Date: Sat, 22 Jul 2000 12:57:25 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: NATD problem
Message-ID: <Pine.BSF.4.21.0007221236300.18129-100000@snafu.adept.org>
In-Reply-To: <OFB9C59C00.5BC06741-ON86256924.005ACEFF@MC.VANDERBILT.EDU>
On Sat, 22 Jul 2000 George.Giles@mcmail.vanderbilt.edu wrote:
> My firewall works fine, but NATD does not route my gateway requests
> properly. The private ip addresses do not route from mx1 (iip) through mx0
> (oip).
Has this worked before, and only broken recently... or is this still a
first attempt to get it working?
What options do you have compiled into your kernel? I have:
# Firewall/NATD
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=64
options IPDIVERT
Does this show up in your dmesg output?
[69]mike@snafu{mike}$ dmesg|grep div
IP packet filtering initialized, divert enabled, rule-based forwarding
disabled, default to deny, logging limited to 64 packets/entry by default
What flags are you passing natd? What's in /etc/rc.conf? I have:
natd_enable="YES"
natd_flags="-s -m -u"
And see the following running:
[70]mike@snafu{mike}$ ps ax|grep nat
90 ?? Ss 0:24.61 /sbin/natd -s -m -u -n fxp0
For my firewall I have:
firewall_enable="YES"
firewall_type="/etc/rc.firewall.snafu"
But you're probably running firewall_type="OPEN" (which is fine for
initial setup/testing).
Is your box set to be a gateway? I have this in /etc/rc.conf:
gateway_enable="YES"
With these options, NATD's been working perfectly for me under RELENG_4
for a while now. If you already have all of this, have you tested basic
connectivity? Can you ping from the inside host(s) to the gw
machine? Can you ping from the gw machine to the inside host(s)? Can the
gw machine ping outside? Are your NICs configured properly on all
machines (duplex, etc.)?
> # Allow inside out
> $fwcmd add divert natd all from any to any via ${oif}
>
> $fwcmd add pass tcp from ${iip} to ${oip} 8668 setup
> $fwcmd add pass tcp from ${iip} to any 8668
Have you tried just running firewall_type="OPEN"? I'm running a custom
rulechain, but OPEN basically goes like this:
divert 8668 ip from any to any via OIF
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
allow ip from any to any
Alternatively, you may want to take advantage of ipfw's new 'check-state'
capabilities and setup something like what I have...
divert 8668 ip from any to any via OIF
allow ip from any to any via lo0
deny ip from any to 127.0.0.0/8
check-state
allow ip from OIP to any keep-state
allow ip from INW to any keep-state
#
# rules to allow specific inbound traffic
#
deny ip from any to any
OIF == Outside InterFace
OIP == Outside IP address
INW == Inside NetWork
This lets my LAN 'talk' to the outside world (rules are created on the
fly), allows inbound traffic I want, and denies everything else.
Good luck,
-mrh
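The stateful divert/check-state ruleset sketched in the reply above, written out as a parameterized sh script. This is an added example, not code from the original thread or from FreeBSD's own /etc/rc.firewall: OIF, OIP and INW become positional parameters, any TCP ports listed after them fill the "rules to allow specific inbound traffic" section, and FWCMD defaults to a dry run that only prints the rules. The interface fxp0, outside address 192.0.2.1, inside network 10.0.0.0/24 and ports 22/80 in the usage line are constructed values.

```shell
#!/bin/sh
# Added example: build the natd + stateful ipfw ruleset from the reply.
# FWCMD defaults to a dry run that prints each rule; set FWCMD=/sbin/ipfw
# on a FreeBSD box with IPFIREWALL and IPDIVERT compiled in to load them.
: "${FWCMD:=echo ipfw}"

# build_ruleset OIF OIP INW [inbound-tcp-port ...]
#   OIF  outside interface, OIP outside IP address, INW inside network
# Rule order follows the reply: divert first so natd sees both directions,
# loopback handling, check-state before the keep-state rules, the inbound
# services you choose to expose, and an explicit default deny at the end.
build_ruleset() {
    oif=$1; oip=$2; inw=$3
    shift 3

    $FWCMD -f flush                                            # start from an empty chain
    $FWCMD add 100 divert 8668 ip from any to any via "$oif"   # hand packets on OIF to natd
    $FWCMD add 200 allow ip from any to any via lo0
    $FWCMD add 300 deny ip from any to 127.0.0.0/8             # loopback addresses never arrive from the wire
    $FWCMD add 400 check-state                                 # match existing dynamic rules first
    $FWCMD add 500 allow ip from "$oip" to any keep-state      # gateway's own outbound traffic
    $FWCMD add 600 allow ip from "$inw" to any keep-state      # LAN outbound; replies match the dynamic rule

    # rules to allow specific inbound traffic: one per requested TCP port,
    # 'setup' so only connection-opening packets create state
    n=700
    for port in "$@"; do
        $FWCMD add "$n" allow tcp from any to "$oip" "$port" setup keep-state
        n=$((n + 10))
    done

    $FWCMD add 65000 deny ip from any to any                   # everything else is dropped
}

# Constructed usage: dry-run the ruleset for fxp0 / 192.0.2.1 / 10.0.0.0/24,
# exposing ssh and http on the outside address.
build_ruleset fxp0 192.0.2.1 10.0.0.0/24 22 80
```

Run it as-is to review the rule list, then rerun with FWCMD=/sbin/ipfw once the dmesg and rc.conf checks from the reply pass; keeping the `-f flush` at the top means the script is safe to re-run after editing a rule.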
