From owner-freebsd-questions@FreeBSD.ORG Wed Sep 29 15:05:58 2004
From: Alex de Kruijff
Date: Wed, 29 Sep 2004 17:05:53 +0200
To: sysadmin@ridley.unimelb.edu.au
cc: r.dridan@ridley.unimelb.edu.au
cc: freebsd-questions@freebsd.org
Subject: Re: natd not doing anything
Message-id: <20040929150553.GB885@alex.lan>
In-reply-to: <20040928205839.L2872@genesis.ridley.unimelb.edu.au>
User-Agent: Mutt/1.4.2.1i

I changed the list from current@ to questions@, since your question is
not only for CURRENT.

On Tue, Sep 28, 2004 at 09:11:39PM +1000, Rebecca Dridan wrote:
> Hi all:
>
> I am having some issues with network set-up. I'm running CURRENT as of
> 26th September, with an ipfw firewall and natd. I have one gateway
> machine with one external NIC and 3 internal NICs. At present nothing from
> my internal machines can get out. I've reduced the firewall (temporarily) to
> a basic
>
> ipfw -f flush
> divert natd ip from any to any via fxp0
> allow ip from any to any
>
> When I turn logging on, I see the packets being diverted, and then
> accepted by later rules, but not being rewritten in between, i.e.
>
> ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 :1025 out via fxp0
> ipfw: 70 Accept TCP 192.168.7.2:54619 :1025 out via fxp0
>
> and the packets never get to the remote IP. I can see natd running with
> ps, but even when I run it on the command line with -v it doesn't seem to
> do anything.
>
> Is there something I'm missing? Something else I could check? I've attached
> the relevant bits of my rc.conf and kernel conf below. Any other
> information that would be useful, please ask.
>
> Thanks,
>
> Bec
>
> (please CC me with any replies)
>
> The relevant bits of rc.conf:
> firewall_enable="YES"                    # Set to YES to enable firewall functionality
> firewall_script="/etc/rc.firewall.local" # Which script to run to set up the firewall
> firewall_quiet="YES"                     # Set to YES to suppress rule display
>
> # Enable routing
> gateway_enable="YES"                     # Set to YES if this host will be a gateway.
> natd_enable="YES"
> natd_interface="fxp0"
> natd_flags="-u"

Your rc.conf seems ok.

> kernel config:
>
> options IPFILTER                      #ipfilter support
> options IPFILTER_LOG                  #ipfilter logging
> options IPFILTER_DEFAULT_BLOCK        #block all packets by default
> options IPFIREWALL                    #firewall - need for mac filtering
> options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> options IPFIREWALL_FORWARD            #enables changing of packet dest
> options IPDIVERT                      #divert IP sockets, used by ipfw divert

Your kernel is fine. Otherwise, you wouldn't have the ability to log or to
divert. The latter would result in packets being thrown away at rule 30.

Can you add the output of ifconfig to this all? (i.e. does your fxp0 have a
public IP?)

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
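The symptom in the quoted log lines is that the packet hits the divert rule and is then accepted at rule 70 with its private source address unchanged, so natd never rewrote it. The script below is an added example, not something posted in this thread, that scans ipfw log output for exactly that pattern: a Divert record followed by an Accept record with the same protocol/source/destination leaving via the external interface. The sample log lines are constructed to mirror the ones quoted above; the destination and public addresses (203.0.113.0/24, 198.51.100.5) are assumed documentation-range placeholders, since the original lines have the destination blanked out.

```shell
#!/bin/sh
# Added example, not part of the thread above: find ipfw "divert natd" hits
# on the external interface whose packets were accepted afterwards with the
# private source address untouched, i.e. natd was running but not translating.
# Real usage on a FreeBSD gateway:  untranslated_diverts fxp0 < /var/log/security

# Print one line per flow whose Divert record is followed by an Accept record
# carrying the same proto/src/dst out via the interface given as $1. A working
# natd rewrites the source to the public address, so the Accept line's source
# would no longer match the Divert line's.
untranslated_diverts() {
    awk -v ext="$1" '
        # only egress records on the external interface are interesting
        NF < 5 || $(NF-2) != "out" || $NF != ext { next }
        {
            # locate the action keyword; a syslog prefix may precede "ipfw:"
            for (i = 1; i <= NF; i++)
                if ($i == "Divert" || $i == "Accept") break
            if (i > NF) next
            if ($i == "Divert") {
                # layout: Divert <port> <proto> <src> <dst>
                pending[$(i+2) " " $(i+3) " " $(i+4)] = 1
                next
            }
            # layout: Accept <proto> <src> <dst>
            key = $(i+1) " " $(i+2) " " $(i+3)
            if (key in pending) {
                print "untranslated: " key
                delete pending[key]
            }
        }'
}

# Constructed sample modelled on the lines quoted in the thread. Addresses in
# 203.0.113.0/24 and 198.51.100.5 are assumed placeholders, not from the post.
# The first flow shows the failure; in the second natd has rewritten the source.
SAMPLE_LOG='ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 203.0.113.10:1025 out via fxp0
ipfw: 70 Accept TCP 192.168.7.2:54619 203.0.113.10:1025 out via fxp0
ipfw: 30 Divert 8668 TCP 192.168.7.3:40000 203.0.113.20:80 out via fxp0
ipfw: 70 Accept TCP 198.51.100.5:40000 203.0.113.20:80 out via fxp0
ipfw: 70 Accept TCP 203.0.113.20:80 198.51.100.5:40000 in via fxp0'

# Run the constructed sample through the check; returns the flagged flows.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | untranslated_diverts fxp0
}

check_sample
```

If the script flags flows, the firewall is handing packets to the divert socket but nothing is putting translated packets back, which points at natd rather than the ruleset: check that `sysctl net.inet.ip.forwarding` is 1, that `sockstat -4 -l` shows natd holding a divert socket on port 8668, and, as asked above, that the interface natd was told to use actually carries a public address, since natd needs that address to rewrite the source.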