Date:      Sat, 22 Jul 2000 12:57:25 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        George.Giles@mcmail.vanderbilt.edu
Cc:        freebsd-security@freebsd.org
Subject:   Re: NATD problem
Message-ID:  <Pine.BSF.4.21.0007221236300.18129-100000@snafu.adept.org>
In-Reply-To: <OFB9C59C00.5BC06741-ON86256924.005ACEFF@MC.VANDERBILT.EDU>

On Sat, 22 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:

> My firewall works fine, but NATD does not route my gateway requests
> properly. The private ip addresses do not route from mx1 (iip) through mx0
> (oip).

Has this worked before, and only broken recently...  or is this still a
first attempt to get it working?

What options do you have compiled into your kernel?  I have:

	# Firewall/NATD
	options IPFIREWALL  
	options IPFIREWALL_VERBOSE
	options IPFIREWALL_VERBOSE_LIMIT=64
	options IPDIVERT

Does this show up in your dmesg output?

	[69]mike@snafu{mike}$ dmesg|grep div
	IP packet filtering initialized, divert enabled, rule-based forwarding
	disabled, default to deny, logging limited to 64 packets/entry by default

What flags are you passing natd?  What's in /etc/rc.conf?  I have:

	natd_enable="YES"
	natd_flags="-s -m -u"

And see the following running:

	[70]mike@snafu{mike}$ ps ax|grep nat
	   90  ??  Ss     0:24.61 /sbin/natd -s -m -u -n fxp0

For my firewall I have:

	firewall_enable="YES"
	firewall_type="/etc/rc.firewall.snafu"

But you're probably running firewall_type="OPEN" (which is fine for
initial setup/testing).

Is your box set to be a gateway?  I have this in /etc/rc.conf:

	gateway_enable="YES"

With these options, NATD's been working perfectly for me under RELENG_4
for a while now.  If you already have all of this, have you tested basic
connectivity?  Can you ping from the inside host(s) to the gw
machine?  Can you ping from the gw machine to the inside host(s)?  Can the
gw machine ping outside?  Are your NICs configured properly on all
machines (duplex, etc.)?

>    # Allow inside out
>     $fwcmd add divert natd all from any to any via ${oif}
> 
>    $fwcmd add pass tcp from ${iip} to ${oip} 8668 setup
>     $fwcmd add pass tcp from ${iip} to any 8668

Have you tried just running firewall_type="OPEN"?  I'm running a custom
rulechain, but OPEN basically goes like this:

	divert 8668 ip from any to any via OIF
	allow ip from any to any via lo0
	deny ip from any to 127.0.0.0/8
	allow ip from any to any

Alternatively, you may want to take advantage of ipfw's new 'check-state'
capabilities and set up something like what I have...

	divert 8668 ip from any to any via OIF
	allow ip from any to any via lo0
	deny ip from any to 127.0.0.0/8
	check-state
	allow ip from OIP to any keep-state
	allow ip from INW to any keep-state
	#
	# rules to allow specific inbound traffic
	#
	deny ip from any to any

OIF == Outside InterFace
OIP == Outside IP address
INW == Inside NetWork

This lets my LAN 'talk' to the outside world (rules are created on the
fly), allows inbound traffic I want, and denies everything else.

Good luck,

-mrh
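A preflight checklist and dry-run ruleset generator, written here as an added example to go with the message above (it is not code from the thread or from FreeBSD): the check functions take saved dmesg / ps / rc.conf text so they can run offline, FWCMD defaults to printing the ipfw commands instead of applying them, and the interface and address values are placeholders.

```shell
#!/bin/sh
# Added example, not from the post.  Checks the items Mike asks about
# (rc.conf knobs, IPDIVERT in dmesg, a running natd) and emits his
# check-state/keep-state ruleset.  Interface/address values are placeholders.

# check_rc_conf FILE: verify the three rc.conf knobs from the post are YES.
# Returns 0 when all are present, 1 otherwise (missing ones are printed).
check_rc_conf() {
    rc=0
    for knob in gateway_enable natd_enable firewall_enable; do
        grep -Eq "^${knob}=\"?YES\"?" "$1" || { echo "missing: ${knob}=\"YES\""; rc=1; }
    done
    return $rc
}

# divert_enabled: read dmesg text on stdin; succeed if IPDIVERT is compiled in.
divert_enabled() {
    grep -q 'divert enabled'
}

# natd_running: read 'ps ax' text on stdin; succeed if natd is up.
natd_running() {
    grep -v grep | grep -q '/sbin/natd'
}

# build_rules OIF OIP INW: emit the stateful ruleset from the post, in the
# same order (divert to natd on the outside interface first, then loopback,
# then check-state, then keep-state allows, then the default deny).
# FWCMD defaults to a dry run; set FWCMD=/sbin/ipfw to apply for real.
build_rules() {
    : "${FWCMD:=echo ipfw}"
    oif=$1; oip=$2; inw=$3
    $FWCMD add 100 divert 8668 ip from any to any via "$oif"
    $FWCMD add 200 allow ip from any to any via lo0
    $FWCMD add 300 deny ip from any to 127.0.0.0/8
    $FWCMD add 400 check-state
    $FWCMD add 500 allow ip from "$oip" to any keep-state
    $FWCMD add 600 allow ip from "$inw" to any keep-state
    # rules to allow specific inbound traffic go here
    $FWCMD add 65000 deny ip from any to any
}
```

Run `build_rules fxp0 <outside-ip> <inside-net/prefix>` to review the rules before pointing FWCMD at the real ipfw binary.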
