Date: Wed, 29 Sep 2004 17:51:49 +0200
From: Alex de Kruijff <freebsd@akruijff.dds.nl>
To: Micheal Patterson <micheal@tsgincorporated.com>
Cc: sysadmin@ridley.unimelb.edu.au
Subject: Re: natd not doing anything
Message-ID: <20040929155149.GD885@alex.lan>
In-Reply-To: <06b201c4a639$a5e76ad0$4df24243@tsgincorporated.com>
References: <20040928205839.L2872@genesis.ridley.unimelb.edu.au> <20040929150553.GB885@alex.lan> <06b201c4a639$a5e76ad0$4df24243@tsgincorporated.com>
On Wed, Sep 29, 2004 at 10:33:13AM -0500, Micheal Patterson wrote:
> From: "Alex de Kruijff" <freebsd@akruijff.dds.nl>
> > I changed the list from current@ to questions@, since your question is
> > not only for CURRENT.
> >
> > On Tue, Sep 28, 2004 at 09:11:39PM +1000, Rebecca Dridan wrote:
> > > Hi all:
> > >
> > > I am having some issues with network set-up. I'm running CURRENT as of
> > > 26th September, with an ipfw firewall and natd. I have one gateway
> > > machine with one external NIC and 3 internal NICs. At present nothing from
> > > my internal machines can get out. I've reduced the firewall (temporarily) to
> > > a basic
> > > ipfw -f flush
> > > divert natd ip from any to any via fxp0
> > > allow ip from any to any
> > >
> > > When I turn logging on, I see the packets being diverted, and then
> > > accepted by later rules, but not being rewritten in between, ie
> > >
> > > ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 <remote IP>:1025 out via fxp0
> > > ipfw: 70 Accept TCP 192.168.7.2:54619 <remote IP>:1025 out via fxp0
> > >
>
> From the looks of that log entry, he's created a double NAT with 192.168.7.2
> being the IP of fxp0, his outside interface. If his next link (router?)
> isn't configured to do NAT for the range he's using on fxp0, he'll not have
> a back channel for the traffic to respond to and routing will fail. The end
> result is the problem that he's encountering.
>
> <snip>
>
> > > options IPFILTER_DEFAULT_BLOCK #block all packets by default
> > > options IPFIREWALL #firewall - need for mac filtering
> > > options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by
> > <snip>
> >
> > Your kernel is fine. Otherwise, you wouldn't have the ability to log or
> > to divert. The latter would result in packets being thrown away at rule
> > 30.
>
> He has both accept and block as the default configuration for the firewall.
> That's not fine. I honestly don't know if it may cause a conflict with them
> both defined nor which one would take precedence when both configured. I
> would recommend removing one or the other for the default action he wishes
> his firewall to take.

This is not a problem. First, ipfw and ipf are two different firewall rules.
It's perfectly OK for one to deny everything by default and the other to
accept everything. Also, both firewalls can be used together. Secondly, were
one to set something like this for one firewall, then that firewall would most
likely pick only one setting. He probably doesn't use ipf and thus can remove
the IPFILTER lines. All this does is make the kernel a bit smaller.

-- 
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/FreeBSD/
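The symptom Rebecca reports (a packet logged at the divert rule and again at a later accept rule with the same private source address) can be checked mechanically from ipfw's log output. The script below is an added example written for this page, not code from anyone in the thread or from FreeBSD. It assumes the log field layout matches the two lines quoted above, and the sample log it runs over is constructed: 203.0.113.9 and 198.51.100.4 are documentation addresses standing in for the remote host and the outside interface address.

```shell
#!/bin/sh
# Added example, not from the thread: read ipfw log lines and flag outbound
# flows that went through the divert rule but came back with an unchanged
# private source address, i.e. natd did not rewrite them. The log field
# layout is assumed to match the two lines quoted in the thread.

# Constructed sample log. The first flow mirrors the thread's symptom (same
# source before and after the divert); the second shows a rewritten flow.
SAMPLE_LOG='ipfw: 30 Divert 8668 TCP 192.168.7.2:54619 203.0.113.9:1025 out via fxp0
ipfw: 70 Accept TCP 192.168.7.2:54619 203.0.113.9:1025 out via fxp0
ipfw: 30 Divert 8668 TCP 192.168.7.3:40000 203.0.113.9:80 out via fxp0
ipfw: 70 Accept TCP 198.51.100.4:40000 203.0.113.9:80 out via fxp0'

# unrewritten_flows IFACE < logfile
# Prints "src dst" for each outbound flow on IFACE whose source is still an
# RFC 1918 address at the Accept rule that follows the Divert rule. Flows are
# matched on destination only, which is enough for a quick spot check.
unrewritten_flows() {
    awk -v iface="$1" '
        # Only outbound packets on the NAT interface matter here.
        $(NF-2) != "out" || $NF != iface { next }
        # Divert line: remember the pre-NAT source for this destination.
        $3 == "Divert" { pending[$(NF-3)] = $(NF-4); next }
        # Accept line for a pending destination: compare the source again.
        $3 == "Accept" && ($(NF-3) in pending) {
            src = $(NF-4); dst = $(NF-3)
            if (src == pending[dst] &&
                src ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                print src, dst
            delete pending[dst]
        }'
}

# natd_rewrites_ok IFACE < logfile
# Exit status 0 when every diverted flow on IFACE came back rewritten.
natd_rewrites_ok() {
    [ -z "$(unrewritten_flows "$1")" ]
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | unrewritten_flows fxp0
if printf '%s\n' "$SAMPLE_LOG" | natd_rewrites_ok fxp0; then
    echo "natd is rewriting all diverted flows on fxp0"
else
    echo "some diverted flows on fxp0 still carry a private source: natd is not rewriting"
fi
```

On a real gateway you would feed it the actual log (for example `grep '^ipfw:' /var/log/security | sh thisscript`, with the top-level sample run removed). A flow listed by the check means the packet re-entered the ruleset after the divert without natd changing its source, which is exactly what the quoted rule 30 / rule 70 pair shows; the usual causes to rule out are natd not running or not listening on the divert port the rule names, and natd bound to an interface other than the one in the `via` clause.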