Date: Wed, 29 Sep 2004 10:33:13 -0500
From: "Micheal Patterson"
To: "Alex de Kruijff"
Cc: r.dridan@ridley.unimelb.edu.au, freebsd-questions@freebsd.org
Subject: Re: natd not doing anything
Message-ID: <06b201c4a639$a5e76ad0$4df24243@tsgincorporated.com>
References: <20040928205839.L2872@genesis.ridley.unimelb.edu.au> <20040929150553.GB885@alex.lan>

----- Original Message -----
From: "Alex de Kruijff"
Sent: Wednesday, September 29, 2004 10:05 AM
Subject: Re: natd not doing anything

> I changed the list from current@ to questions@, since your question is
> not only for CURRENT.
>
> On Tue, Sep 28, 2004 at 09:11:39PM +1000, Rebecca Dridan wrote:
> > Hi all:
> >
> > I am having some issues with network set-up. I'm running CURRENT as of
> > 26th September, with an ipfw firewall and natd. I have one gateway
> > machine with one external NIC and 3 internal NICs. At present nothing from
> > my internal machines can get out. I've reduced the firewall (temporarily) to
> > a basic
> >
> >     ipfw -f flush
> >     divert natd ip from any to any via fxp0
> >     allow ip from any to any
> >
> > When I turn logging on, I see the packets being diverted, and then
> > accepted by later rules, but not being rewritten in between, i.e.
> >
> >     ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 :1025 out via fxp0
> >     ipfw: 70 Accept TCP 192.168.7.2:54619 :1025 out via fxp0

From the looks of that log entry, he's created a double NAT with 192.168.7.2 being the IP of fxp0, his outside interface. If his next link (router?) isn't configured to do NAT for the range he's using on fxp0, he'll not have a back channel for the traffic to respond to and routing will fail. The end result is the problem that he's encountering.

> > options IPFILTER_DEFAULT_BLOCK #block all packets by default
> > options IPFIREWALL #firewall - need for mac filtering
> > options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by
>
> Your kernel is fine. Otherwise, you wouldn't have the ability to log or
> to divert. The latter would result in packets being thrown away at rule
> 30.

He has both accept and block as the default configuration for the firewall. That's not fine. I honestly don't know if it may cause a conflict with them both defined, nor which one would take precedence when both are configured. I would recommend removing one or the other for the default action he wishes his firewall to take.
--
Micheal Patterson
Senior Communications Systems Engineer
405-917-0600
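The symptom Rebecca quotes (a packet logged by the divert rule and then by a later accept rule with the same 192.168.7.2 source) is easy to spot by hand in two lines but tedious in a busy log. As an added example, not part of this thread and not a FreeBSD tool, the POSIX shell script below reads ipfw log lines in the format quoted above and flags every flow whose source address is unchanged between the Divert entry and the matching Accept entry, which means natd saw the packet but did not translate it. The sample log lines, the 198.51.100.x destinations and the 203.0.113.10 external address are constructed placeholders; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: detect "divert natd" rules that did not
# translate the source address, using ipfw's log format:
#   ipfw: <rule> <action> [<divert port>] <PROTO> <src>:<sport> <dst>:<dport> <dir> via <if>
# Everything below is constructed sample data; 203.0.113.x and 198.51.100.x are
# documentation ranges and 192.168.7.x stands for the internal LAN in the thread.

# Reads ipfw log lines on stdin. Each Divert entry's source is remembered under
# a key of protocol, destination, direction and interface; the next Accept entry
# with the same key is the re-injected packet. If its source IP is identical,
# natd did not rewrite it, and one line describing the flow is printed.
find_unrewritten() {
    awk '
    $1 == "ipfw:" {
        i = 4                          # first field after "ipfw: <rule> <action>"
        if ($3 == "Divert") i = 5      # Divert lines also carry the divert port
        proto = $i; src = $(i + 1); dst = $(i + 2); dir = $(i + 3); ifc = $(i + 5)
        key = proto SUBSEP dst SUBSEP dir SUBSEP ifc
        if ($3 == "Divert") { diverted[key] = src; next }
        if ($3 == "Accept" && (key in diverted)) {
            split(diverted[key], before, ":")   # before[1] = pre-NAT source IP
            split(src, after, ":")              # after[1]  = post-NAT source IP
            if (before[1] == after[1])
                printf "rule %s: %s %s -> %s %s via %s: source not rewritten by natd\n", $2, proto, src, dst, dir, ifc
            delete diverted[key]
        }
    }'
}

# Constructed sample: the first flow reproduces the symptom from the thread
# (same 192.168.7.2 source before and after the divert); the second shows what a
# working natd produces (source replaced by the external address 203.0.113.10).
SAMPLE_LOG='ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 198.51.100.5:1025 out via fxp0
ipfw: 70 Accept TCP 192.168.7.2:54619 198.51.100.5:1025 out via fxp0
ipfw: 30 Divert 8668 UDP 192.168.7.3:40000 198.51.100.9:53 out via fxp0
ipfw: 70 Accept UDP 203.0.113.10:61001 198.51.100.9:53 out via fxp0'

# Number of flagged flows in the sample log.
count_unrewritten() {
    printf '%s\n' "$SAMPLE_LOG" | find_unrewritten | wc -l | tr -d ' '
}

# Run against the sample; on a real gateway you would feed it the ipfw log
# (for example the lines syslog writes to /var/log/security) instead.
printf '%s\n' "$SAMPLE_LOG" | find_unrewritten
```

On a correctly working gateway the script prints nothing, because the Accept entry that follows a Divert carries the external interface's address. A flagged flow narrows the fault to natd itself (not running, bound to the wrong divert port, or configured with the wrong interface) rather than to the ipfw rules, since the log already proves the divert rule matched.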