
Message-Id: <200107131928.f6DJSi868492@earth.backplane.com>
To: Mike Hoskins
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: $diety, I hate natd.

:On Thu, 12 Jul 2001, Matt Dillon wrote:
:
:> My new 'firewall' manual page has an ipfw example of a natd setup.
:> It might help. You need a relatively recent -stable to have the
:> man page.
:
:I see the page... Thanks, btw. However, it still seems fubar. Like I
:said before, natd's configuration looks simple enough, but packets aren't
:getting through. If I add an ipfw rule to just allow traffic to the
:outside port (8080), I see incoming packets hitting the rule... but no
:connection (no real forwarding to the internal ip:port). If I run a
:sniffer on the outside interface, I see connection attempts to
:8080... run the same sniffer on the internal interface, nothing.
:
:My first thought was 'duh, the packets have to get to natd somehow so
:redirect_port can actually do something...' but changing the 8080 allow to
:a divert doesn't fix the problem. So next I figured one piece of the
:conversation was dying... somewhere... I.e. inbound's fine but I'm
:fscking something up outbound... but no denied packets in logs.
:
:It certainly seems like natd's working and ipfw just isn't allowing
:...

    Judicious use of ktrace on the natd process coupled with tcpdump on
    various interfaces might shed some light on your problem. You should
    at least be able to determine whether natd is getting the packets and
    perhaps even tell where the packets are being crunched.

    -Matt
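
One way to act on the tcpdump half of the advice above, as an added example that is not part of the original message: this Python script compares `tcpdump -n` text captures from the outside and internal interfaces and reports the point at which the redirected flow disappears. The addresses, the internal port and the capture lines are constructed for illustration; only the outside port 8080 comes from the thread.

```python
import re

# Matches "src.port > dst.port:" in `tcpdump -n` text output, with or without "IP ".
FLOW = re.compile(r"(?:IP )?(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def flows(capture):
    """Return the set of (src_ip, src_port, dst_ip, dst_port) seen in a capture."""
    found = set()
    for line in capture.splitlines():
        m = FLOW.search(line)
        if m:
            found.add((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return found

def locate_drop(outside, inside, public, internal):
    """public and internal are the (ip, port) pairs of the redirect_port mapping."""
    out, ins = flows(outside), flows(inside)
    if not any((d, dp) == public for _, _, d, dp in out):
        return "no traffic for the public port reached the outside interface"
    if not any((d, dp) == internal for _, _, d, dp in ins):
        return "seen outside, never forwarded inside: lost at ipfw divert or natd"
    if not any((s, sp) == internal for s, sp, _, _ in ins):
        return "forwarded inside, but the internal host never replied"
    if not any((s, sp) == public for s, sp, _, _ in out):
        return "internal host replied, but the reply was not translated back out"
    return "both directions pass through natd"

# Constructed sample data (assumed addresses): SYNs retried on the outside
# interface and an empty capture on the internal one, the symptom in the thread.
PUBLIC = ("198.51.100.1", 8080)
INTERNAL = ("192.168.1.10", 80)
OUTSIDE = """\
12:30:01.000001 203.0.113.5.51000 > 198.51.100.1.8080: S 1:1(0) win 16384
12:30:04.000002 203.0.113.5.51000 > 198.51.100.1.8080: S 1:1(0) win 16384"""
INSIDE = ""

if __name__ == "__main__":
    print(locate_drop(OUTSIDE, INSIDE, PUBLIC, INTERNAL))
```

When the result points at ipfw or natd, ktrace on the natd process is the next step for telling whether the divert socket ever received the packet.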